Defender/Operational.evtx

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx

While the flat-text MPLog files are useful for deep-dive AV analysis, the Defender Operational log is the primary structured, machine-parseable record of antivirus activity on the system. Threat detections, remediation actions and - critically - any tampering with real-time protection are all packaged here as clean XML events.

Log Channel: Microsoft-Windows-Windows Defender/Operational - written by the Windows Defender antimalware service (WinDefend)
Trace Type: Malware Detection, AV Tampering, Remediation
Req. Audit Policy: No. Active by default wherever Windows Defender is installed and enabled; no additional configuration required.
User Specific: No. System-wide: Defender monitors all processes and file paths regardless of user context.

General

The Defender Operational log records the complete lifecycle of a malware detection: the initial scan trigger, the threat identification (by full threat name and SHA-1 hash), the action taken and the final remediation outcome. Unlike the raw MPLog files which are text-based and verbose, each event here maps to a specific Event ID with well-defined XML fields, making it highly amenable to automated parsing and correlation. Crucially, the log also records any attempt to disable or modify Windows Defender itself - an action that attackers routinely script to prevent detection before deploying payloads.

Traces

The most forensically significant Event IDs in the Defender Operational log are:

Event ID Description
1006 Scan completed. Records the scan type (quick, full, custom), the number of items scanned and any threats found. Useful for verifying that scheduled scans ran as expected.
1116 Malware detected. Contains the full threat name (e.g. Trojan:Win32/CobaltStrike.A), the affected file path, SHA-1 hash, detection source and the user context at time of detection.
1117 Malware action taken. Documents the remediation outcome: Quarantined, Removed, Cleaned, Allowed or Failed. A "Removed" action confirms the file was deleted from the system.
1118 Malware action failed. Indicates that Defender detected a threat but was unable to remediate it - typically seen when the malicious file is locked by a running process.
5001 Real-time protection disabled. A high-priority indicator of AV tampering. Attackers frequently disable real-time protection programmatically before deploying malware.
5007 Defender configuration changed. Records any modification to Defender settings including exclusion additions - a common attacker technique to whitelist malicious directories.
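
The following triage script is an added example, not part of the original page: it pulls the Event IDs listed above from the live channel (or from an exported .evtx copy) and flattens each event's XML EventData into a one-line summary. The EventData element names it reads ("Threat Name", "Path", "Process Name", "Detection User", "Action Name", "Error Description", "Old Value", "New Value") are assumed from typical Defender events; confirm them against a sample event with ToXml() before relying on the output.

```powershell
# Added example (not the page's own code). Assumes the EventData <Data Name="...">
# labels below match the events on the analysed system; adjust if they differ.
param(
    [string]$LogName  = 'Microsoft-Windows-Windows Defender/Operational',
    # For offline analysis, point at an exported copy of the .evtx instead
    [string]$EvtxPath = $null,
    [int[]] $EventIds = @(1116, 1117, 1118, 5001, 5007)
)

# Build a FilterHashtable for either the live channel or an exported file
$filter = @{ Id = $EventIds }
if ($EvtxPath) { $filter.Path = $EvtxPath } else { $filter.LogName = $LogName }

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Each record is clean XML; collect its <Data Name="..."> fields by name
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # One summary line per Event ID, mirroring the table above
    $summary = switch ($e.Id) {
        1116 { 'DETECTED {0} at {1} (process: {2}, user: {3})' -f `
               $data['Threat Name'], $data['Path'], $data['Process Name'], $data['Detection User'] }
        1117 { 'ACTION   {0} -> {1}' -f $data['Threat Name'], $data['Action Name'] }
        1118 { 'FAILED   {0} -> {1} ({2})' -f `
               $data['Threat Name'], $data['Action Name'], $data['Error Description'] }
        5001 { 'TAMPER   real-time protection disabled' }
        5007 { 'CONFIG   {0} => {1}' -f $data['Old Value'], $data['New Value'] }
    }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Summary     = $summary
    }
}
```

Pipe the output to Sort-Object TimeCreated or Export-Csv to line detections, remediation outcomes and tampering events up on a single timeline.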

Forensic Value

For more info check out these articles: Defender (SysLogs)