Windows Defender Logs

Overview

Evidence: Windows Defender Logs
Description: Collect Windows Defender Logs
Category: Applications
Platform: windows
Short Name: wnddfndrls
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes

Background

Windows Defender (now Microsoft Defender) is the built-in antivirus solution in Windows. It maintains support logs, EVTX event logs, and MpCmdRun command-line scan logs across current and legacy Windows installations.

Data Collected

This collector gathers structured data about Windows Defender logs: the support logs, event logs, and MpCmdRun logs listed under Collection Method.

Collection Method

This collector gathers Windows Defender support logs, event logs from both current and Windows.old installations, and MpCmdRun logs from Microsoft AntiMalware and Windows Defender directories.
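As an added illustration of the collection described above (this is not the collector's own code), the PowerShell below gathers the same artifact classes: Defender and legacy Microsoft Antimalware support logs, Defender event log channels from the running install and from a Windows.old install, and MpCmdRun.log. It then writes a SHA-256 manifest so the evidence set can be verified later. The destination folder is an assumption; live event log channels are exported with wevtutil because the EventLog service holds the .evtx files open; and the Windows\Temp location of MpCmdRun.log assumes the scan was run as SYSTEM (MpCmdRun writes to the caller's %TEMP%).

```powershell
# Added example, not the collector's own code: gather Microsoft Defender log
# artifacts from the running install and, if present, a Windows.old install,
# then record a SHA-256 manifest. The destination path is an assumption.
param(
    [string]$Destination = "C:\Evidence\DefenderLogs"
)

$null = New-Item -ItemType Directory -Path $Destination -Force

function Copy-Artifact {
    param([string]$Path, [string]$Label)
    # Skip quietly when the artifact is absent (e.g. no Windows.old on this host)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $target = Join-Path $Destination $Label
    $null = New-Item -ItemType Directory -Path $target -Force
    # -Recurse handles the Support directories; single files copy as-is
    Copy-Item -LiteralPath $Path -Destination $target -Recurse -Force -ErrorAction SilentlyContinue
}

# Directory-based artifacts, relative to each install root
$supportDirs = @(
    "ProgramData\Microsoft\Windows Defender\Support",       # MPLog-*.log, MPDetection-*.log
    "ProgramData\Microsoft\Microsoft Antimalware\Support"   # legacy SCEP / MSE support logs
)
$roots = @{ "Current" = "C:\"; "WindowsOld" = "C:\Windows.old\" }

foreach ($rootName in $roots.Keys) {
    $root = $roots[$rootName]
    foreach ($rel in $supportDirs) {
        Copy-Artifact -Path (Join-Path $root $rel) -Label "$rootName\Support"
    }
    # MpCmdRun.log is written to the caller's %TEMP%; for scans run as SYSTEM
    # that is Windows\Temp (assumption: scans were run under SYSTEM)
    Copy-Artifact -Path (Join-Path $root "Windows\Temp\MpCmdRun.log") -Label "$rootName\MpCmdRun"
}

# Live channels are held open by the EventLog service, so export them with
# wevtutil rather than copying the .evtx files out of System32\winevt\Logs.
$channels = @(
    "Microsoft-Windows-Windows Defender/Operational",
    "Microsoft-Windows-Windows Defender/WHC"
)
$evtxDir = Join-Path $Destination "Current\EVTX"
$null = New-Item -ItemType Directory -Path $evtxDir -Force
foreach ($ch in $channels) {
    # On-disk channel files use %4 in place of the slash
    $file = Join-Path $evtxDir (($ch -replace '/', '%4') + ".evtx")
    wevtutil epl $ch $file
}

# Windows.old event logs are not live, so a plain file copy is sufficient
$oldLogs = "C:\Windows.old\Windows\System32\winevt\Logs"
Copy-Artifact -Path (Join-Path $oldLogs "Microsoft-Windows-Windows Defender%4Operational.evtx") -Label "WindowsOld\EVTX"
Copy-Artifact -Path (Join-Path $oldLogs "Microsoft-Windows-Windows Defender%4WHC.evtx") -Label "WindowsOld\EVTX"

# Hash everything collected; enumerate first so the manifest does not list itself
$files = Get-ChildItem -Path $Destination -Recurse -File
$files | ForEach-Object {
    $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256
    [pscustomobject]@{
        Path      = $_.FullName
        SHA256    = $h.Hash
        Size      = $_.Length
        LastWrite = $_.LastWriteTimeUtc
    }
} | Export-Csv -Path (Join-Path $Destination "manifest.csv") -NoTypeInformation
```

Run it from an elevated PowerShell session: reading the ProgramData Support directories and exporting event channels with wevtutil both require administrative rights, and the Support directory is where MPDetection-*.log (detections) and MPLog-*.log (engine activity, scan starts and completions) are found, which is what the Forensic Value section below refers to.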

Forensic Value

Windows Defender logs are critical for investigating malware detections on Windows systems, providing scan results, real-time protection events, threat intelligence, and command-line scan activities. They're often the primary source of antivirus data on modern Windows endpoints.
