Evidence: Windows Defender Logs
Description: Collect Windows Defender Logs
Category: Applications
Platform: windows
Short Name: wnddfndrls
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes
Background
Windows Defender (now Microsoft Defender) is the built-in antivirus solution in Windows. It maintains support logs, EVTX event logs, and MpCmdRun command-line scan logs across current and legacy Windows installations.
Data Collected
This collector gathers structured data about Windows Defender logs.
Collection Method
This collector gathers Windows Defender support logs, event logs from both current and Windows.old installations, and MpCmdRun logs from Microsoft AntiMalware and Windows Defender directories.
Forensic Value
Windows Defender logs are critical for investigating malware detections on Windows systems, providing scan results, real-time protection events, threat intelligence, and command-line scan activity. They are often the primary source of antivirus data on modern Windows endpoints.