
Windows Defender logs flow into different log sets depending on the event. Windows Defender events that the Insight Agent does not recognize are sent to the Unparsed Data log set. There is no event source to add and no configuration required in InsightIDR: when the Insight Agent finds new events being written to the Windows Defender Antivirus operational event log, it collects them and sends them to InsightIDR.

On all Windows endpoints where the Rapid7 Insight Agent is installed, the agent collects the log entries from the Defender Antivirus operational Windows event log. You can view this event log on a Windows host in Event Viewer under Applications and Services Logs > Microsoft > Windows > Microsoft Defender Antivirus > Operational. You can read more about this Microsoft Windows event log at.
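The following PowerShell is an added example, not code from Rapid7 or from this page. It queries the same Windows event log that the Insight Agent collects from, so you can confirm on an endpoint that the log exists, is enabled and has records, and see which security-relevant Defender events are present before they reach InsightIDR. The channel name `Microsoft-Windows-Windows Defender/Operational` is the log's internal name for the Event Viewer path given above, and the event ID meanings are taken from Microsoft's Defender Antivirus documentation; the 24-hour window and the set of IDs shown are choices made for this example. Run it from an elevated PowerShell session so the log is readable.

```powershell
# Added example (not Rapid7 documentation code). Reads the Windows Defender Antivirus
# operational log, the same log the Insight Agent collects, to verify it is enabled and
# populated and to list the detection and protection-state events in it.
$logName = 'Microsoft-Windows-Windows Defender/Operational'

# 1. Confirm the channel exists, is enabled, and has records for the agent to collect.
#    If this throws, the log is missing on this host and nothing will flow to InsightIDR.
$log = Get-WinEvent -ListLog $logName -ErrorAction Stop
"{0}: enabled={1} records={2}" -f $log.LogName, $log.IsEnabled, $log.RecordCount

# 2. Event IDs worth checking (meanings per Microsoft's Defender Antivirus docs).
$ids = @{
    1116 = 'Malware or PUA detected'
    1117 = 'Action taken on detected threat'
    1118 = 'Action on detected threat failed'
    5001 = 'Real-time protection disabled'
    5007 = 'Defender configuration changed'
    5010 = 'Malware/PUA scanning disabled'
    5012 = 'Virus scanning disabled'
}

# 3. Pull matching events from the last 24 hours (window chosen for this example).
#    -ErrorAction SilentlyContinue suppresses the "No events were found" error when
#    the host has had no such events in the window.
$filter = @{
    LogName   = $logName
    Id        = @($ids.Keys)
    StartTime = (Get-Date).AddDays(-1)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Meaning'; e = { $ids[$_.Id] } },
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

If step 1 reports `enabled=False` or `records=0`, the agent has nothing to collect from this host; check that Defender (or SCEP writing to this log) is actually running before looking for the events in InsightIDR. Events 5001, 5010 and 5012 are the ones to watch for tampering, since they indicate protection being switched off rather than a detection.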


Microsoft System Center Endpoint Protection Events

If you are using Microsoft System Center Endpoint Protection (SCEP) and the events are written to the Windows Defender Antivirus operational log, then these events are collected in the same manner for Microsoft SCEP as for Windows Defender.
