palantir / windows-event-forwarding

A repository for using windows event forwarding for incident detection and response

Update Windows-Defender.xml #40

Closed mdecrevoisier closed 2 years ago

mdecrevoisier commented 5 years ago

I'm adding the following Windows Defender events as they can be valuable for SOC use cases or threat hunting:

- ID 1120: when properly activated in the registry, Windows Defender will provide a hash of the threat.
- ID 5001: if Defender real-time protection was disabled on the host, this event will be triggered.
- ID 5000: if Defender real-time protection was enabled on the host, this event will be triggered. It may be interesting to collect it in order to check how long the protection was disabled (or even to limit the amount of false positives).
- ID 5004: is triggered when some components of Windows Defender are disabled with the following commands (`Set-MpPreference -DisableBehaviorMonitoring $true` OR `Set-MpPreference -DisableIOAVProtection $true`).

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
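As an added example (not code from the PR or from the palantir/windows-event-forwarding repository), the script below shows the XPath selection for the four Defender event IDs named in the comment, in the same `<QueryList>` shape a WEF subscription XML carries, and then pairs each 5001 (real-time protection disabled) with the next 5000 (re-enabled) to report how long protection was off on the local host, which is the "how long was the protection disabled" check the comment describes. It assumes it is run as an administrator on a host that has the `Microsoft-Windows-Windows Defender/Operational` channel; the channel name and event IDs come from Microsoft's Defender documentation, the function name `Get-DefenderProtectionGaps` is this example's own.

```powershell
# Added example: query the Defender operational log for the event IDs
# discussed in the PR and compute real-time-protection "off" windows.
# Assumption: run elevated on a host with the Defender operational channel.

$DefenderChannel = 'Microsoft-Windows-Windows Defender/Operational'

# Same selection a WEF subscription would carry inside its <Query> element:
#   1120 = threat hash (when hash logging is enabled), 5000 = real-time
#   protection enabled, 5001 = real-time protection disabled,
#   5004 = a Defender component's configuration changed/disabled.
$QueryXml = @"
<QueryList>
  <Query Id="0" Path="$DefenderChannel">
    <Select Path="$DefenderChannel">
      *[System[(EventID=1120 or EventID=5000 or EventID=5001 or EventID=5004)]]
    </Select>
  </Query>
</QueryList>
"@

function Get-DefenderProtectionGaps {
    # Walks events in time order; a 5001 opens a gap, the next 5000 closes it.
    param([object[]] $Events = @())

    $gaps = @()
    $disabledAt = $null
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        switch ($e.Id) {
            5001 { if (-not $disabledAt) { $disabledAt = $e.TimeCreated } }
            5000 {
                if ($disabledAt) {
                    $gaps += [pscustomobject]@{
                        DisabledAt = $disabledAt
                        EnabledAt  = $e.TimeCreated
                        Duration   = $e.TimeCreated - $disabledAt
                    }
                    $disabledAt = $null
                }
            }
        }
    }
    # Protection still off at the end of the log: report an open-ended gap.
    if ($disabledAt) {
        $gaps += [pscustomobject]@{
            DisabledAt = $disabledAt
            EnabledAt  = $null
            Duration   = (Get-Date) - $disabledAt
        }
    }
    return $gaps
}

try {
    $events = Get-WinEvent -FilterXml ([xml]$QueryXml) -ErrorAction Stop
} catch {
    # Get-WinEvent throws when the query matches nothing; treat that as "no events".
    $events = @()
}

# First line of each message is enough to see the threat hash (1120) or the
# changed component (5004) without the full Defender message body.
$events |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

Get-DefenderProtectionGaps -Events $events | Format-Table -AutoSize
```

The `$QueryXml` text can be dropped as-is into a subscription's `<Query>` element; the pairing logic is what a collector-side rule would reproduce once the events are forwarded, and an open-ended gap (a 5001 with no later 5000) is the case worth alerting on.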