Type of log to identify failed Windows Defender update?

Handinata Tanudjaja 80 Reputation points
2025-01-23T06:18:56.3833333+00:00

Hi everyone,

I am trying to set up a Log Analytics Workspace that will capture any critical and security updates in the Windows VMs, which I believe will also include the failed Windows Defender update logs.

Now I would like to have an action taken whenever the failed Windows Defender updates are identified.
The first thing I need to know is: what are the commands and parameters to identify a failed Windows Defender update in the log via a Runbook?

Thank you

1 answer

  1. Naveena Patlolla 5 Reputation points Microsoft Vendor
    2025-01-27T07:44:40.2+00:00

    Hi Handinata Tanudjaja,

    Got it, thanks for the response. Please find the answers below.

    Q1) Maybe from Windows Event?

    A) The steps which I have provided use the Windows Event log. As per your request, from Automation you can achieve this by creating a Hybrid Runbook Worker:

    • Create a runbook and add the provided script.

      Please find the Reference below for script.

      https://learn.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker

     

    Q2) Will Azure Monitoring Agent be able to get this type of information?

    A) Yes, you can collect the logs. Windows Defender writes logs to the Application log. You can also enable additional logging features for reference. See the details below:

    The below script is for reference; modify it as per your requirement.

    // Windows events collected by the agent land in the Event table
    Event
    // Defender logs under either source name depending on the Windows build
    | where Source == "Microsoft-Windows-Windows Defender" or Source == "Microsoft-Windows-Windows Defender Antivirus"
    // 1006 = malware detected, 1010 = quarantine action failed,
    // 2001 = security intelligence (definition) update failed, 5007 = configuration changed
    | where EventID in (1006, 1010, 2001, 5007)
    | project TimeGenerated, EventID, Source, RenderedDescription, Computer
    | order by TimeGenerated desc


     Please find the Reference MS doc below.

     https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-windows-events#configure-windows-event-logs

     

    Let us know if you need any further help; we will always help as you need.

    Please do not forget to "Accept the answer" and upvote it wherever the information provided helps you; this can be beneficial to other community members. It would be greatly appreciated and helpful to others.

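The answer above points to two places the failed-update event can be read: in the workspace with the KQL query, or on the VM itself from a Hybrid Runbook Worker (the Q1 approach), but it does not include the worker-side script. The following runbook is an added example, not the script from the original answer or from Microsoft: it checks the VM's local Defender Operational log for the same update-failure event (ID 2001) the KQL query filters on, reports the current signature age, and optionally retries the update. It assumes the Hybrid Runbook Worker runs under an account that can read that log and call the Defender cmdlets (for example SYSTEM); the parameter names `LookbackHours` and `Remediate` are chosen for this example.

```powershell
# Added example runbook for a Hybrid Runbook Worker on the VM (not the
# original answer's script). Reads failed Defender security intelligence
# update events from the local event log and optionally retries the update.
# Assumption: runs as an account allowed to read the Defender Operational
# log and to call the Defender PowerShell module (e.g. SYSTEM).
param(
    [int]$LookbackHours = 24,   # how far back to look for failures
    [switch]$Remediate          # retry the update instead of only reporting
)

# Event ID 2001 in this log is written when a security intelligence
# (definition) update fails; it is the same event the workspace query matches.
$defenderLog = 'Microsoft-Windows-Windows Defender/Operational'
$since = (Get-Date).AddHours(-$LookbackHours)

# Get-WinEvent reports "no events found" as an error; silence it and treat
# an empty result as "no failures".
$failures = @(Get-WinEvent -FilterHashtable @{
    LogName   = $defenderLog
    Id        = 2001
    StartTime = $since
} -ErrorAction SilentlyContinue)

# Current signature state, useful context whether or not a failure was logged
$status = Get-MpComputerStatus
Write-Output ("Signature version {0}, last updated {1} ({2} day(s) old)" -f
    $status.AntivirusSignatureVersion,
    $status.AntivirusSignatureLastUpdated,
    $status.AntivirusSignatureAge)

if ($failures.Count -eq 0) {
    Write-Output "No failed Windows Defender update events since $since."
    return
}

foreach ($e in $failures) {
    Write-Output ("{0}  Event {1}: {2}" -f $e.TimeCreated, $e.Id, $e.Message)
}

if ($Remediate) {
    # Retry the update. -ErrorAction Stop makes a second failure terminate the
    # runbook, so the job shows as Failed and an Automation alert can fire on it.
    Update-MpSignature -ErrorAction Stop
    $after = Get-MpComputerStatus
    Write-Output ("After retry: signature {0}, updated {1}" -f
        $after.AntivirusSignatureVersion,
        $after.AntivirusSignatureLastUpdated)
} else {
    # Report-only mode: fail the job deliberately so the failure is visible
    # in job status and can drive an alert or a follow-up runbook.
    throw "$($failures.Count) failed Windows Defender update event(s) found on $env:COMPUTERNAME."
}
```

Link the runbook to a schedule and run it on the hybrid worker group; when it is started with `-Remediate`, a successful retry ends the job normally, while a persistent failure leaves the job in the Failed state, which is the condition to alert on. Keep `LookbackHours` at or below the schedule interval so each run only reports failures that have not been reported before.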