Email Alerts from Windows Defender

Captions
Today we're sending alerts from Windows Defender. [Music]

Hey there, this is Tom with Tom's Tech Show, and we got a good one for you today. But before that, I have a new channel that I've set up. I want to do some more things that are a little bit more serious, like talk about certain blue-like things that are going around or certain political things that are happening, and I didn't think that this channel... this channel is monetized, and I want to keep it safe and keep it from getting hit with anything, you know, just so I can continue to produce computer content and maybe a little bit of entertainment content. Yeah, we have The Orville coming up, less than a hundred days. I've been watching, going over, making videos and watching some of the old Orville episodes, and it's hard to think just how incredibly good they are and how insightful they are and how foretelling they are of some of the current events that are going on today, so just some amazing stuff there. But some of the other, more harsh things, some more things that are probably going to generate maybe a little heavier conversation, that's over now at Tom's Talk Show. I'll put a link down below, so go over there, like, share and subscribe and help me out, or if what you find over there is appalling and horrible, then just lambast me and tell me I'm wrong and I'm whatever -ism you want. That's fine, I really don't care.

But anyway, so today what we're doing on this channel is we're setting up Windows Defender to send alerts. Now, Windows Defender is a fair, you know, antivirus/malware system that you can set up on a computer and be able to run it, and it's provided by Microsoft, and it's free of charge. There's no "oh, you need to upgrade," "oh, you got to do this," "oh, quick, you're not protected" messages that come from it. It's just straight-on protection. So couple that with some smart browsing, not opening any attachments, things like that, and that will keep you pretty safe using your computer. But say you've got an office, you've got 20 computers, 10 computers, and you want to know when something happens: somebody clicks a link, it's triggered from Defender, and you want to know. Maybe they're in the office and you're not in the office, or they're working from home, and you need to know this information. So how do we do that? It's pretty straightforward.

So let's go here to the script. This is a script that I put together, taken from a bunch of other scripts and some of my own email code and stuff that I've put together. So the first thing we want to do, up here on the top, if I can make this a little bit bigger... zoom in, okay, there we go. So first, what we want to do is: what event IDs do we want to have emailed to us? 1000 is just a generic one; you can use that one for testing, because that's just "I've started a malware scan," and I use that for testing, because otherwise that would be going off all of the time. But to make sure that it's working and you're getting your email, I leave that one in. So 1006, 1015, and 1116.

Now, where do I get these numbers? Okay, there is a Microsoft page here that shows reviewing event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus. This is over on the Microsoft site, and I'll put a link to this in the description. But if we come down here, we start seeing these things: event ID 1000 is malware protection scan started. We come down to, say, 1005, protection scan failed; you might want to know that. 1006, malware detected, so that's definitely one we want to go on and find. So there's many other things. You can put as many or as few as you want, but that's gonna determine how many rules you put in an event, and we'll get to that in a little bit.

Okay, so once we have that, we can do Get-WinEvent. So this is a script that is going to be triggered once we hit an event: something happens, and boom, we run this alert. So we get the WinEvent; we're only going to get one event, and we're going to filter that by the event ID from this list. So it's going to go through the alerts, get the very first one that matches one of the events in our list, and then we're going to kind of break that down: we're going to get the message, we're going to get the ID, the machine name, and the alert provider name. So we really are concerned heavily with this message, so we want to make sure that's in there. Then we just do a general email here: email from, email to, the alert, which is "alert from <machine name>," which will be good so that you know which computer out there is getting the malware or whatever on it. The body is going to be event ID, source, machine name and message, so that's that string. And then we just do our general email, System.Net.Mail.MailMessage, so that we can set that up and run it. Going through Gmail is what I'm doing. We use port 587, SSL enabled true, and then we set our credentials, and then we send the message. So basically, we know there's an event, we get all the information, and we email that information out.

Now, to get that information, we need to create an event in our Task Scheduler. So this is set up by trigger. So we just created a generic event, set it up with triggers, and one of these triggers would be "on an event." The log file that we're looking for is Microsoft-Windows-Windows Defender/Operational, and the source underneath that is Windows Defender, and then we put the event ID; this is 1006. So we'll have to make one of these for each event type, so we get 1000, 1006, and the other one, 1116, and all that are all in here. So whenever any of those alerts hit, then boom, it'll send out my action.

Now, under Actions, we come here and we put "start a program." So what we want to do is start a program. That program is C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, and then the argument that we want to put on the end of that is -File, because we'll run a script, which I have mine in a folder called Scripts right off of the C drive. You can put it anywhere you want, and run this file. So I have it called defender alert powershell 1, a .ps1 file.

Now, when all this runs and something happens and it goes and sends an alert, it sends me an email message, so it makes it very quick and easy. And here's one of these messages. It simply states: event source is Microsoft Windows Defender, machine name is Studio One, message is "Microsoft Defender Antivirus scan started," it has a scan ID, what type of scan it is, and who's running it (the system is running it). So if this were malware, it would say "message: malware detected," and then you can go and check and make sure that a full scan is run and make sure that the malware has been quarantined, and then find out where it came from and either change the behavior of the user, like they opened an attachment or something in an email, or find out if it's coming in through your firewall, somebody went to a bad web page, or however that got in, and try and train your users. Say, "well, let's make sure we don't go there, make sure we don't do that again," or make sure we let the other person on the other end know. Maybe if it was a bad email coming from somewhere like a vendor or something, make sure that they know out on the other end that they have sent and propagated malware. So just find out where it came from to try and shut that down.

Okay, so that's kind of it. That makes it pretty easy just to go through and set it all up. Once you get this on the system, then it should run pretty maintenance-free until you get it there. If you are using Google to send the email and you have two-factor, you'll have to create an application password for the email to be sent and to log into Google, which is fine, so that if ever that were compromised, then you can just turn off that password, because these will be in the script on the computer. So set it up with the app password; if you do get any malware, go and change that password and then go update your computers' app passwords.

Okay, so that should get you there. That should enable you to get alerts from all your computers that have Windows Defender on them, and then you can kind of manage that all in one place instead of asking, "anybody get any malware? Who got this message?" kind of thing. It helps to get that all in one place.

All right, there you go, pretty plain and simple. If you have any questions or anything about it, of course my code that I write is always up in my Bitbucket account, which is linked below, and I will link that Microsoft event ID page for Windows Defender so you can go through those and pick out which events you want to trigger on. And once you get all that set up, then make sure to put that in the event ID list inside the script for what events you're going to trigger off of. All right, well, thanks for watching, and be sure to like, share and subscribe to my channel and help me grow so that I can continue to make these videos, to continue to help you and take suggestions from people and do all that back-and-forth fun stuff. So it's been very enjoyable, so thanks for watching, take care. [Music]
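The script and scheduled task the video walks through, written out as an added example. This is not Tom's script from his Bitbucket; it is an independent version of the same design (Get-WinEvent on the Defender Operational log filtered by an event ID list, then a System.Net.Mail message over Gmail on port 587 with SSL). Two things are assumptions of this example rather than what the video shows: the Gmail app password is stored once with Export-Clixml (DPAPI-encrypted for the account that runs the task) instead of living in the script, and the task is registered from PowerShell with one event trigger whose XPath covers every ID in the list, rather than one Task Scheduler trigger per ID as set up in the GUI. The sender, recipient, paths and task name are placeholders.

```powershell
<#
  DefenderAlert.ps1 (added example, not the video's script)
  Normal run (no switch): triggered by the scheduled task, emails the newest matching event.
  One-time setup:         .\DefenderAlert.ps1 -Register   (run as the user the task should run as)
  Before -Register, store the mail credential once, as that same user:
      Get-Credential | Export-Clixml -Path C:\Scripts\mail.cred.xml
#>
param([switch]$Register)

# 1000 = scan started (keep for testing; fires on every scan), 1006/1015/1116 = detection events
$EventIds = @(1000, 1006, 1015, 1116)
$LogName  = 'Microsoft-Windows-Windows Defender/Operational'
$Provider = 'Microsoft-Windows-Windows Defender'
$From     = 'alerts@example.com'          # placeholder sender (the Gmail account)
$To       = 'admin@example.com'           # placeholder recipient
$CredPath = 'C:\Scripts\mail.cred.xml'    # assumed path of the Export-Clixml credential
$TaskName = 'Defender Alert Email'        # assumed task name

if ($Register) {
    # One XPath query that matches any of the listed IDs from the Defender provider,
    # so a single trigger covers the whole list.
    $idFilter = ($EventIds | ForEach-Object { "EventID=$_" }) -join ' or '
    $query = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">*[System[Provider[@Name='$Provider'] and ($idFilter)]]</Select>
  </Query>
</QueryList>
"@
    # New-ScheduledTaskTrigger has no "on an event" option; build the trigger as a CIM instance.
    $class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
    $trigger = New-CimInstance -CimClass $class -ClientOnly
    $trigger.Subscription = $query
    $trigger.Enabled      = $true

    # Same action as in the video: powershell.exe -File <this script>.
    # Local execution policy must allow running this script (e.g. RemoteSigned).
    $action = New-ScheduledTaskAction `
        -Execute  'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
        -Argument "-NoProfile -File `"$PSCommandPath`""

    Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action -Force | Out-Null
    Write-Host "Registered task '$TaskName' for event IDs $($EventIds -join ', ') in '$LogName'."
    return
}

# Triggered run: the task fires right after the event is written, so the newest
# event on the list is the one that caused the trigger.
try {
    $evt = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventIds } -MaxEvents 1 -ErrorAction Stop
} catch {
    Write-Error "No matching Defender event found: $_"
    return
}

$subject = "Alert from $($evt.MachineName): Defender event $($evt.Id)"
$body = @"
Event ID: $($evt.Id)
Source:   $($evt.ProviderName)
Machine:  $($evt.MachineName)
Time:     $($evt.TimeCreated)
Message:
$($evt.Message)
"@

# The credential file was encrypted with DPAPI for the exporting account, so only that
# account on this machine can decrypt it; nothing secret sits in the script itself.
$cred = Import-Clixml -Path $CredPath

$msg  = New-Object System.Net.Mail.MailMessage($From, $To, $subject, $body)
$smtp = New-Object System.Net.Mail.SmtpClient('smtp.gmail.com', 587)
$smtp.EnableSsl   = $true
$smtp.Credentials = $cred.GetNetworkCredential()
$smtp.Send($msg)
$msg.Dispose()
```

To test the pipeline without waiting for a detection, keep 1000 in the list and start a quick scan; the email that arrives should carry the "scan started" message. Once confirmed, dropping 1000 from `$EventIds` and running `-Register` again stops the per-scan noise, and rotating the app password only requires re-running the `Export-Clixml` line, not editing the script.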
Info
Channel: Tom's Tech Show!
Views: 22
Id: 04gDKYKd-RI
Length: 10min 40sec (640 seconds)
Published: Mon Dec 06 2021