Version: 5.0
Date: 2021-11-21T21:55:18Z
Group: UM_DOIT_Metrics/Templates
Template: Metrics Windows Defender

## Description
Uses macro {$AV_EVENTLOG} for the event log name. Windows Defender uses "Microsoft-Windows-Windows Defender/Operational". Windows Antimalware uses "System" but also needs {$AV_SOURCE} set to "Microsoft Antimalware"; the default value of {$AV_SOURCE} in the template is an empty string.
## Overview
Collects selected events for Windows Defender with the default configuration; with the host macros set as described above it will work with Windows Antimalware.
Template exported from Zabbix 4.0.x but I think the concepts would work with older versions.
Revised: corrected value for {$AV_SOURCE}.
## Items
All eventlog items are Zabbix agent (active) checks of value type Log in application Platform Antimalware. The event ID parameter of the key is a regular expression, so `1006|1116` matches either ID, and mode `skip` makes the agent ignore entries that already exist in the log when the item is first checked (nothing from before the template is linked will ever be read). The export also lists a 0 after each log item's interval; the name of that field did not survive the export.

Trigger expressions are shown in the short form used by the export: `{nodata(24h)}=0` means `{Metrics Windows Defender:<key of this item>.nodata(24h)}=0`, i.e. the trigger is in PROBLEM as long as a matching event has arrived within the last 24 hours and clears only after 24 hours without one. For each trigger the export gives a severity, a YES flag and sometimes the tag ISAMSCEP; these are reproduced as they appear. The YES flag is most likely the trigger's enabled state (an assumption: only the Windows Antimalware-specific triggers lack it).

- Windows defender scan started: `eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1000,,skip]`, 43s
- Windows defender scan completed: `eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1001,,skip]`, 43s
- Windows defender scan cancelled: `eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1002,,skip]`, 43s
  - Trigger "Windows Defender scan cancelled by user": `{nodata(24h)}=0`, Average, YES
- Windows defender scan failed: `eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1005,,skip]`, 43s
  - Trigger "Windows Antimalware scan failed": `{nodata(24h)}=0`, no severity in export, ISAMSCEP
- Windows defender malware detected: `eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1006|1116,,skip]`, 37s
  - Trigger "Windows Defender malware detected": `{nodata(24h)}=0`, Warning, YES, ISAMSCEP
- Windows defender malware action taken: `eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1007|1117,,skip]`, 41s
  - Trigger "Windows Defender malware action taken": `{nodata(24h)}=0`, Info, YES, ISAMSCEP
- Windows defender malware action failed: `eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1008|1118,,skip]`, 30s
  - Trigger "Windows Defender malware action failed": `{nodata(24h)}=0`, Average, YES, ISAMSCEP
- Windows defender history delete: `eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1013,,skip]`, 30s
  - Trigger "Windows Antimalware history deleted": `{nodata(24h)}=0`, no severity in export, ISAMSCEP
- Windows defender suspicious behavior detected: `eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1015,,skip]`, 30s
  - Trigger "Windows Defender suspicious behaviour detected": `{nodata(24h)}=0`, Average, YES
- Windows defender malware action critically failed: `eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1119,,skip]`, 30s
  - Trigger "Windows Defender malware action critically failed": `{nodata(24h)}=0`, Average, YES
- Windows defender healthy: `eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1150,,skip]`, 47s
- Windows defender signature update failed: `eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},2001,,skip]`, 59s
- Windows defender platform almost out of date: `eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},2007,,skip]`, 59s
  - Trigger "Windows Defender platform almost out of date": `{nodata(24h)}=0`, Average, YES
- Windows defender RTP failure: `eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},3002,,skip]`, 53s
  - Trigger "Windows Defender RTP failure": `{nodata(24h)}=0`, Average, YES; depends on trigger "Windows Defender engine failure" (`{Metrics Windows Defender:eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5008,,skip].nodata(24h)}=0`)
- Windows defender RTP disabled: `eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5001,,skip]`, 53s
  - Trigger "Windows Antimalware RTP disabled": `{nodata(24h)}=0`, no severity in export, YES, ISAMSCEP
- Windows defender engine failure: `eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5008,,skip]`, 53s
  - Trigger "Windows Defender engine failure": `{nodata(24h)}=0`, Average, YES
- Windows defender antispyware disabled: `eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5010,,skip]`, 53s
  - Trigger "Windows Antimalware antispyware disabled": `{nodata(24h)}=0`, no severity in export, ISAMSCEP
- Windows defender antivirus disabled: `eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5012,,skip]`, 53s
  - Trigger "Windows Antimalware antivirus disabled": `{nodata(24h)}=0`, no severity in export, ISAMSCEP
- Windows antimalware service state: `service.info[MsMpSvc]`, Zabbix agent (active), 120s, Platform Antimalware, value map "Windows service state"
- Windows defender service state: `service.info[WinDefend]`, Zabbix agent (active), 120s, Platform Antimalware, value map "Windows service state"

The events an attacker tampering with the AV would produce (5001 real-time protection disabled, 5010 and 5012 antispyware/antivirus disabled, 1013 history deleted) are wired only to the Windows Antimalware-named triggers, which carry no severity in this export; set one before relying on them.

## Triggers on the service items
- "No malware scan service running": `{Metrics Windows Defender:service.info[MsMpSvc].last()}<>0 and {Metrics Windows Defender:service.info[WinDefend].last()}<>0`, Average, YES. Because `service.info` returns 255 for a service that does not exist, this fires both when the installed scan service is stopped and when neither service exists on the host.
- "Windows Antimalware set macro $AV_EVENTLOG = System": `{Metrics Windows Defender:service.info[MsMpSvc].last()}=0 and {Metrics Windows Defender:eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1150,,skip].nodata(8h)}=1`, YES. Fires when MsMpSvc is running (0) but no "healthy" event (1150) has been read from the configured log for 8 hours, i.e. the host runs Windows Antimalware while the macros still point at the Defender log.

## Macros
- {$AV_EVENTLOG} = Microsoft-Windows-Windows Defender/Operational
- {$AV_SOURCE} = (empty)

## Value map "Windows service state"
- 0: Running
- 1: Paused
- 2: Start pending
- 3: Pause pending
- 4: Continue pending
- 5: Stop pending
- 6: Stopped
- 7: Unknown
- 255: No such service
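The following script is an added example and is not part of the template or the Zabbix agent: run it on a Windows host before linking the template to confirm that the log named by {$AV_EVENTLOG} exists, to filter by {$AV_SOURCE} the way the item keys do, to count the events behind each item over the trigger window, and to compute what `service.info[]` would return for the two services. It assumes an elevated PowerShell 5.1 or later session; the parameter names `-AvEventLog`, `-AvSource` and `-Hours` and the item labels are mine, not the template's.

```powershell
# Added example, not part of the template: pre-flight check of a host against the
# "Metrics Windows Defender" macros and triggers. Assumes an elevated PowerShell session.
param(
    [string]$AvEventLog = 'Microsoft-Windows-Windows Defender/Operational',  # {$AV_EVENTLOG}
    [string]$AvSource   = '',                  # {$AV_SOURCE}; 'Microsoft Antimalware' with -AvEventLog System
    [int]$Hours         = 24                   # window of the template's nodata(24h) triggers
)

# Event IDs exactly as keyed by the template's eventlog[] items (1006|1116 is a regexp in the key).
$items = [ordered]@{
    'scan started'                     = @(1000)
    'scan completed'                   = @(1001)
    'scan cancelled'                   = @(1002)
    'scan failed'                      = @(1005)
    'malware detected'                 = @(1006, 1116)
    'malware action taken'             = @(1007, 1117)
    'malware action failed'            = @(1008, 1118)
    'history deleted'                  = @(1013)
    'suspicious behaviour detected'    = @(1015)
    'malware action critically failed' = @(1119)
    'healthy'                          = @(1150)
    'signature update failed'          = @(2001)
    'platform almost out of date'      = @(2007)
    'RTP failure'                      = @(3002)
    'RTP disabled'                     = @(5001)
    'engine failure'                   = @(5008)
    'antispyware disabled'             = @(5010)
    'antivirus disabled'               = @(5012)
}
# Items that carry a {nodata(24h)}=0 trigger in the template.
$triggered = 'scan cancelled', 'scan failed', 'malware detected', 'malware action taken',
             'malware action failed', 'history deleted', 'suspicious behaviour detected',
             'malware action critically failed', 'platform almost out of date', 'RTP failure',
             'RTP disabled', 'engine failure', 'antispyware disabled', 'antivirus disabled'

# 1. The log named by {$AV_EVENTLOG} must exist, or every eventlog[] item becomes unsupported.
try {
    $log = Get-WinEvent -ListLog $AvEventLog -ErrorAction Stop
} catch {
    Write-Warning "Event log '$AvEventLog' not found on this host. For Windows Antimalware set {`$AV_EVENTLOG}=System and {`$AV_SOURCE}='Microsoft Antimalware'."
    return
}
"Log '{0}': {1} records, enabled={2}" -f $log.LogName, $log.RecordCount, $log.IsEnabled

# 2. Count events per item in the last $Hours hours, filtering by source as the item key does.
$filter = @{ LogName = $AvEventLog; StartTime = (Get-Date).AddHours(-$Hours) }
if ($AvSource) { $filter['ProviderName'] = $AvSource }
$byId = @{}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { $byId[$_.Id] = 1 + [int]$byId[$_.Id] }

foreach ($entry in $items.GetEnumerator()) {
    $count = 0
    foreach ($id in $entry.Value) { $count += [int]$byId[$id] }
    $state = if ($triggered -contains $entry.Key) {
                 if ($count -gt 0) { 'trigger PROBLEM' } else { 'trigger OK' }
             } else { 'no trigger' }
    "{0,-34} id={1,-9} last {2}h: {3,4}  {4}" -f $entry.Key, ($entry.Value -join '|'), $Hours, $count, $state
}

# 3. What service.info[] would return, using the template's "Windows service state" value map.
$stateMap = @{ Running = 0; Paused = 1; StartPending = 2; PausePending = 3
               ContinuePending = 4; StopPending = 5; Stopped = 6 }
$code = @{}
foreach ($svc in 'MsMpSvc', 'WinDefend') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s) { $code[$svc] = 255 }                                              # No such service
    elseif ($stateMap.ContainsKey("$($s.Status)")) { $code[$svc] = $stateMap["$($s.Status)"] }
    else { $code[$svc] = 7 }                                                         # Unknown
    "service.info[{0}] = {1}" -f $svc, $code[$svc]
}
# The two host-level triggers, evaluated the way the template's expressions do.
if ($code['MsMpSvc'] -ne 0 -and $code['WinDefend'] -ne 0) {
    Write-Warning "'No malware scan service running' would fire: neither MsMpSvc nor WinDefend is Running."
}
# The template uses nodata(8h) for this one; here the -Hours window is used instead.
if ($code['MsMpSvc'] -eq 0 -and -not [int]$byId[1150]) {
    Write-Warning "MsMpSvc is Running but no healthy event (1150) was read from '$AvEventLog': the 'set macro `$AV_EVENTLOG = System' trigger would fire."
}
```

Run it with the defaults on a Defender host and with `-AvEventLog System -AvSource 'Microsoft Antimalware'` on a Windows Antimalware host; a "trigger PROBLEM" line tells you which template triggers will be active as soon as the agent has read one matching event, and a missing log or a 255 service code tells you the macros or the host are not what the template expects.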