- Print
- DarkLight
Article summary
Did you find this summary helpful?
Thank you for your feedback
The Windows Sensor can listen, alert, and automate based on various Defender events.
This is done by ingesting artifacts from the Defender Event Log Source and using Detection & Response rules to take the appropriate action.
A config template to alert on the common Defender events of interest is available here. The template can be used in conjunction with Infrastructure Service or its user interface in the web app.
Specifically, the template alerts on the following Defender events:
windows-defender-malware-detected (
event ID 1006
)windows-defender-history-deleted (
event ID 1013
)windows-defender-behavior-detected (
event ID 1015
)windows-defender-activity-detected (
event ID 1116
)
Was this article helpful?