Windows Defender Operational Log
Windows, Execution Evidence, Disk Image, SIEM / Log Aggregator
Location
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx
Description
Windows Defender antivirus operational log recording threat detections (Event 1116), remediation actions (Event 1117), real-time protection state changes (Event 5001/5004), and exclusion modifications.
Forensic Value
Defender logs reveal what the attacker deployed that triggered detection and what they did to evade it. Event 1116 contains the detected threat name, file path, and process that accessed it. Event 5001 timestamps when real-time protection was disabled, marking the window of unmonitored activity. Exclusion additions in the log show which paths or processes the attacker whitelisted to avoid future detection.
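The analysis step the paragraph above describes (pairing Event 5001 with the next 5004 to bound the unmonitored window, pulling threat name, path and accessing process from 1116, and flagging exclusion changes that land inside that window) as an added Python example. This is not code from the page or from any of the tools it lists: the event records are constructed with a simplified field bag (`threat`, `path`, `process`, `setting`, `new_value`) rather than a real EvtxECmd or Get-WinEvent schema, and Event 5007 (Defender configuration changed, where exclusion additions appear) is taken from Defender's documented event IDs, not from the page.

```python
"""Timeline triage over Windows Defender Operational events (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Event IDs named on the page, plus 5007 (configuration changed), the event in
# which exclusion additions surface. Assumption: your export preserves these IDs.
DETECTED, REMEDIATED, RTP_DISABLED, RTP_ENABLED, CONFIG_CHANGED = 1116, 1117, 5001, 5004, 5007


@dataclass
class DefenderEvent:
    ts: datetime
    event_id: int
    data: dict = field(default_factory=dict)  # simplified, constructed field bag


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp and treat it as UTC (evtx stores UTC)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def unmonitored_windows(events):
    """Pair each 5001 (real-time protection off) with the next 5004 (back on).

    A 5001 with no later 5004 yields an open window (end is None): the host was
    imaged or the log ended while protection was still disabled.
    """
    windows, start = [], None
    for e in sorted(events, key=lambda e: e.ts):
        if e.event_id == RTP_DISABLED and start is None:
            start = e.ts
        elif e.event_id == RTP_ENABLED and start is not None:
            windows.append((start, e.ts))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows


def detections(events):
    """Threat name, file path and accessing process from each Event 1116."""
    return [(e.ts, e.data.get("threat"), e.data.get("path"), e.data.get("process"))
            for e in sorted(events, key=lambda e: e.ts) if e.event_id == DETECTED]


def exclusion_changes(events):
    """Event 5007 records whose changed setting lives under an Exclusions key."""
    return [(e.ts, e.data.get("setting"), e.data.get("new_value"))
            for e in sorted(events, key=lambda e: e.ts)
            if e.event_id == CONFIG_CHANGED and "\\Exclusions\\" in e.data.get("setting", "")]


def changes_while_unmonitored(events):
    """Exclusion changes that fall inside a protection-disabled window.

    These are the strongest evasion indicators: the attacker turned protection
    off, then whitelisted a path or process so it stays quiet once re-enabled.
    """
    hits = []
    for ts, setting, value in exclusion_changes(events):
        for start, end in unmonitored_windows(events):
            if start <= ts and (end is None or ts <= end):
                hits.append((ts, setting, value))
                break
    return hits


# Constructed sample log; names, paths and times are invented for illustration.
SAMPLE = [
    DefenderEvent(parse_ts("2024-03-01T10:00:00"), DETECTED,
                  {"threat": "Trojan:Win32/Example.A",
                   "path": r"C:\Users\alice\Downloads\invoice.exe",
                   "process": r"C:\Windows\explorer.exe"}),
    DefenderEvent(parse_ts("2024-03-01T10:00:05"), REMEDIATED,
                  {"threat": "Trojan:Win32/Example.A", "action": "Quarantine"}),
    DefenderEvent(parse_ts("2024-03-01T10:07:00"), RTP_DISABLED),
    DefenderEvent(parse_ts("2024-03-01T10:08:30"), CONFIG_CHANGED,
                  {"setting": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Tools",
                   "new_value": "0x0"}),
    DefenderEvent(parse_ts("2024-03-01T10:45:00"), RTP_ENABLED),
    DefenderEvent(parse_ts("2024-03-02T09:00:00"), RTP_DISABLED),  # never re-enabled
]

if __name__ == "__main__":
    for w in unmonitored_windows(SAMPLE):
        print("unmonitored:", w[0].isoformat(), "->", w[1].isoformat() if w[1] else "(still off)")
    for d in detections(SAMPLE):
        print("detected:", d)
    for h in changes_while_unmonitored(SAMPLE):
        print("exclusion added while unmonitored:", h)
```

The open-ended second window is the case worth watching for on a live-imaged host: an empty or unterminated window list is not evidence that protection was on, which is the same caution the Collection Constraints below apply to missing events generally.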
Tools Required
KAPE, EvtxECmd (Eric Zimmerman), Event Log Explorer, Chainsaw
Collection Commands
KAPE
kape.exe --tsource C: --tdest C:\output --target EventLogs
EvtxECmd
EvtxECmd.exe -f "C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx" --csv C:\output --csvf Defender.csv
PowerShell
Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-Windows Defender/Operational"; Id=1116,1117,5001} | Export-Csv C:\output\defender_detections.csv
Chainsaw
chainsaw hunt "C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx" -s sigma/
Collection Constraints
- Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.
- Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.
MITRE ATT&CK Techniques
T1562.001, T1204.002