The Windows LimaCharlie sensor can collect Windows Defender events and, through D&R rules, alert on them and automate a response.

This is done by subscribing to the Windows Defender Event Log channel so that the sensor emits Defender records as Windows Event Log (WEL) events, and then writing D&R rules that match the event IDs of interest and take the appropriate action.

A template that alerts on the common Defender events of interest is available here. It can be applied with the Infrastructure as Code service or through its user interface in the web app.

Specifically, the template alerts on the following Defender events:

  • windows-defender-malware-detected (event ID 1006)

  • windows-defender-history-deleted (event ID 1013)

  • windows-defender-behavior-detected (event ID 1015)

  • windows-defender-activity-detected (event ID 1116)
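As an added illustration (not the template itself, and not taken from the page above), the following is a D&R rule in the shape the template's entries take: it matches a WEL event from the Windows Defender Operational channel with event ID 1006 and reports it under the template's name for that event. The channel name, the `event/EVENT/System/...` paths and the string comparison of the event ID reflect how the sensor flattens Windows Event Log records; the sensor must already be configured to collect the `Microsoft-Windows-Windows Defender/Operational` channel, otherwise no WEL event reaches the rule.

```yaml
# Added example of a LimaCharlie D&R rule for one Defender event.
# Assumption: the sensor's Windows Event Log collection includes the
# "Microsoft-Windows-Windows Defender/Operational" channel, so Defender
# records arrive as WEL events with the structure referenced below.
detect:
  event: WEL
  op: and
  rules:
    # Only consider records from the Defender operational channel;
    # other channels also carry event ID 1006 with a different meaning.
    - op: is
      path: event/EVENT/System/Channel
      value: Microsoft-Windows-Windows Defender/Operational
    # 1006: the antimalware engine found malware or other potentially
    # unwanted software. The event ID is compared as a string here.
    - op: is
      path: event/EVENT/System/EventID
      value: '1006'
respond:
  # Raise a detection named like the template's entry for this event.
  - action: report
    name: windows-defender-malware-detected
    # Metadata is free-form; included so the detection explains itself.
    metadata:
      source: Windows Defender event log
      event_id: 1006
```

The other three entries in the template differ only in the event ID (1013, 1015, 1116) and the report name, so each is its own rule with the same channel check. To confirm end to end that the channel is being collected and the rule fires, generate a benign detection on a test host (for example with the EICAR test file, which Windows Defender logs as a detection) and look for the resulting `windows-defender-malware-detected` report rather than trusting the rule on inspection alone.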
