![](https://i1.wp.com/splunkonbigdata.com/wp-content/uploads/2021/12/image-158.png?resize=696%2C371&ssl=1)
Hi Guys !!
Today we will show you how to bring Windows Defender logs into Splunk.
The process is very simple; for this we will use an add-on named "TA for Microsoft Windows Defender".
So, let's start.
Step 1:
First, we will download the add-on from Splunkbase. The link is given below.
![](https://i0.wp.com/splunkonbigdata.com/wp-content/uploads/2021/12/image-128.png?resize=696%2C372&ssl=1)
Explanation:
When you click the Download option, a popup asks you to accept the License Agreement. Once you accept it, the add-on will be downloaded.
Step 2:
Now, once it is downloaded, we will make some changes to it.
It is downloaded as a ZIP archive, so first unzip it. Then open the add-on and check the inputs.conf under its default directory.
It is shown below,
![](https://i1.wp.com/splunkonbigdata.com/wp-content/uploads/2021/12/image-129.png?resize=696%2C103&ssl=1)
Explanation:
As you can see, the input is disabled here by the setting "disabled = true".
Also, you can see that the index name is "windefender".
Now, you have to do two things.
- Create a local directory inside the add-on and create an inputs.conf file in it with the same stanzas as the inputs.conf in the default directory, but with "disabled = false", as you can see in the image below.
![](https://i1.wp.com/splunkonbigdata.com/wp-content/uploads/2021/12/image-130.png?resize=696%2C92&ssl=1)
- Then create an index named "windefender" under Settings > Indexes in Splunk. [We have already created the index.]
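The local override from Step 2 works because Splunk layers local/inputs.conf over default/inputs.conf key by key. The following is an added example (not part of the original post or the add-on) that generates the local/inputs.conf and then computes the effective configuration to confirm the input is enabled and routed to the windefender index. The stanza content is constructed; the WinEventLog stanza name is an assumption about what the add-on monitors.

```python
"""Build local/inputs.conf for the Defender add-on and verify the effective config."""
import configparser
from pathlib import Path

# Constructed sample of the add-on's default/inputs.conf (the stanza name is an
# assumption; the real file is shown in the post's screenshot).
DEFAULT_INPUTS = """\
[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
disabled = true
index = windefender
renderXml = false
"""


def parse_conf(text):
    """Parse Splunk .conf text (INI-like, case-sensitive keys) into {stanza: {key: value}}."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive (e.g. renderXml)
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def render_conf(conf):
    """Serialize {stanza: {key: value}} back into .conf text."""
    lines = []
    for stanza, keys in conf.items():
        lines.append(f"[{stanza}]")
        lines.extend(f"{key} = {value}" for key, value in keys.items())
        lines.append("")
    return "\n".join(lines)


def build_local_override(default_text):
    """Copy every default stanza, flipping only 'disabled' to false (what Step 2 does by hand)."""
    return {stanza: {**keys, "disabled": "false"} for stanza, keys in parse_conf(default_text).items()}


def effective_conf(default_text, local_text):
    """Merge the way Splunk does: a key in local overrides the same key in default."""
    merged = parse_conf(default_text)
    for stanza, keys in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(keys)
    return merged


def enabled_inputs_for_index(merged, index="windefender"):
    """Return the stanzas that are enabled and write to the given index."""
    return [s for s, k in merged.items()
            if k.get("disabled", "true").lower() in ("false", "0") and k.get("index") == index]


def write_local_inputs(app_dir, conf):
    """Write the generated override to <app_dir>/local/inputs.conf, creating 'local' if needed."""
    target = Path(app_dir) / "local" / "inputs.conf"
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(render_conf(conf))
    return target
```

Run `enabled_inputs_for_index(effective_conf(default, local))` against the real default and local files before restarting Splunk; an empty list means the input is still disabled or points at the wrong index.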
Step 3:
Now, we will install the add-on.
You need to install this add-on on the Windows machine from which you want to gather the Windows Defender logs.
The add-on can be installed from the backend (using File Explorer) and also from Splunk Web.
A) Installing from the backend (using File Explorer)
i) After completing the above steps, move the add-on (unzipped) to the following path:
`$SPLUNK_HOME/etc/apps`
ii) Then restart Splunk using the following command:
`$SPLUNK_HOME/bin/splunk restart`
After restarting, log in to your Splunk instance and search for index=windefender; you will see the Windows Defender logs.
![](https://i1.wp.com/splunkonbigdata.com/wp-content/uploads/2021/12/image-134.png?resize=696%2C342&ssl=1)
Now, see the below process to install the add-on from Splunk Web:
B) Installing from Splunk Web.
i) To install from Splunk Web, first log in to your Splunk instance and click the option marked in red in the image below.
![](https://i1.wp.com/splunkonbigdata.com/wp-content/uploads/2021/12/image-131.png?resize=696%2C334&ssl=1)
ii) Now, click on "Install app from file".
![](https://i1.wp.com/splunkonbigdata.com/wp-content/uploads/2021/12/image-132.png?resize=696%2C317&ssl=1)
iii) Now, upload the zipped add-on exactly as you downloaded it from Splunkbase (without making any changes; not the unzipped one).
![](https://i1.wp.com/splunkonbigdata.com/wp-content/uploads/2021/12/image-133.png?resize=696%2C341&ssl=1)
iv) Now follow Step 2 to edit the installed add-on. You can find the installed add-on inside the `$SPLUNK_HOME/etc/apps` directory.
Step 4:
Now, search for index=windefender and enjoy the Windows Defender logs.
![](https://i1.wp.com/splunkonbigdata.com/wp-content/uploads/2021/12/image-134.png?resize=696%2C342&ssl=1)
Hope you have enjoyed this blog; we will come back with new topics on Splunk. Until then, goodbye and stay safe and strong.
Happy Splunking !!