How to Monitor Windows Defender on the Endpoints

In a previous article I described how to manage Windows Defender from Group Policy.

But in order to keep your Endpoints safe, the most important step is monitoring and alerting on any strange activity or update issue that would put your Endpoint in danger or leave it out of date.

Today I will explain how to keep Windows Defender up to date on the Endpoints and how to centralize the Windows Defender logs for monitoring, so that you can enable different alerts for a faster response.

Microsoft has different solutions for monitoring and alerting on Windows Defender in the Endpoints, like Microsoft Endpoint Manager, Intune and Group Policy.

Today I will explain how to use Group Policy, WSUS and the Event Logs to achieve this goal.

How to keep Windows Defender up to date


There are two different ways to update the virus definitions and signatures of Windows Defender. One is from Group Policy and the other is with WSUS.

With Group Policy you have the disadvantage that an out-of-date status is only written in the Event Logs. So you need to check the Event Logs for the specific Event Id to identify Endpoints which may be out of date.

If you decide to use Group Policy, follow these steps to enable it:

  • Log in to the Domain Controller
  • Open the Group Policy Management Console
  • Expand Computer Configuration -- Policies -- Administrative Templates -- Windows Components -- Windows Defender
  • Click Signature updates and make the following changes
    • Set Allow definitions updates when running on battery mode to Enabled
    • Specify the time to check for definition updates: change it based on your requirements.
    • As you can see, Specify the day of the week to check for definitions updates is Not Configured because the default value is Every Day.


  • If you have a lot of Endpoints you can create an Organizational Unit and include all the Endpoints in it
  • Then, from the Group Policy Management Console, right click the specific Organizational Unit and click Group Policy Update.
  • You will get the results. Troubleshoot any error that you may encounter.
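As an added example (not part of the original article), instead of searching every Event Log by hand for an out-of-date Endpoint, you can ask each Endpoint for its own signature status with the built-in Defender cmdlet over PowerShell Remoting. It assumes WinRM is enabled on the Endpoints; the computer names and the age threshold are placeholders.

```powershell
# Added example, not from the original article: ask each endpoint for its own
# Defender signature status instead of searching every Event Log by hand.
# Assumptions: PowerShell Remoting (WinRM) is enabled on the endpoints and the
# computer names below are placeholders for your own list or OU.
$Endpoints    = @('PC01', 'PC02', 'PC03')   # placeholder computer names
$MaxAgeInDays = 3                           # treat signatures older than this as out of date

# Get-MpComputerStatus is the built-in Defender cmdlet; it reports the signature
# version, its age in days and whether real-time protection is on.
$Status = Invoke-Command -ComputerName $Endpoints -ErrorAction SilentlyContinue -ScriptBlock {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        SignatureVersion   = $s.AntivirusSignatureVersion
        SignatureUpdated   = $s.AntivirusSignatureLastUpdated
        SignatureAgeDays   = $s.AntivirusSignatureAge
        EngineVersion      = $s.AMEngineVersion
        RealTimeProtection = $s.RealTimeProtectionEnabled
    }
}

# An endpoint that does not answer is as interesting as an out-of-date one.
$Unreachable = $Endpoints | Where-Object { $_ -notin @($Status.Computer) }

# Out of date, or protection switched off, is what we want to alert on.
$NeedsAttention = $Status | Where-Object {
    $_.SignatureAgeDays -gt $MaxAgeInDays -or -not $_.RealTimeProtection
}

$Status | Sort-Object SignatureAgeDays -Descending |
    Format-Table Computer, SignatureVersion, SignatureUpdated, SignatureAgeDays, RealTimeProtection -AutoSize

if ($NeedsAttention) { Write-Warning ("Out of date or unprotected: " + ($NeedsAttention.Computer -join ', ')) }
if ($Unreachable)    { Write-Warning ("Unreachable: " + ($Unreachable -join ', ')) }
```

Run it from a management host after the Group Policy Update to confirm the new schedule is actually taking effect on the Endpoints.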


With WSUS the advantage is that you can see the centralized status of the Windows Defender updates on the Endpoints at any time.

If you have WSUS in your environment, follow these steps to deploy the Windows Defender updates:

  • Open the WSUS console
  • Click Options -- Products and Classifications
  • Go to the bottom, find Microsoft Defender Antivirus and check it.


  • As a recommendation, to automatically approve these specific updates, in Options click Automatic Approvals
  • Click New Rule


  • Check When an update is in a specific product. Click Product and find Microsoft Defender Antivirus.
  • In the line Approve the update for all computers, click all computers and check the Group that you would like to deploy to.
  • Give the Rule a name
  • Click OK


How to Monitor and Alert on Windows Defender


The most efficient way today to monitor Windows Defender is Microsoft Endpoint Manager from Microsoft 365, or Microsoft Intune.

But today we talk about monitoring Windows Defender when you don't have any Microsoft 365 cloud subscription.

Then the only way, so far, to monitor it is to centralize the Event Logs in a third-party Log Management solution or SIEM that may already exist in your environment.

In case you don't have any of the above solutions, you can use Graylog as the Log Management solution for your environment, or at least to monitor Windows Defender.

You can learn how to set up and configure Graylog from my article How to collect Applocker Logs from all Endpoints in one place.

What can you do?

  • First of all, let's find out where the logs from Windows Defender are stored
  • Open the Event Viewer and expand Microsoft -- Windows -- Windows Defender.
  • Click Operational and you can find all the logs
  • Also, in Graylog you can add any Event Log just by writing its Log Name, as you can see here or in your own Event Logs


  • Install the Graylog Agent as described in the paragraph How to install Graylog Sidecar agent from the article How to collect Applocker Logs from all Endpoints in one place that I mentioned above.
  • Open Graylog
  • Go to System -- Sidecar


  • Find the sidecar that you have already created and click Edit


  • Go to the Configuration and add - name: Microsoft-Windows-Windows Defender/Operational as the last line of the event log list
  • Click Update


That's it!! Any Endpoint that has the Graylog Agent installed and the sidecar applied, as described in the article How to collect Applocker Logs from all Endpoints in one place, will then start to send all the Windows Defender Event Logs.

For more details on how to analyze the logs or create alerts, you can read the Graylog documentation at https://docs.graylog.org/en/4.0/index.html
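Before building alerts in Graylog it helps to see, on one Endpoint, what the forwarded log actually contains. The following is an added example (not from the article or from Graylog) that reads the same Microsoft-Windows-Windows Defender/Operational log locally and summarizes the Event Ids a defender would alert on; the Event Ids come from Microsoft's Defender Antivirus event reference, and the seven-day look-back window is an assumption.

```powershell
# Added example, not from the original article: read the log the sidecar forwards
# and summarise the Defender events worth alerting on. The event IDs are the ones
# Microsoft documents for Defender Antivirus; the look-back window is an assumption.
$LogName  = 'Microsoft-Windows-Windows Defender/Operational'
$LookBack = (Get-Date).AddDays(-7)

# Event IDs and what they mean (Microsoft's Defender Antivirus event reference).
$Watched = @{
    1116 = 'Malware or unwanted software detected'
    1117 = 'Action taken on detected malware'
    2001 = 'Security intelligence (signature) update failed'
    2003 = 'Engine update failed'
    5001 = 'Real-time protection disabled'
}

# Get-WinEvent raises an error instead of returning nothing when no event matches,
# so treat "no events" as a normal outcome rather than a failure.
$Events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = $LogName
    Id        = [int[]]$Watched.Keys
    StartTime = $LookBack
}

if (-not $Events) {
    Write-Output "No watched Defender events in $LogName since $LookBack."
    return
}

# One row per event type with count and last occurrence; this is the shape of the
# alert conditions you would later define in Graylog.
$Events |
    Group-Object Id |
    ForEach-Object {
        [pscustomobject]@{
            EventId  = [int]$_.Name
            Meaning  = $Watched[[int]$_.Name]
            Count    = $_.Count
            LastSeen = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        }
    } |
    Sort-Object EventId |
    Format-Table -AutoSize

# Detections deserve the full message, which carries the threat name and path.
$Events | Where-Object Id -eq 1116 | Select-Object TimeCreated, Message | Format-List
```

If the summary shows events locally but nothing arrives in Graylog, the sidecar configuration (the log name line added above) is the first place to look.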

As you can see, with little effort we can create a monitoring solution for Windows Defender.

Have a nice weekend !!