Uses macro {$AV_EVENTLOG} for the eventlog, Windows defender uses “Microsoft-Windows-Windows Defender/Operational”. Windows Antimalware uses “System”, but also needs {$AV_SOURCE} set to “Microsoft Antimalware”, default value in the template is an empty string.
Collect selected events for Windows Defender (default config) or with host macro settings will work with Windows Antimalware.
Uses macro {$AV_EVENTLOG} for the event log name, Windows defender uses “Microsoft-Windows-Windows Defender/Operational”.
Windows Antimalware uses “System”, but also needs {$AV_SOURCE} set to “Microsoft Antimalware”. Default value in the template is an empty string.
Template exported from Zabbix 4.0.x but I think the concepts would work with older versions.
Revised: Correct value for {$AV_SOURCE}
| Name | Description | Default | Type |
|---|---|---|---|
| {$AV_EVENTLOG} | <p>-</p> | Microsoft-Windows-Windows Defender/Operational |
Text macro |
| {$AV_SOURCE} | <p>-</p> | `` | Text macro |
There are no template links in this template.
There are no discovery rules in this template.
| Name | Description | Type | Key and additional info | |
|---|---|---|---|---|
| Windows defender malware action critically failed | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1119,,skip]<p>Update: 30s</p> | |
| Windows defender suspicious behavior detected | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1015,,skip]<p>Update: 30s</p> | |
| Windows defender scan cancelled | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1002,,skip]<p>Update: 43s</p> | |
| Windows defender scan completed | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1001,,skip]<p>Update: 43s</p> | |
| Windows defender platform almost out of date | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},2007,,skip]<p>Update: 59s</p> | |
| Windows defender antispyware disabled | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5010,,skip]<p>Update: 53s</p> | |
| Windows antimalware service state | <p>-</p> | Zabbix agent (active) |
service.info[MsMpSvc]<p>Update: 120s</p> | |
| Windows defender history delete | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1013,,skip]<p>Update: 30s</p> | |
| Windows defender malware detected | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1006 | 1116,,skip]<p>Update: 37s</p> |
| Windows defender engine failure | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5008,,skip]<p>Update: 53s</p> | |
| Windows defender service state | <p>-</p> | Zabbix agent (active) |
service.info[WinDefend]<p>Update: 120s</p> | |
| Windows defender scan failed | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1005,,skip]<p>Update: 43s</p> | |
| Windows defender RTP disabled | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5001,,skip]<p>Update: 53s</p> | |
| Windows defender healthy | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1150,,skip]<p>Update: 47s</p> | |
| Windows defender RTP failure | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},3002,,skip]<p>Update: 53s</p> | |
| Windows defender malware action failed | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1008 | 1118,,skip]<p>Update: 30s</p> |
| Windows defender scan started | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1000,,skip]<p>Update: 43s</p> | |
| Windows defender signature update failed | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},2001,,skip]<p>Update: 59s</p> | |
| Windows defender malware action taken | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1007 | 1117,,skip]<p>Update: 41s</p> |
| Windows defender antivirus disabled | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5012,,skip]<p>Update: 53s</p> |
There are no triggers in this template.
Uses macro {$AV_EVENTLOG} for the eventlog, Windows defender uses “Microsoft-Windows-Windows Defender/Operational”. Windows Antimalware uses “System”, but also needs {$AV_SOURCE} set to “Microsoft Antimalware”, default value in the template is an empty string.
Collect selected events for Windows Defender (default config) or with host macro settings will work with Windows Antimalware.
Uses macro {$AV_EVENTLOG} for the event log name, Windows defender uses “Microsoft-Windows-Windows Defender/Operational”.
Windows Antimalware uses “System”, but also needs {$AV_SOURCE} set to “Microsoft Antimalware”. Default value in the template is an empty string.
Template exported from Zabbix 4.0.x but I think the concepts would work with older versions.
Revised: Correct value for {$AV_SOURCE}
| Name | Description | Default | Type |
|---|---|---|---|
| {$AV_EVENTLOG} | <p>-</p> | Microsoft-Windows-Windows Defender/Operational |
Text macro |
| {$AV_SOURCE} | <p>-</p> | `` | Text macro |
There are no template links in this template.
There are no discovery rules in this template.
| Name | Description | Type | Key and additional info | |
|---|---|---|---|---|
| Windows defender suspicious behavior detected | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1015,,skip]<p>Update: 30s</p> | |
| Windows defender malware action failed | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1008 | 1118,,skip]<p>Update: 30s</p> |
| Windows defender antivirus disabled | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5012,,skip]<p>Update: 53s</p> | |
| Windows defender malware action taken | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1007 | 1117,,skip]<p>Update: 41s</p> |
| Windows defender healthy | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1150,,skip]<p>Update: 47s</p> | |
| Windows defender engine failure | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5008,,skip]<p>Update: 53s</p> | |
| Windows defender RTP failure | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},3002,,skip]<p>Update: 53s</p> | |
| Windows defender scan failed | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1005,,skip]<p>Update: 43s</p> | |
| Windows defender signature update failed | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},2001,,skip]<p>Update: 59s</p> | |
| Windows defender service state | <p>-</p> | Zabbix agent (active) |
service.info[WinDefend]<p>Update: 120s</p> | |
| Windows defender malware action critically failed | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1119,,skip]<p>Update: 30s</p> | |
| Windows defender RTP disabled | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5001,,skip]<p>Update: 53s</p> | |
| Windows defender malware detected | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1006 | 1116,,skip]<p>Update: 37s</p> |
| Windows defender scan completed | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1001,,skip]<p>Update: 43s</p> | |
| Windows defender platform almost out of date | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},2007,,skip]<p>Update: 59s</p> | |
| Windows defender scan started | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1000,,skip]<p>Update: 43s</p> | |
| Windows defender history delete | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1013,,skip]<p>Update: 30s</p> | |
| Windows defender scan cancelled | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1002,,skip]<p>Update: 43s</p> | |
| Windows defender antispyware disabled | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5010,,skip]<p>Update: 53s</p> | |
| Windows antimalware service state | <p>-</p> | Zabbix agent (active) |
service.info[MsMpSvc]<p>Update: 120s</p> |
There are no triggers in this template.
Uses macro {$AV_EVENTLOG} for the eventlog, Windows defender uses “Microsoft-Windows-Windows Defender/Operational”. Windows Antimalware uses “System”, but also needs {$AV_SOURCE} set to “Microsoft Antimalware”, default value in the template is an empty string.
Collect selected events for Windows Defender (default config) or with host macro settings will work with Windows Antimalware.
Uses macro {$AV_EVENTLOG} for the event log name, Windows defender uses “Microsoft-Windows-Windows Defender/Operational”.
Windows Antimalware uses “System”, but also needs {$AV_SOURCE} set to “Microsoft Antimalware”. Default value in the template is an empty string.
Template exported from Zabbix 4.0.x but I think the concepts would work with older versions.
Revised: Correct value for {$AV_SOURCE}
| Name | Description | Default | Type |
|---|---|---|---|
| {$AV_EVENTLOG} | <p>-</p> | Microsoft-Windows-Windows Defender/Operational |
Text macro |
| {$AV_SOURCE} | <p>-</p> | `` | Text macro |
There are no template links in this template.
There are no discovery rules in this template.
| Name | Description | Type | Key and additional info | |
|---|---|---|---|---|
| Windows defender suspicious behavior detected | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1015,,skip]<p>Update: 30s</p> | |
| Windows defender malware action failed | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1008 | 1118,,skip]<p>Update: 30s</p> |
| Windows defender antivirus disabled | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5012,,skip]<p>Update: 53s</p> | |
| Windows defender malware action taken | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1007 | 1117,,skip]<p>Update: 41s</p> |
| Windows defender healthy | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1150,,skip]<p>Update: 47s</p> | |
| Windows defender engine failure | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5008,,skip]<p>Update: 53s</p> | |
| Windows defender RTP failure | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},3002,,skip]<p>Update: 53s</p> | |
| Windows defender scan failed | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1005,,skip]<p>Update: 43s</p> | |
| Windows defender signature update failed | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},2001,,skip]<p>Update: 59s</p> | |
| Windows defender service state | <p>-</p> | Zabbix agent (active) |
service.info[WinDefend]<p>Update: 120s</p> | |
| Windows defender malware action critically failed | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1119,,skip]<p>Update: 30s</p> | |
| Windows defender RTP disabled | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5001,,skip]<p>Update: 53s</p> | |
| Windows defender malware detected | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1006 | 1116,,skip]<p>Update: 37s</p> |
| Windows defender scan completed | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1001,,skip]<p>Update: 43s</p> | |
| Windows defender platform almost out of date | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},2007,,skip]<p>Update: 59s</p> | |
| Windows defender scan started | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1000,,skip]<p>Update: 43s</p> | |
| Windows defender history delete | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1013,,skip]<p>Update: 30s</p> | |
| Windows defender scan cancelled | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},1002,,skip]<p>Update: 43s</p> | |
| Windows defender antispyware disabled | <p>-</p> | Zabbix agent (active) |
eventlog[{$AV_EVENTLOG},,,{$AV_SOURCE},5010,,skip]<p>Update: 53s</p> | |
| Windows antimalware service state | <p>-</p> | Zabbix agent (active) |
service.info[MsMpSvc]<p>Update: 120s</p> |
There are no triggers in this template.