Windows Defender Real-time Protection Disabled
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain much information on who initiated the action, you might want to reduce the rule to a "medium" level if it fires too often in your environment.
Detection logic
selection:
  EventID: 5001
condition: selection
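As an added example (not part of the Sigma rule or this page), the detection block above is evaluated in Python over constructed Windows Defender event records, with a per-host count to support the "medium" tuning note in the description. The Operational-channel name and the Computer field are assumptions; the page only gives the EventID.

```python
from collections import Counter

# Detection block of the rule above, as a YAML loader would parse it.
DETECTION = {
    "selection": {"EventID": 5001},
    "condition": "selection",
}

# Constructed sample events. The channel is an assumption (not stated on the page);
# 5000/1116 are filler non-matches, and one 5001 arrives string-typed as some forwarders emit it.
CHANNEL = "Microsoft-Windows-Windows Defender/Operational"
SAMPLE_EVENTS = [
    {"EventID": 5001, "Computer": "WS01", "Channel": CHANNEL},
    {"EventID": 5000, "Computer": "WS01", "Channel": CHANNEL},
    {"EventID": 5001, "Computer": "WS02", "Channel": CHANNEL},
    {"EventID": "5001", "Computer": "WS02", "Channel": CHANNEL},
    {"EventID": 1116, "Computer": "WS03", "Channel": CHANNEL},
    {"EventID": 5001, "Computer": "WS02", "Channel": CHANNEL},
]

def field_matches(event, field, expected):
    """One Sigma field: a scalar must equal the event value; a list of values is OR-ed.
    Values are compared as strings because forwarders differ on EventID typing."""
    if field not in event:
        return False
    candidates = expected if isinstance(expected, list) else [expected]
    return any(str(event[field]) == str(c) for c in candidates)

def selection_matches(event, selection):
    """A Sigma selection map is an AND over all of its fields."""
    return all(field_matches(event, f, v) for f, v in selection.items())

def evaluate(event, detection=DETECTION):
    """Evaluate a detection block whose condition is a single selection name,
    as in this rule (condition: selection)."""
    name = detection["condition"].strip()
    return selection_matches(event, detection[name])

def run_rule(events, detection=DETECTION, noisy_threshold=2):
    """Return matching events, a per-host hit count, and the hosts at or above
    noisy_threshold: the ones for which the description suggests lowering the level."""
    hits = [e for e in events if evaluate(e, detection)]
    per_host = Counter(e.get("Computer", "?") for e in hits)
    noisy = sorted(h for h, n in per_host.items() if n >= noisy_threshold)
    return hits, per_host, noisy

if __name__ == "__main__":
    hits, per_host, noisy = run_rule(SAMPLE_EVENTS)
    print(f"{len(hits)} alerts; per host {dict(per_host)}; noisy hosts {noisy}")
```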