Microsoft Defender
Defender Antivirus/Endpoint logs: malware detections, remediation steps, cloud intel updates and tamper alerts.
Enginsight Global Fields (4)
Field | Description | Type |
---|---|---|
ngs.id | Unique identifier for the log entry. | string |
ngs.createdAt | Timestamp when the event was created locally. | pdate |
ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
ngs.source | Origin or source system of the log. | string |
Reference-Specific Fields (105)
Field | Type |
---|---|
windef.Product_Status_Flags | text_general [] |
windef.Event_Symbolic_Name | string |
windef.Scan_Resources | text_general |
windef.State_Name | text_general |
windef.New_Value | text_general |
windef.Old_Value | text_general |
windef.Product_Name | text_general |
windef.Product_Version | string |
windef.Domain | text_general |
windef.SID | text_general |
windef.User | text_general |
windef.Current_Engine_Version | string |
windef.Current_Security_Intelligence_Version | string |
windef.Previous_Engine_Version | string |
windef.Previous_Security_Intelligence_Version | string |
windef.Security_Intelligence_Type | text_general |
windef.Security_Intelligence_Type_Index | plong |
windef.Update_Type | string |
windef.Update_Type_Index | plong |
windef.FWLink | text_general |
windef.Path | text_general |
windef.State | plong |
windef.Action_ID | plong |
windef.Action_Name | text_general |
windef.Additional_Actions_ID | plong |
windef.Additional_Actions | string [] |
windef.Category_ID | plong |
windef.Category_Name | string |
windef.Detection_ID | string |
windef.Detection_Time | pdate |
windef.Detection_User | text_general |
windef.Error_Code | string |
windef.Error_Message | text_general |
windef.Error_Description | text_general |
windef.Execution_ID | plong |
windef.Execution_Name | string |
windef.Origin_ID | plong |
windef.Origin_Name | string |
windef.Post_Clean_Status | plong |
windef.Pre_Execution_Status | plong |
windef.Process_Name | text_general |
windef.Severity_ID | plong |
windef.Severity_Name | string |
windef.Source_ID | plong |
windef.Source_Name | string |
windef.Status_Code | plong |
windef.Threat_ID | plong |
windef.Threat_Name | text_general |
windef.Type_ID | plong |
windef.Type_Name | string |
windef.Engine_Version | string |
windef.Security_Intelligence_Version | string |
windef.AS_Security_Intelligence_Creation_Time | pdate |
windef.AS_Security_Intelligence_Version | string |
windef.AV_Security_Intelligence_Creation_Time | pdate |
windef.AV_Security_Intelligence_Version | string |
windef.BM_State | string |
windef.Engine_Up_To_Date | boolean |
windef.IOAV_State | string |
windef.Last_AS_Security_Intelligence_Age | plong |
windef.Last_AV_Security_Intelligence_Age | plong |
windef.Last_Full_Scan_Age | plong |
windef.Last_Full_Scan_End_Time | pdate |
windef.Last_Full_Scan_Source | plong |
windef.Last_Full_Scan_Start_Time | pdate |
windef.Last_Quick_Scan_Age | plong |
windef.Last_Quick_Scan_End_Time | pdate |
windef.Last_Quick_Scan_Source | plong |
windef.Last_Quick_Scan_Start_Time | pdate |
windef.Latest_Engine_Version | string |
windef.Platform_Version | string |
windef.Latest_Platform_Version | string |
windef.NRI_Engine_Version | string |
windef.NRI_Security_Intelligence_Version | string |
windef.OA_State | string |
windef.Platform_Up_To_Date | boolean |
windef.Product_Status | string |
windef.RTP_State | string |
windef.Configuration | plong |
windef.Feature_ID | plong |
windef.Feature_Name | string |
windef.Remediation_User | text_general |
windef.Dynamic_Security_Intelligence_Compilation_Timestamp | pdate |
windef.Dynamic_Security_Intelligence_Type | string |
windef.Dynamic_Security_Intelligence_Type_Index | plong |
windef.Dynamic_Security_Intelligence_Version | string |
windef.Persistence_Limit_Type | string |
windef.Persistence_Limit_Type_Index | string |
windef.Persistence_Limit_Value | plong |
windef.Persistence_Path | text_general |
windef.Cloud_Protection_Intelligence_Compilation_Timestamp | text_general |
windef.Cloud_Protection_Intelligence_Type | string |
windef.Cloud_Protection_Intelligence_Type_Index | plong |
windef.Cloud_Protection_Intelligence_Version | string |
windef.Feature_Index | plong |
windef.Scan_ID | string |
windef.Scan_Parameters | string |
windef.Scan_Parameters_Index | plong |
windef.Scan_Type | string |
windef.Scan_Type_Index | plong |
windef.Scan_Time_Hours | pint |
windef.Scan_Time_Minutes | pint |
windef.Scan_Time_Seconds | pint |
windef.Removal_Reason_Index | plong |
windef.Removal_Reason_Value | string |
Sample Log Event
Below is a representative JSON log entry showing key fields as they’re emitted by the system. Depending on the context of the event, some fields may be omitted if they’re not applicable.