Doesn’t MS Defender log to the event log when something was found or some action was taken?
Microsoft-Windows-Windows Defender/Operational
So in theory you could just add these events (see Windows Integration | Elastic integrations)
| Event ID | Meaning | Use case |
|---|---|---|
| 1116 | Malware detected | Primary detection signal |
| 1117 | Action taken (cleaned/quarantined) | Response tracking |
| 1118 | Action failed | Important for detection gaps |
| 1119 | Critical error during remediation | High priority |
| 1120 | Malware not removed | Persistence risk |
| 1006 / 1007 | Scan started/completed | Context |
| 5007 | Configuration changed | Tampering detection |
And create a detection rule for whatever you want a detection on? (Not 100 % sure the sample submission you are talking about logs a dedicated event.)
Best regards,
Willem
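To show what a rule over these events can do beyond alerting on a single event ID, here is an added example (not part of the post above, and not Elastic's own code) that correlates the Defender Operational-channel events from the table: each 1116 detection is paired with the 1117/1118/1119/1120 outcome that follows it on the same host for the same threat, and every 5007 configuration change is raised on its own. The document shape (`winlog.channel`, `winlog.event_id`, `winlog.event_data` with the XML data names such as `Threat Name`, `Old Value`, `New Value`) is an assumption modelled on how the Elastic Windows integration ships winlog events, and the sample events are constructed, not captured from a real host.

```python
"""Correlate Microsoft Defender Operational-channel events into alerts.

Added example, not code from the forum post or from Elastic. The field layout
(winlog.channel / winlog.event_id / winlog.event_data.*) and the event_data key
names are assumptions modelled on the Elastic winlog schema; SAMPLE_EVENTS are
constructed for illustration.
"""

DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"

# Event IDs and their meaning, as listed in the post above.
EVENT_MEANING = {
    1116: "Malware detected",
    1117: "Action taken (cleaned/quarantined)",
    1118: "Action failed",
    1119: "Critical error during remediation",
    1120: "Malware not removed",
    1006: "Scan started",
    1007: "Scan completed",
    5007: "Configuration changed",
}
REMEDIATION_FAILED = {1118, 1119, 1120}

# Constructed sample documents (assumed Elastic Windows integration shape).
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:01Z", "host": {"name": "ws01"},
     "winlog": {"channel": DEFENDER_CHANNEL, "event_id": 1116,
                "event_data": {"Threat Name": "Trojan:Win32/Sample.A", "Path": "file:_C:\\Users\\a\\x.exe"}}},
    {"@timestamp": "2024-05-01T10:00:03Z", "host": {"name": "ws01"},
     "winlog": {"channel": DEFENDER_CHANNEL, "event_id": 1117,
                "event_data": {"Threat Name": "Trojan:Win32/Sample.A", "Action Name": "Quarantine"}}},
    {"@timestamp": "2024-05-01T10:05:00Z", "host": {"name": "ws02"},
     "winlog": {"channel": DEFENDER_CHANNEL, "event_id": 1116,
                "event_data": {"Threat Name": "Backdoor:Win32/Sample.B", "Path": "file:_C:\\Temp\\y.exe"}}},
    {"@timestamp": "2024-05-01T10:05:02Z", "host": {"name": "ws02"},
     "winlog": {"channel": DEFENDER_CHANNEL, "event_id": 1118,
                "event_data": {"Threat Name": "Backdoor:Win32/Sample.B", "Action Name": "Remove"}}},
    {"@timestamp": "2024-05-01T10:07:00Z", "host": {"name": "ws03"},
     "winlog": {"channel": DEFENDER_CHANNEL, "event_id": 1116,
                "event_data": {"Threat Name": "HackTool:Win32/Sample.C"}}},
    {"@timestamp": "2024-05-01T10:09:00Z", "host": {"name": "ws03"},
     "winlog": {"channel": DEFENDER_CHANNEL, "event_id": 5007,
                "event_data": {"Old Value": "",
                               "New Value": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Temp = 0x0"}}},
    # Noise: a scan-completed event and an event from a different channel.
    {"@timestamp": "2024-05-01T10:10:00Z", "host": {"name": "ws01"},
     "winlog": {"channel": DEFENDER_CHANNEL, "event_id": 1007, "event_data": {}}},
    {"@timestamp": "2024-05-01T10:10:05Z", "host": {"name": "ws01"},
     "winlog": {"channel": "Security", "event_id": 4624, "event_data": {}}},
]


def _defender_events(events):
    """Keep only Defender Operational-channel events, oldest first."""
    return sorted((e for e in events if e["winlog"]["channel"] == DEFENDER_CHANNEL),
                  key=lambda e: e["@timestamp"])


def correlate(events):
    """Return alerts sorted by time.

    A 1116 detection starts as 'unresolved' (medium). A later 1117 on the same
    host and threat marks it 'remediated' (low); 1118/1119/1120 mark it with the
    failure meaning (high). 5007 is always raised as a config change (high).
    """
    alerts = []
    open_detections = {}  # (host, threat name) -> detection alert awaiting an outcome
    for e in _defender_events(events):
        host, eid, data = e["host"]["name"], e["winlog"]["event_id"], e["winlog"]["event_data"]
        if eid == 1116:
            alert = {"ts": e["@timestamp"], "host": host, "rule": "defender_detection",
                     "threat": data.get("Threat Name"), "path": data.get("Path"),
                     "outcome": "unresolved", "severity": "medium"}
            alerts.append(alert)
            open_detections[(host, alert["threat"])] = alert
        elif eid == 1117 or eid in REMEDIATION_FAILED:
            det = open_detections.pop((host, data.get("Threat Name")), None)
            if det is None:
                # Outcome without a matching detection (e.g. ingestion gap): keep it visible.
                alerts.append({"ts": e["@timestamp"], "host": host, "rule": "defender_orphan_outcome",
                               "threat": data.get("Threat Name"), "outcome": EVENT_MEANING[eid],
                               "severity": "low"})
            elif eid == 1117:
                det["outcome"], det["severity"] = "remediated", "low"
            else:
                det["outcome"], det["severity"] = EVENT_MEANING[eid], "high"
        elif eid == 5007:
            alerts.append({"ts": e["@timestamp"], "host": host, "rule": "defender_config_changed",
                           "old": data.get("Old Value"), "new": data.get("New Value"),
                           "severity": "high"})
        # 1006/1007 and unknown IDs are context only and produce no alert.
    return sorted(alerts, key=lambda a: a["ts"])


def needs_attention(alerts):
    """High-severity alerts: failed remediation and configuration changes."""
    return [a for a in alerts if a["severity"] == "high"]


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["ts"], a["host"], a["rule"], a.get("outcome", a.get("new")), a["severity"])
```

A plain query rule in Elastic can only express the per-event half of this (filter on `winlog.channel` and the event ID, which the Windows integration also exposes as `event.code`); the pairing of a detection with its outcome is what turns 1118/1119/1120 into the "detection gap" and "persistence risk" signals the table calls out.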