LimaCharlie

The Windows LimaCharlie sensor can listen, alert and automate based on various <a href="https://www.microsoft.com/en-ca/windows/comprehensive-security" target="_blank" rel="nofollow noopener noreferrer">Windows Defender</a> events.

This is done through <a href="https://doc.limacharlie.io/docs/documentation/docs/external_logs.md#from-real-time-events" target="_blank" rel="nofollow noopener noreferrer">listening for the Defender Event Log Source</a> and using <a href="https://doc.limacharlie.io/docs/documentation/docs/dr.md" target="_blank" rel="nofollow noopener noreferrer">D&amp;R rules</a> to take the appropriate action.

A template to alert on the common Defender events of interest is available <a href="https://github.com/refractionPOINT/templates/blob/master/anti-virus/windows-defender.yaml" target="_blank" rel="nofollow noopener noreferrer">here</a>. The template can be used in conjunction with Infrastructure As Code Service or its user interface in the web app.

Specifically, the template alerts on the following Defender events:

windows-defender-malware-detected (event ID 1006)

windows-defender-history-deleted (event ID 1013)

windows-defender-behavior-detected (event ID 1015)

windows-defender-activity-detected (event ID 1116)

- windows-defender-malware-detected (event ID 1006)
- windows-defender-history-deleted (event ID 1013)
- windows-defender-behavior-detected (event ID 1015)
- windows-defender-activity-detected (event ID 1116)

Do you have an example of the D&R rule based on Windows Defender data?

Technical Documentation

Slack Community

Course

GitHub

Swagger Doc

Release Notes

Find answers and get help from Intercom Support and Community Experts