
Commit 35b8d8f

committed
Create Microsoft-Windows-Windows-Defender-Operational_Microsoft-Windows-Windows-Defender_2050.map
1 parent 86ed90f commit 35b8d8f

1 file changed

+49
-0
lines changed
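--- a/Microsoft-Windows-Windows-Defender-Operational_Microsoft-Windows-Windows-Defender_2050.map
+++ b/Microsoft-Windows-Windows-Defender-Operational_Microsoft-Windows-Windows-Defender_2050.map
@@ -0,0 +1,49 @@
+Author: Andrew Rathbun
+Description: Defender uploaded a file for further analysis
+EventId: 2050
+Channel: Microsoft-Windows-Windows Defender/Operational
+Provider: Microsoft-Windows-Windows Defender
+Maps:
+-
+Property: PayloadData1
+PropertyValue: "SHA256: %Sha256%"
+Values:
+-
+Name: Sha256
+Value: "/Event/EventData/Data[@Name=\"Sha256\"]"
+-
+Property: ExecutableInfo
+PropertyValue: "%Filename%"
+Values:
+-
+Name: Filename
+Value: "/Event/EventData/Data[@Name=\"Filename\"]"
+
+# Documentation:
+# N/A
+#
+# Example Event Data:
+# <Event>
+# <System>
+# <Provider Name="Microsoft-Windows-Windows Defender" Guid="11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78" />
+# <EventID>2050</EventID>
+# <Version>0</Version>
+# <Level>4</Level>
+# <Task>0</Task>
+# <Opcode>0</Opcode>
+# <Keywords>0x8000000000000000</Keywords>
+# <TimeCreated SystemTime="2022-02-19 01:13:39.3131234" />
+# <EventRecordID>56774</EventRecordID>
+# <Correlation ActivityID="eeabc537-e19e-4238-bb37-dd1dc23486cb" />
+# <Execution ProcessID="3454" ThreadID="11252" />
+# <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
+# <Computer>hostname.DOMAIN</Computer>
+# <Security UserID="S-1-5-18" />
+# </System>
+# <EventData>
+# <Data Name="Product Name">Microsoft Defender Antivirus</Data>
+# <Data Name="Product Version">4.18.2303.8</Data>
+# <Data Name="Filename">C:\evil.exe</Data>
+# <Data Name="Sha256">abcd38c2b76aaebd3cf08eb47eaa721abce297799e9410195fc7abcce123456</Data>
+# </EventData>
+# </Event>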
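Review bot: The example EventData at lines 44–45 of the new file shows `Product Name` and `Product Version`, but the `Maps:` block only extracts `Sha256` and `Filename`, so the Defender build that performed the sample upload is dropped from the normalized output; when triaging why a file was submitted it is useful to have that version alongside the hash, and a `PayloadData2` entry would keep it. The `# Documentation:` line is left as `N/A`, so a one-line comment stating that event 2050 records a sample submission (the file at `Filename` with the given `Sha256`) would help analysts who do not know the Defender event catalogue. The example event's `TimeCreated` (2022-02-19) also appears to predate a `4.18.2303.8` platform build, which looks like a 2023 release; if the sample was hand-edited, aligning the two avoids confusing readers, though this does not affect the map itself.
```yaml
# … unchanged: Author/Description/EventId/Channel/Provider and the PayloadData1 / ExecutableInfo maps …
  -
    Property: PayloadData2
    PropertyValue: "Defender version: %ProductVersion%"
    Values:
      -
        Name: ProductVersion
        Value: "/Event/EventData/Data[@Name=\"Product Version\"]"
```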
