Windows Defender Logs
Overview
Evidence: Windows Defender Logs
Description: Collect Windows Defender Logs
Category: Applications
Platform: windows
Short Name: wnddfndrls
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes
Background
Windows Defender (now Microsoft Defender) is the built-in antivirus solution in Windows. It maintains support logs, EVTX event logs, and MpCmdRun command-line scan logs across current and legacy Windows installations.
Data Collected
This collector gathers the Windows Defender log files themselves: support logs, EVTX event logs, and MpCmdRun command-line scan logs. The files are collected as-is and are not parsed.
Collection Method
This collector gathers Windows Defender support logs, event logs from both current and Windows.old installations, and MpCmdRun logs from Microsoft AntiMalware and Windows Defender directories.
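The collection described above, as an added PowerShell example that is not the collector's own code. The source locations are the standard Windows paths for these artifacts; the output folder $Dest and the decision to also export the live event channels with wevtutil are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not the collector's own code: gather the Defender artifacts
# listed above into one folder and write a SHA-256 manifest. $Dest is an
# assumed output location; the source paths are standard Windows locations.
param([string]$Dest = "C:\Collect\Defender_$(Get-Date -Format 'yyyyMMdd_HHmmss')")

New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# Current installation plus a Windows.old left by an in-place upgrade, if present
$Roots = @('C:', 'C:\Windows.old') | Where-Object { Test-Path "$_\Windows" }

$Sources = foreach ($r in $Roots) {
    "$r\ProgramData\Microsoft\Windows Defender\Support"       # MPLog-*, MPDetection-*
    "$r\ProgramData\Microsoft\Microsoft AntiMalware\Support"  # legacy SCEP/MSE support logs
    "$r\Windows\Temp\MpCmdRun.log"                            # MpCmdRun run as SYSTEM
    "$r\Users\*\AppData\Local\Temp\MpCmdRun.log"              # MpCmdRun run by a user
    "$r\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4*.evtx"
}

foreach ($src in $Sources) {
    foreach ($f in Get-ChildItem -Path $src -File -Recurse -ErrorAction SilentlyContinue) {
        # Keep the original path under $Dest so current and Windows.old copies stay distinct
        $rel = $f.FullName -replace '^[A-Za-z]:\\', ''
        $out = Join-Path $Dest $rel
        New-Item -ItemType Directory -Path (Split-Path $out) -Force | Out-Null
        try   { Copy-Item -LiteralPath $f.FullName -Destination $out -Force -ErrorAction Stop }
        catch { Write-Warning "Skipped $($f.FullName): $($_.Exception.Message)" }
    }
}

# The live channels can be locked or mid-write; export a consistent copy with wevtutil too
foreach ($log in 'Microsoft-Windows-Windows Defender/Operational',
                 'Microsoft-Windows-Windows Defender/WHC') {
    $name = ($log -replace '[/ ]', '_') + '.evtx'
    wevtutil epl $log (Join-Path $Dest $name)
}

# SHA-256 manifest so the collected set can be integrity-checked later
Get-ChildItem -Path $Dest -File -Recurse |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $Dest 'manifest.csv') -NoTypeInformation
```

Run it from an elevated PowerShell session; files that cannot be read are reported with a warning rather than stopping the collection.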
Forensic Value
Windows Defender logs are critical for investigating malware detections on Windows systems, providing scan results, real-time protection events, threat intelligence, and command-line scan activities. They’re often the primary source of antivirus data on modern Windows endpoints.