Monitoring system security is crucial for maintaining a secure IT environment. One effective way to track potential security threats is by monitoring Windows Defender malware detections through custom event log alerts.
Windows Defender provides built-in protection against malware and other security threats. By monitoring its event logs, IT teams can stay informed about potential security risks and take appropriate actions to maintain security compliance.
To monitor Windows Defender activity, you can configure a threshold profile that tracks the relevant events from the Windows event log (the same entries you would see in Windows Event Viewer).
1. Access the Admin section, select Monitoring and Automation > Thresholds, then click the Add Profile button. (Alternatively, add the thresholds to an existing profile by selecting the desired threshold profile.)
2. Enter the profile name, then click on Save.
3. On the Threshold Profiles page, click the New Item button.
4. Click the Custom option and enter the following details:
- Category: Events By Source
- Alert Severity: Select the desired severity for your alerts.
- Source Folder: Other
- Custom Folder: Microsoft-Windows-Windows Defender/Operational
- Windows Event Severity: Warning
- Source Names or Event IDs: 1006,1007,1013,1015,1116,1117,1118
5. Click on Add to save your threshold item.
6. Click on Save.
All done. If you have created a new profile, make sure to assign it to your devices.
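To confirm on a device what this profile will actually match, the PowerShell below (an added example, not part of the original article or of the monitoring product) reads the Windows Defender provider's event definitions for the seven event IDs above, showing the level each one is written at, and then queries the Operational log for any such events from the last seven days. It uses only the built-in Get-WinEvent cmdlet; the event IDs, log name and provider name are the ones referenced in the steps above.

```powershell
# Added example (not from the original article): inspect the Windows Defender
# events that the threshold profile above watches, on a single device.

$eventIds = 1006, 1007, 1013, 1015, 1116, 1117, 1118
$logName  = 'Microsoft-Windows-Windows Defender/Operational'

# 1. Provider metadata: the level (Information/Warning/Error) each event ID is
#    written at, plus its description. Compare these levels with the
#    "Windows Event Severity" chosen in step 4 of the profile.
$provider = Get-WinEvent -ListProvider 'Microsoft-Windows-Windows Defender'
$provider.Events |
    Where-Object { $eventIds -contains $_.Id } |
    Sort-Object Id -Unique |
    Select-Object Id,
        @{ Name = 'Level';       Expression = { $_.Level.DisplayName } },
        @{ Name = 'Description'; Expression = { ($_.Description -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 2. Events actually written in the last 7 days with those IDs. An empty result
#    here means no matching events exist on this device yet, not that the
#    profile is misconfigured.
$recent = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = $eventIds
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$recent |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

Run it in a PowerShell prompt on the monitored device. The first table tells you, for each event ID, which level the event carries; the second shows what has already been logged, which is a quick way to check the profile's event IDs and severity setting against real entries before relying on the alert.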
Thank you joseph.foran, for the idea. For more details, check out the thread on our community.