Detects Access to LSASS Process
Detects blocking of process creations originating from PSExec and WMI commands
Detects triggering of AMSI by Windows Defender.
Detects suspicious changes to the Windows Defender configuration
Detects the Setting of Windows Defender Exclusions
Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications"
Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.
Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software
Windows Defender logs when the history of detected infections is deleted.
Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action, you might want to reduce it to a "medium" level if this occurs too many times in your environment.
Detects disabling of the "Automatic Sample Submission" feature of Windows Defender.
Detects actions taken by Windows Defender malware detection engines
Detects disabling of the Windows Defender virus scanning feature
Detects the restoration of files from the defender quarantine
Detects issues with Windows Defender Real-Time Protection features
Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"