LoFP / some crashes can occur sometimes and the event doesn't provide enough information to tune out these cases. manual exception is required

Techniques

• t1562
• t1562.001

Sample rules

Windows Defender Real-Time Protection Failure/Restart

• source: sigma
• technicques:
  • t1562
  • t1562.001

Description

Detects issues with Windows Defender Real-Time Protection features

Detection logic

condition: selection and not 1 of filter_optional_*
filter_optional_network_inspection:
  Feature_Name: '%%886'
  Reason:
  - '%%892'
  - '%%858'
selection:
  EventID:
  - 3002
  - 3007