Hi Guys !!
Today we will show you how to bring logs from Windows Defender to splunk.
The process is very simple, for this we will use one add-on named “TA for Microsoft Windows Defender”.
So, let’s start.
First, we will download the add-on from Splunk Base. The link is given below.
Once you will click on the Download option you will get a popup to accept the License Agreement. Once you will accept them your add-on will be downloaded.
Now, once it is downloaded, we will make some changes in it.
As it gets downloaded in zipped format, first we will unzip it. Then we have opened the add-on to check the inputs.conf under the default directory of the add-on.
It is mentioned below,
As you can see the inputs is disabled here by mentioning “disabled = true”.
Also, you can see the index name is “windefender”.
Now, you have to do two things.
- Create a local directory inside the add-on and create an inputs.conf file in that with same stanzas of inputs.conf file of default directory but with “disabled = false”, as you can see in the below image.
- Then create the index named “windefender” in the indexes under settings in Splunk [We have already created the index.]
Now, we will install the add-on.
You need to install this add-on to that windows machine from where you want to gather the logs of Windows Defender.
We can install the add-on from the backend (Using File Explorer) and also from Splunk Web.
A) Installing from backend(Using File Explorer)
i) Move the add-on ( without ZIP ) in the following path after completing the above steps.
ii) Then restart the Splunk using the following command,
After restarting, login to your Splunk instance, and search for index=windefender, you will get the logs of Windows defender.
Now, see the below process to install the add-on from Splunk Web:
B) Installing from Splunk Web.
i) To install from Splunk web, first login to your splunk instance and click on the option marked red in the below image.
ii) Now, click on “Install app from file”.
iii) Now, upload the zipped add-on which you have downloaded from Splunk base ( without making any changes ) (Not the unzipped one).
iv) Now follow step 2, for editing the installed add-on. You can find the add-on installed inside the
Now, search for index=windefender, and enjoy the logs of Windows Defender.
Hope you have enjoyed this blog, we will come back with new topics of Splunk. Until then goodbye and stay safe and strong.
Happy Splunking !!