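---
# Zabbix 5.4 template export: "Metrics Windows Defender".
# Collects selected Windows Defender / Microsoft Antimalware event-log entries
# via the Zabbix active agent and raises triggers on them. Every eventlog
# trigger below uses `nodata(...,24h)=0`, so it enters PROBLEM when a matching
# event has been seen in the last 24h and clears 24h after the last one
# (or earlier via manual close where `manual_close: 'YES'` is set).
#
# Fix applied in this revision: the trigger "Windows Antimalware antispyware
# disabled" was exported under the event-5012 (antivirus disabled) item with
# an expression identical to "Windows Antimalware antivirus disabled", so
# disabling antispyware alone (event 5010) never fired anything. It now lives
# under the 5010 item and evaluates event 5010.
zabbix_export:
  version: '5.4'
  date: '2021-11-21T21:55:20Z'
  groups:
    - uuid: 0923176aa5ff49a499df1e5cd2419929
      name: UM_DOIT_Metrics/Templates
  templates:
    - uuid: 10b1db72883045eca5cec956954093de
      template: 'Metrics Windows Defender'
      name: 'Metrics Windows Defender'
      description: |
        ## Description
        Uses macro {$AV_EVENTLOG} for the eventlog, Windows defender uses "Microsoft-Windows-Windows Defender/Operational". Windows Antimalware uses "System", but also needs {$AV_SOURCE} set to "Microsoft Antimalware", default value in the template is an empty string.

        ## Overview
        Collect selected events for Windows Defender (default config) or with host macro settings will work with Windows Antimalware. Uses macro {$AV\_EVENTLOG} for the event log name, Windows defender uses "Microsoft-Windows-Windows Defender/Operational". Windows Antimalware uses "System", but also needs {$AV\_SOURCE} set to "Microsoft Antimalware". Default value in the template is an empty string. Template exported from Zabbix 4.0.x but I think the concepts would work with older versions.

        Revised: Correct value for {$AV\_SOURCE}
      groups:
        - name: UM_DOIT_Metrics/Templates
      # Item keys follow eventlog[name,,,source,eventid,,mode]; the `skip`
      # mode tells the agent not to replay historical entries on first read.
      # Delays differ per item (30s..59s), presumably to stagger active-check
      # load — confirm before normalising them.
      items:
        - uuid: e264049e36b74ebd915a0837d7297e4c
          name: 'Windows defender scan started'
          type: ZABBIX_ACTIVE
          key: 'eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1000,,skip]'
          delay: 43s
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'Platform Antimalware'
        - uuid: 09d843b0788e4fd5b5f630dfc1219126
          name: 'Windows defender scan completed'
          type: ZABBIX_ACTIVE
          key: 'eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1001,,skip]'
          delay: 43s
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'Platform Antimalware'
        - uuid: 3d29e2d2b4c6410fabe415ae5e09cc5f
          name: 'Windows defender scan cancelled'
          type: ZABBIX_ACTIVE
          key: 'eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1002,,skip]'
          delay: 43s
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'Platform Antimalware'
          triggers:
            - uuid: e52d0fb927874f02a6b400faa071be64
              expression: 'nodata(/Metrics Windows Defender/eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1002,,skip],24h)=0'
              name: 'Windows Defender scan cancelled by user'
              priority: AVERAGE
              manual_close: 'YES'
        - uuid: 4b9ee55152e04b4393e5b96a08fd07d5
          name: 'Windows defender scan failed'
          type: ZABBIX_ACTIVE
          key: 'eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1005,,skip]'
          delay: 43s
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'Platform Antimalware'
          triggers:
            - uuid: 1d324c1d17504d83962664a9288125b6
              expression: 'nodata(/Metrics Windows Defender/eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1005,,skip],24h)=0'
              name: 'Windows Antimalware scan failed'
              # No priority set: Zabbix treats this as "Not classified".
              tags:
                - tag: ISAM
                  value: SCEP
        - uuid: bb761211696448f480f78b8a51e3dc03
          name: 'Windows defender malware detected'
          type: ZABBIX_ACTIVE
          # 1006 is the legacy ID, 1116 the current one; the agent param is a regex.
          key: 'eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1006|1116,,skip]'
          delay: 37s
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'Platform Antimalware'
          triggers:
            - uuid: 64bf5e2030724ae98b1676fbc55b2853
              expression: 'nodata(/Metrics Windows Defender/eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1006|1116,,skip],24h)=0'
              name: 'Windows Defender malware detected'
              priority: WARNING
              manual_close: 'YES'
              tags:
                - tag: ISAM
                  value: SCEP
        - uuid: f682b6596b5b4576ad442311e87956b6
          name: 'Windows defender malware action taken'
          type: ZABBIX_ACTIVE
          key: 'eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1007|1117,,skip]'
          delay: 41s
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'Platform Antimalware'
          triggers:
            - uuid: 4dc75caee2ae4170bba6740cfc500f6d
              expression: 'nodata(/Metrics Windows Defender/eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1007|1117,,skip],24h)=0'
              name: 'Windows Defender malware action taken'
              priority: INFO
              manual_close: 'YES'
              tags:
                - tag: ISAM
                  value: SCEP
        - uuid: b0c0c96656a74d4f983c240d15a0f3b8
          name: 'Windows defender malware action failed'
          type: ZABBIX_ACTIVE
          key: 'eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1008|1118,,skip]'
          delay: 30s
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'Platform Antimalware'
          triggers:
            - uuid: 3f965095f7974054aa186e070f64f560
              expression: 'nodata(/Metrics Windows Defender/eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1008|1118,,skip],24h)=0'
              name: 'Windows Defender malware action failed'
              priority: AVERAGE
              manual_close: 'YES'
              tags:
                - tag: ISAM
                  value: SCEP
        - uuid: 33ef2c52e7ad4dff94530ccd01f376cf
          name: 'Windows defender history delete'
          type: ZABBIX_ACTIVE
          key: 'eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1013,,skip]'
          delay: 30s
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'Platform Antimalware'
          triggers:
            - uuid: b151f5142c284e6385720a664e409159
              expression: 'nodata(/Metrics Windows Defender/eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1013,,skip],24h)=0'
              name: 'Windows Antimalware history deleted'
              # No priority set ("Not classified"). Deletion of detection
              # history is worth reviewing in its own right; consider a
              # severity consistent with the other tamper-related triggers.
              tags:
                - tag: ISAM
                  value: SCEP
        - uuid: 07228c1e9a0d46e5be5d854daae469fc
          name: 'Windows defender suspicious behavior detected'
          type: ZABBIX_ACTIVE
          key: 'eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1015,,skip]'
          delay: 30s
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'Platform Antimalware'
          triggers:
            - uuid: c55662d25fe34640856441df9d2ba543
              expression: 'nodata(/Metrics Windows Defender/eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1015,,skip],24h)=0'
              name: 'Windows Defender suspicious behaviour detected'
              priority: AVERAGE
              manual_close: 'YES'
        - uuid: 8ba32bc72d664006977224cd432e18e8
          name: 'Windows defender malware action critically failed'
          type: ZABBIX_ACTIVE
          key: 'eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1119,,skip]'
          delay: 30s
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'Platform Antimalware'
          triggers:
            - uuid: b27bc35aa36e401f905dfa8523a87dde
              expression: 'nodata(/Metrics Windows Defender/eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1119,,skip],24h)=0'
              name: 'Windows Defender malware action critically failed'
              priority: AVERAGE
              manual_close: 'YES'
        - uuid: 98d291badcd141e6982f8b83e3b5c811
          # Heartbeat item: the template-level "set macro" trigger below uses
          # the absence of event 1150 to detect a mis-set {$AV_EVENTLOG}.
          name: 'Windows defender healthy'
          type: ZABBIX_ACTIVE
          key: 'eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1150,,skip]'
          delay: 47s
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'Platform Antimalware'
        - uuid: 3243b7a7499a44649d09487b694eedf2
          name: 'Windows defender signature update failed'
          type: ZABBIX_ACTIVE
          key: 'eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},2001,,skip]'
          delay: 59s
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'Platform Antimalware'
        - uuid: d0ae24cad6814605aa63de35780adeec
          name: 'Windows defender platform almost out of date'
          type: ZABBIX_ACTIVE
          key: 'eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},2007,,skip]'
          delay: 59s
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'Platform Antimalware'
          triggers:
            - uuid: 76e48abc9b1344cda09bb9873341c422
              expression: 'nodata(/Metrics Windows Defender/eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},2007,,skip],24h)=0'
              name: 'Windows Defender platform almost out of date'
              priority: AVERAGE
              manual_close: 'YES'
        - uuid: bffee835756a47288d530de611c134e1
          name: 'Windows defender RTP failure'
          type: ZABBIX_ACTIVE
          key: 'eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},3002,,skip]'
          delay: 53s
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'Platform Antimalware'
          triggers:
            - uuid: 49302710d42e40eba2054f9ad8313f49
              expression: 'nodata(/Metrics Windows Defender/eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},3002,,skip],24h)=0'
              name: 'Windows Defender RTP failure'
              priority: AVERAGE
              manual_close: 'YES'
              # Suppressed while the engine-failure trigger is in PROBLEM,
              # so an engine outage does not also raise an RTP alert.
              dependencies:
                - name: 'Windows Defender engine failure'
                  expression: 'nodata(/Metrics Windows Defender/eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5008,,skip],24h)=0'
        - uuid: ec98708a555e4255ac2dcefab45c3c61
          name: 'Windows defender RTP disabled'
          type: ZABBIX_ACTIVE
          key: 'eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5001,,skip]'
          delay: 53s
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'Platform Antimalware'
          triggers:
            - uuid: 6d25efa74db64415842d3822711bc0b9
              expression: 'nodata(/Metrics Windows Defender/eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5001,,skip],24h)=0'
              name: 'Windows Antimalware RTP disabled'
              # No priority set ("Not classified"): real-time protection being
              # switched off is a protection-coverage gap; review the severity
              # against the AVERAGE used for RTP failure above.
              manual_close: 'YES'
              tags:
                - tag: ISAM
                  value: SCEP
        - uuid: fb206c78b6274f598a3f581fdb08706c
          name: 'Windows defender engine failure'
          type: ZABBIX_ACTIVE
          key: 'eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5008,,skip]'
          delay: 53s
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'Platform Antimalware'
          triggers:
            - uuid: 25858e0efca645a2afe8bef5aba96116
              expression: 'nodata(/Metrics Windows Defender/eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5008,,skip],24h)=0'
              name: 'Windows Defender engine failure'
              priority: AVERAGE
              manual_close: 'YES'
        - uuid: 6c1241e8bf4b42cca2cd09f84e407604
          name: 'Windows defender antispyware disabled'
          type: ZABBIX_ACTIVE
          key: 'eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5010,,skip]'
          delay: 53s
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'Platform Antimalware'
          triggers:
            # Moved here from the 5012 item: previously this trigger watched
            # event 5012 and duplicated "Windows Antimalware antivirus disabled",
            # leaving event 5010 without any trigger.
            - uuid: 86067424fa64463b9fa964599bc73d37
              expression: 'nodata(/Metrics Windows Defender/eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5010,,skip],24h)=0'
              name: 'Windows Antimalware antispyware disabled'
              # No priority set ("Not classified"); see the note on RTP disabled.
              tags:
                - tag: ISAM
                  value: SCEP
        - uuid: d74c3e9b9ff24048b32351005961c32e
          name: 'Windows defender antivirus disabled'
          type: ZABBIX_ACTIVE
          key: 'eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5012,,skip]'
          delay: 53s
          trends: '0'
          value_type: LOG
          tags:
            - tag: Application
              value: 'Platform Antimalware'
          triggers:
            - uuid: 98c73b06ab4d4947b54d2309dae1ce9a
              expression: 'nodata(/Metrics Windows Defender/eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5012,,skip],24h)=0'
              name: 'Windows Antimalware antivirus disabled'
              # No priority set ("Not classified"); see the note on RTP disabled.
              tags:
                - tag: ISAM
                  value: SCEP
        # Service-state items; value 0 means Running per the valuemap below.
        - uuid: 7e7182b27dba4575acdcdb6d4a091757
          name: 'Windows antimalware service state'
          type: ZABBIX_ACTIVE
          key: 'service.info[MsMpSvc]'
          delay: 120s
          valuemap:
            name: 'Windows service state'
          tags:
            - tag: Application
              value: 'Platform Antimalware'
        - uuid: d142eac2a49544a8bf31eb8d6052a445
          name: 'Windows defender service state'
          type: ZABBIX_ACTIVE
          key: 'service.info[WinDefend]'
          delay: 120s
          valuemap:
            name: 'Windows service state'
          tags:
            - tag: Application
              value: 'Platform Antimalware'
      macros:
        - macro: '{$AV_EVENTLOG}'
          value: 'Microsoft-Windows-Windows Defender/Operational'
        # Intentionally has no value (empty source = match any source).
        # Set it to "Microsoft Antimalware" on hosts where {$AV_EVENTLOG} is
        # "System", as described above.
        - macro: '{$AV_SOURCE}'
      valuemaps:
        - uuid: d9c578be0e8b4bfb819bd6e45a32a1b1
          name: 'Windows service state'
          mappings:
            - value: '0'
              newvalue: Running
            - value: '1'
              newvalue: Paused
            - value: '2'
              newvalue: 'Start pending'
            - value: '3'
              newvalue: 'Pause pending'
            - value: '4'
              newvalue: 'Continue pending'
            - value: '5'
              newvalue: 'Stop pending'
            - value: '6'
              newvalue: Stopped
            - value: '7'
              newvalue: Unknown
            - value: '255'
              newvalue: 'No such service'
  # Triggers that reference more than one item are exported at this level.
  triggers:
    - uuid: 70d56f694b764bd9a2c5b02c345a1b48
      # Neither MsMpSvc nor WinDefend is in state 0 (Running).
      expression: 'last(/Metrics Windows Defender/service.info[MsMpSvc])<>0 and last(/Metrics Windows Defender/service.info[WinDefend])<>0'
      name: 'No malware scan service running'
      priority: AVERAGE
      manual_close: 'YES'
    - uuid: db787e0a1b6c43849f289c11e6df81e9
      # Configuration hint: MsMpSvc is running but no "healthy" (1150) event
      # arrived in 8h, which points at {$AV_EVENTLOG} being set to the wrong log.
      expression: 'last(/Metrics Windows Defender/service.info[MsMpSvc])=0 and nodata(/Metrics Windows Defender/eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1150,,skip],8h)=1'
      name: 'Windows Antimalware set macro $AV_EVENTLOG = System'
      manual_close: 'YES'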