Microsoft Defender
Microsoft Defender for Endpoint is Microsoft's built-in antivirus and EDR solution for Windows, macOS, Linux and mobile.
Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.id | Unique identifier for the log entry. | string |
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Reference-Specific Fields (105)
| Field | Description | Type |
|---|---|---|
| windef.Product_Status_Flags | Bit-mask flags that summarise the current Defender product state (e.g., real-time protection on/off, engine outdated, passive mode). | text_general [] |
| windef.Event_Symbolic_Name | Symbolic identifier of the Windows Defender event (e.g., MALWARE_DETECTED, CLEANUP_SUCCESS). | string |
| windef.Scan_Resources | Comma-separated list of file paths, process names or URLs that were scanned during the job. | text_general |
| windef.State_Name | Human-readable Defender service state after the operation (Running, Stopped, Vulnerable, ...). | text_general |
| windef.New_Value | Value of a Defender setting after it was changed (e.g., new registry data, policy value). | text_general |
| windef.Old_Value | Previous value of the same setting before the change took place. | text_general |
| windef.Product_Name | Friendly product name reported by the Defender engine (e.g., "Microsoft Defender for Endpoint"). | text_general |
| windef.Product_Version | Full product version string of the Defender installation. | string |
| windef.Domain | Active Directory or Entra ID domain name of the host on which the event occurred. | text_general |
| windef.SID | Security Identifier of the account associated with the event. | text_general |
| windef.User | User name (DOMAIN\user or UPN) under whose context the detection or action was logged. | text_general |
| windef.Current_Engine_Version | Version of the malware-scan engine currently active on the host. | string |
| windef.Current_Security_Intelligence_Version | Version number of the installed malware definition (security-intelligence) database. | string |
| windef.Previous_Engine_Version | Engine version installed before the most recent update. | string |
| windef.Previous_Security_Intelligence_Version | Definition version that was active prior to the latest update. | string |
| windef.Security_Intelligence_Type | Channel or package type of the signature update (e.g., AV, AS, NIS). | text_general |
| windef.Security_Intelligence_Type_Index | Numeric index corresponding to the security-intelligence type. | plong |
| windef.Update_Type | Update mechanism that delivered the engine or signatures (Manual, WSUS, MMPC, UNC path). | string |
| windef.Update_Type_Index | Numeric code for the update type. | plong |
| windef.FWLink | Microsoft FWLink URL providing additional help or threat information. | text_general |
| windef.Path | Full path of the file or resource involved in the detection or action. | text_general |
| windef.State | Integer value representing the Defender operational state (0 = clean, 1 = infected, ...). | plong |
| windef.Action_ID | Numeric action identifier (e.g., 1 = Clean, 2 = Quarantine, 3 = Remove). | plong |
| windef.Action_Name | Textual name corresponding to the Action_ID. | text_general |
| windef.Additional_Actions_ID | Array of follow-up action IDs that were also executed on the item. | plong |
| windef.Additional_Actions | Readable list of the additional actions (e.g., RebootRequired, UserNotified). | string [] |
| windef.Category_ID | Numerical malware category (e.g., 1 = Virus, 4 = Trojan). | plong |
| windef.Category_Name | Textual malware category name. | string |
| windef.Detection_ID | GUID that uniquely identifies the detection event. | string |
| windef.Detection_Time | Timestamp when the threat was detected (ISO-8601). | pdate |
| windef.Detection_User | Account that triggered or is affected by the detection. | text_general |
| windef.Error_Code | Hexadecimal or decimal Windows error code returned by Defender. | string |
| windef.Error_Message | Short error message string. | text_general |
| windef.Error_Description | Verbose description of the error condition. | text_general |
| windef.Execution_ID | Numeric identifier of the execution context (scan run or remediation job). | plong |
| windef.Execution_Name | Friendly name for the execution context (e.g., "Quick Scan", "Context Scan"). | string |
| windef.Origin_ID | Integer indicating where the detection originated (0 = Local Scan, 1 = RealTime). | plong |
| windef.Origin_Name | Text form of Origin_ID. | string |
| windef.Post_Clean_Status | Result status after remediation (e.g., 0 = Success, 1 = Failed). | plong |
| windef.Pre_Execution_Status | Status of the item before remediation actions began. | plong |
| windef.Process_Name | Process executable involved in the detection (if applicable). | text_general |
| windef.Severity_ID | Numeric threat severity level (e.g., 4 = Severe). | plong |
| windef.Severity_Name | Textual name of the severity (Low, Moderate, High, Severe). | string |
| windef.Source_ID | Internal component that raised the event (numeric). | plong |
| windef.Source_Name | Component name matching Source_ID (e.g., "Real-Time Protection"). | string |
| windef.Status_Code | Overall status result code for the event. | plong |
| windef.Threat_ID | Internal numerical threat identifier used by Microsoft's malware encyclopedia. | plong |
| windef.Threat_Name | Family or variant name of the detected malware (e.g., Trojan:Win32/Emotet). | text_general |
| windef.Type_ID | Integer representing the threat type (e.g., 0 = Unknown, 1 = Virus). | plong |
| windef.Type_Name | Text form of the threat type. | string |
| windef.Engine_Version | Engine version that produced the detection (useful in telemetry events). | string |
| windef.Security_Intelligence_Version | Signature (security-intelligence) version at the time of detection. | string |
| windef.AS_Security_Intelligence_Creation_Time | Timestamp when antispyware definitions were built. | pdate |
| windef.AS_Security_Intelligence_Version | Version of antispyware definitions. | string |
| windef.AV_Security_Intelligence_Creation_Time | Timestamp when antivirus definitions were compiled. | pdate |
| windef.AV_Security_Intelligence_Version | Version of antivirus definitions. | string |
| windef.BM_State | Behaviour-monitor (AMSI) state string (Enabled, Disabled, ...). | string |
| windef.Engine_Up_To_Date | Boolean indicating whether the malware engine is current (true/false). | boolean |
| windef.IOAV_State | State of Internet-Oriented Antimalware scanning (Enabled, Audit, Disabled). | string |
| windef.Last_AS_Security_Intelligence_Age | Age in days since antispyware definitions were last updated. | plong |
| windef.Last_AV_Security_Intelligence_Age | Age in days since antivirus definitions were last updated. | plong |
| windef.Last_Full_Scan_Age | Days since the last full scan completed. | plong |
| windef.Last_Full_Scan_End_Time | Timestamp when the most recent full scan finished. | pdate |
| windef.Last_Full_Scan_Source | Trigger source of the last full scan (1 = User, 2 = Schedule). | plong |
| windef.Last_Full_Scan_Start_Time | Timestamp when the last full scan started. | pdate |
| windef.Last_Quick_Scan_Age | Days since the last quick scan completed. | plong |
| windef.Last_Quick_Scan_End_Time | Timestamp when the most recent quick scan finished. | pdate |
| windef.Last_Quick_Scan_Source | Trigger source of the last quick scan. | plong |
| windef.Last_Quick_Scan_Start_Time | Timestamp when the last quick scan began. | pdate |
| windef.Latest_Engine_Version | Most recent engine version available according to the Microsoft update service. | string |
| windef.Platform_Version | Version number of the Defender platform components (mpclient.dll etc.). | string |
| windef.Latest_Platform_Version | Newest platform version available from Microsoft. | string |
| windef.NRI_Engine_Version | Network Reinspection and Isolation engine version. | string |
| windef.NRI_Security_Intelligence_Version | Signature version used by the NRI engine. | string |
| windef.OA_State | Overall assessment state (Green, Yellow, Red) reported by Defender. | string |
| windef.Platform_Up_To_Date | Boolean showing whether the platform binaries are current. | boolean |
| windef.Product_Status | Overall Defender product status string (e.g., "UpToDate", "TamperProtected"). | string |
| windef.RTP_State | Real-Time Protection (RTP) state string (On, Off, Audit). | string |
| windef.Configuration | Numeric code holding aggregated configuration bit flags. | plong |
| windef.Feature_ID | Numeric identifier of a Defender feature that raised an event. | plong |
| windef.Feature_Name | Readable name of the feature (e.g., "Tamper Protection"). | string |
| windef.Remediation_User | Account under which remediation actions were executed. | text_general |
| windef.Dynamic_Security_Intelligence_Compilation_Timestamp | Build time of the dynamic SI (machine-learning) model applied. | pdate |
| windef.Dynamic_Security_Intelligence_Type | Update type for dynamic security intelligence. | string |
| windef.Dynamic_Security_Intelligence_Type_Index | Numeric code for the dynamic SI type. | plong |
| windef.Dynamic_Security_Intelligence_Version | Version number of the dynamic SI package. | string |
| windef.Persistence_Limit_Type | Type of persistence limit policy triggered (Time, Count). | string |
| windef.Persistence_Limit_Type_Index | Numeric code for the persistence limit type. | string |
| windef.Persistence_Limit_Value | Configured value for the persistence limit (e.g., days allowed in Quarantine). | plong |
| windef.Persistence_Path | Path of the file or key that exceeded the persistence limit. | text_general |
| windef.Cloud_Protection_Intelligence_Compilation_Timestamp | Build timestamp of cloud-delivered protection intelligence. | text_general |
| windef.Cloud_Protection_Intelligence_Type | Type/category of the cloud-protection intelligence package. | string |
| windef.Cloud_Protection_Intelligence_Type_Index | Numeric index for the cloud PI type. | plong |
| windef.Cloud_Protection_Intelligence_Version | Version identifier for the cloud intelligence bundle. | string |
| windef.Feature_Index | Index value used internally to reference a feature. | plong |
| windef.Scan_ID | Identifier for the scan session that produced the event. | string |
| windef.Scan_Parameters | Raw parameter string supplied to the scan (switches, scope). | string |
| windef.Scan_Parameters_Index | Numeric code set that encodes the scan parameters. | plong |
| windef.Scan_Type | Type of scan run (Quick, Full, Custom, Context). | string |
| windef.Scan_Type_Index | Numeric code of the scan type. | plong |
| windef.Scan_Time_Hours | Hours component of the total scan duration. | pint |
| windef.Scan_Time_Minutes | Minutes component of the scan duration. | pint |
| windef.Scan_Time_Seconds | Seconds component of the scan duration. | pint |
| windef.Removal_Reason_Index | Numeric reason code why an item was removed from Quarantine. | plong |
| windef.Removal_Reason_Value | Text equivalent of the removal reason (e.g., TimedOut, UserRestored). | string |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.