Reviewing Microsoft Defender Antivirus event logs for malicious activity

Into_Oblivion1 · Dec 13, 2024

Dear all

When reviewing event logs for Microsoft Defender Antivirus, and wanting to find out, if something malicious was stopped, quarantined, removed etc.

What else should I consider looking for besides (I know some of them are mentioned more than once):

Detection:
1006
1015
1116
1117
1118
1119 (fail)
1127

Quarantine:
1007
1008
1117
1118
1119

Removal:
1007
1008
1011
1117
1118
1119

Thank you

FreeBooter · Dec 13, 2024

Why don't you have a look at the Protection History at Security Center?

Into_Oblivion1 · Jan 17, 2025

FreeBooter said:
Why don't you have a look at the Protection History at Security Center?

Because event logs for Microsoft Defender Antivirus tells / shows more information?

FreeBooter · Jan 17, 2025

Into_Oblivion1 said:
Because event logs for Microsoft Defender Antivirus tells / shows more information?

Good luck figuring out the logs from Microsoft Defender Antivirus.

neemobeer · Jan 20, 2025

You can also just call either

Powershell:

Get-MpThreat
# - or -
Get-MpThreatDetection

neemobeer · Jan 20, 2025

There is also 1123 - Remediation completed successfully
5010 - File scanned and determined to be infected

Into_Oblivion1 · Jan 23, 2025

FreeBooter said:
Good luck figuring out the logs from Microsoft Defender Antivirus.

Open Event Viewer.
In the console tree, expand Applications and Services Logs > Microsoft > Windows > Windows Defender.
Double-click on Operational.

All the codes are explained here:

Microsoft Defender Antivirus event IDs and error codes - Microsoft Defender for Endpoint

Look up the causes and solutions for Microsoft Defender Antivirus event IDs and errors.

learn.microsoft.com

I assume, that the Security Center, only gives a brief overview of the most important things, and the event log and error codes (above), gives more information?

Into_Oblivion1 · Apr 7, 2025

Open Event Viewer.
In the console tree, expand Applications and Services Logs > Microsoft > Windows > Windows Defender.
Double-click on Operational.

All the codes are explained here:
Microsoft Defender Antivirus event IDs and error codes - Microsoft Defender for Endpoint
Look up the causes and solutions for Microsoft Defender Antivirus event IDs and errors.

I assume, that the Security Center, only gives a brief overview of the most important things, and the event log and error codes (above), gives more information?
Can anyone confirm or expand on this?

Thank you

Into_Oblivion1 · May 30, 2025

I assume, that the Security Center, only gives a brief overview of the most important things, and the event log and error codes (above), gives more information?

Can anyone confirm or expand on this?

Into_Oblivion1 · Sep 11, 2025

"Protection history" has always been empty on my system.

How long can you see Protection history?
Does it empty itself after some time? - some sources says 15-30 days before auto-clear

Reviewing Microsoft Defender Antivirus event logs for malicious activity

Active member

My Computer My Computer

At a glance

Well-known member

My Computer My Computer

At a glance

Active member

My Computer My Computer

At a glance

Well-known member

My Computer My Computer

At a glance

Well-known member

My Computer My Computer

At a glance

Well-known member

My Computer My Computer

At a glance

Active member

My Computer My Computer

At a glance

Active member

My Computer My Computer

At a glance

Active member

My Computer My Computer

At a glance

Active member

My Computer My Computer

At a glance

My Computer

My Computer

My Computer

My Computer

My Computer

My Computer

My Computer

My Computer

My Computer

My Computer