Reviewing Microsoft Defender Antivirus event logs for malicious activity


Dear all

When reviewing event logs for Microsoft Defender Antivirus, and wanting to find out if something malicious was stopped, quarantined, removed, etc.

What else should I consider looking for besides the following (I know some of them are mentioned more than once):

Detection:
1006
1015
1116
1117
1118
1119 (fail)
1127

Quarantine:
1007
1008
1117
1118
1119

Removal:
1007
1008
1011
1117
1118
1119

Thank you
Why don't you have a look at the Protection History at Security Center?
Because the event logs for Microsoft Defender Antivirus tell / show more information?
Good luck figuring out the logs from Microsoft Defender Antivirus.
You can also just call either of these from PowerShell:
Get-MpThreat
# - or -
Get-MpThreatDetection
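The two cmdlets named above give a per-detection view that is easier to query than the event log, but they return numeric IDs rather than names. The following is an added example (not code from the thread or from Microsoft) that joins Get-MpThreatDetection (one record per detection: when, what action, whether it succeeded) with Get-MpThreat (the threat catalogue: name, severity) on ThreatID and renders the numeric status codes as text. The code-to-name maps are my reading of the MSFT_MpThreatDetection and MSFT_MpThreat documentation; treat them as an assumption and check them against the documentation for your build. Both cmdlets come from the built-in Defender module on Windows 10/11.

```powershell
# Added example, not from the thread. Assumption: the status and severity
# code maps below match the MSFT_MpThreatDetection / MSFT_MpThreat docs.
$ThreatStatus = @{
    0 = 'Unknown'; 1 = 'Detected'; 2 = 'Cleaned'; 3 = 'Quarantined'; 4 = 'Removed'
    5 = 'Allowed'; 6 = 'Blocked'; 102 = 'QuarantineFailed'; 103 = 'RemoveFailed'
    104 = 'AllowFailed'; 105 = 'Abandoned'; 107 = 'BlockFailed'
}
$Severity = @{ 0 = 'Unknown'; 1 = 'Low'; 2 = 'Moderate'; 4 = 'High'; 5 = 'Severe' }

function Get-DefenderDetectionSummary {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)

    # Index the threat catalogue by ThreatID (a uint64, so key it as a string
    # to avoid hashtable type mismatches on lookup).
    $threats = @{}
    foreach ($t in @(Get-MpThreat)) { $threats[[string]$t.ThreatID] = $t }

    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        ForEach-Object {
            $t = $threats[[string]$_.ThreatID]
            [pscustomobject]@{
                Detected   = $_.InitialDetectionTime
                ThreatName = if ($t) { $t.ThreatName } else { "ThreatID $($_.ThreatID)" }
                Severity   = if ($t) { $Severity[[int]$t.SeverityID] } else { '' }
                # Cast to [int]: the CIM property is unsigned and would not hit the Int32 keys.
                Status     = $ThreatStatus[[int]$_.ThreatStatusID]
                Succeeded  = $_.ActionSuccess
                Resources  = (@($_.Resources) -join '; ')
                Process    = $_.ProcessName
                User       = $_.DomainUser
            }
        } |
        Sort-Object Detected -Descending
}

# Everything from the last 30 days, newest first.
$detections = Get-DefenderDetectionSummary -Days 30
$detections | Format-Table Detected, ThreatName, Severity, Status, Succeeded, Resources -AutoSize

# The rows that matter for "was it actually stopped": failed or unfinished actions.
$detections | Where-Object { -not $_.Succeeded -or $_.Status -like '*Failed' -or $_.Status -eq 'Detected' } |
    Format-List
```

Resources is a string array (a detection can involve several files or registry keys), which is why it is joined before display; the raw objects are still available in `$detections` for further filtering.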
There is also 1123 - Remediation completed successfully
5010 - File scanned and determined to be infected
Good luck figuring out the logs from Microsoft Defender Antivirus.
  1. Open Event Viewer.
  2. In the console tree, expand Applications and Services Logs > Microsoft > Windows > Windows Defender.
  3. Double-click on Operational.
All the codes are explained here:

I assume that the Security Center only gives a brief overview of the most important things, and the event log and error codes (above) give more information?
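Reading those events one at a time in Event Viewer does not scale. The following is an added example (not code from the thread or from Microsoft) that reads the same channel the steps above open, keeps the event IDs collected in this thread (the opening post's Detection / Quarantine / Removal lists plus the 1123 and 5010 IDs from the replies), and flattens each event's EventData into one row so detections and their outcomes can be sorted and filtered. It makes two assumptions: that the EventData field names used ('Threat Name', 'Path', 'Action Name', 'Detection User', 'Severity Name', 'Error Code') are the ones Defender writes for the 1116/1117-style events, and that the sample event embedded at the end, which is constructed so the parser can be checked offline, is representative. A field an event does not carry is left empty, and the event's own message text is kept as Summary so the meaning of each ID comes from the event itself rather than from a lookup table.

```powershell
# Added example, not code from the thread. Assumes the EventData field names
# listed in the lead-in; the sample event at the bottom is constructed.
$DefenderLog = 'Microsoft-Windows-Windows Defender/Operational'

# Groups as listed in the opening post; 1123 and 5010 were added in replies.
$EventGroups = @{
    Detection  = @(1006, 1015, 1116, 1117, 1118, 1119, 1127)
    Quarantine = @(1007, 1008, 1117, 1118, 1119)
    Removal    = @(1007, 1008, 1011, 1117, 1118, 1119)
    Replies    = @(1123, 5010)
}
$EventIds = @($EventGroups.Values | ForEach-Object { $_ } | Sort-Object -Unique)

function ConvertFrom-DefenderEventXml {
    param(
        [Parameter(Mandatory)][string]$Xml,
        [string]$Message = ''
    )
    $doc = [xml]$Xml
    $eid = $doc.Event.System.EventID
    if ($eid -is [System.Xml.XmlElement]) { $eid = $eid.'#text' }   # EventID may carry a Qualifiers attribute
    $id = [int]$eid

    # Flatten <Data Name="...">value</Data> into a lookup table.
    $fields = @{}
    foreach ($d in @($doc.Event.EventData.Data)) {
        if ($d -is [System.Xml.XmlElement] -and $d.HasAttribute('Name')) {
            $fields[$d.GetAttribute('Name')] = $d.InnerText
        }
    }
    $groups = foreach ($g in $EventGroups.GetEnumerator()) { if ($g.Value -contains $id) { $g.Key } }

    [pscustomobject]@{
        TimeCreated = [datetime]$doc.Event.System.TimeCreated.SystemTime
        EventId     = $id
        Groups      = (@($groups) | Sort-Object) -join ','
        ThreatName  = $fields['Threat Name']
        Severity    = $fields['Severity Name']
        Path        = $fields['Path']
        Action      = $fields['Action Name']
        User        = $fields['Detection User']
        ErrorCode   = $fields['Error Code']
        Summary     = ($Message -split "`r?`n")[0]
    }
}

function Get-DefenderThreatEvents {
    param([int]$Days = 30)
    # Get-WinEvent writes a non-terminating error instead of returning nothing
    # when no event matches, hence SilentlyContinue.
    Get-WinEvent -FilterHashtable @{
        LogName   = $DefenderLog
        Id        = $EventIds
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-DefenderEventXml -Xml $_.ToXml() -Message $_.Message }
}

# Constructed sample of a 1116 event (not a real capture) so the parser can be
# checked offline; the threat name is Defender's detection for the EICAR test file.
$SampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Windows Defender" />
    <EventID>1116</EventID>
    <TimeCreated SystemTime="2024-05-01T10:05:00.000Z" />
    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
    <Computer>LAB-PC</Computer>
  </System>
  <EventData>
    <Data Name="Product Name">Microsoft Defender Antivirus</Data>
    <Data Name="Threat Name">Virus:DOS/EICAR_Test_File</Data>
    <Data Name="Severity Name">Severe</Data>
    <Data Name="Path">file:_C:\Users\lab\Downloads\eicar.com</Data>
    <Data Name="Detection User">LAB-PC\lab</Data>
    <Data Name="Process Name">C:\Windows\explorer.exe</Data>
    <Data Name="Action Name">Not Applicable</Data>
  </EventData>
</Event>
'@
ConvertFrom-DefenderEventXml -Xml $SampleEventXml -Message 'Sample detection message' | Format-List

# Live query: newest first, then only the events that report a failed action.
$events = Get-DefenderThreatEvents -Days 30 | Sort-Object TimeCreated -Descending
$events | Format-Table TimeCreated, EventId, Groups, ThreatName, Action, Path -AutoSize
$events | Where-Object { $_.EventId -in 1008, 1118, 1119 } | Format-List
```

The Groups column shows which of the opening post's lists an ID belongs to, which is also why the same ID appears under more than one heading there: 1117, for example, is written for any successful action, whether that was a block, a quarantine or a removal, and the Action field is what tells them apart.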