| Microsoft-Windows-Windows Defender/Operational | 1000 | Information | Windows Defender service started successfully |
| Microsoft-Windows-Windows Defender/Operational | 1001 | Information | Windows Defender service stopped |
| Microsoft-Windows-Windows Defender/Operational | 1002 | Information | Real-time protection started |
| Microsoft-Windows-Windows Defender/Operational | 1003 | Warning | Real-time protection stopped |
| Microsoft-Windows-Windows Defender/Operational | 1004 | Error | Windows Defender initialization failed |
| Microsoft-Windows-Windows Defender/Operational | 1005 | Information | Engine version updated |
| Microsoft-Windows-Windows Defender/Operational | 1006 | Information | Signature definitions updated successfully |
| Microsoft-Windows-Windows Defender/Operational | 1007 | Warning | Signature definitions update failed |
| Microsoft-Windows-Windows Defender/Operational | 1008 | Warning | Malware found and remediation started |
| Microsoft-Windows-Windows Defender/Operational | 1009 | Information | Malware removed or quarantined successfully |
| Microsoft-Windows-Windows Defender/Operational | 1010 | Information | Scan started (manual or scheduled) |
| Microsoft-Windows-Windows Defender/Operational | 1011 | Information | Scan completed successfully |
| Microsoft-Windows-Windows Defender/Operational | 1012 | Error | Scan failed to complete |
| Microsoft-Windows-Windows Defender/Operational | 1116 | Warning | Malware or potentially unwanted software detected |
| Microsoft-Windows-Windows Defender/Operational | 1117 | Warning | Potentially unwanted application detected |
| Microsoft-Windows-Windows Defender/Operational | 1118 | Information | Malware action successful |
| Microsoft-Windows-Windows Defender/Operational | 1119 | Error | Malware action failed |
| Microsoft-Windows-Windows Defender/Operational | 1120 | Information | File or process excluded from scanning |
| Microsoft-Windows-Windows Defender/Operational | 2000 | Warning | Suspicious behavior detected by real-time protection |
| Microsoft-Windows-Windows Defender/Operational | 2001 | Error | Behavior monitoring service failed |
| Microsoft-Windows-Windows Defender/Operational | 3002 | Warning | Tamper protection blocked unauthorized change |
| Microsoft-Windows-Windows Defender/Operational | 5001 | Error | Critical AV engine error |
| Microsoft-Windows-Windows Defender/Operational | 5004 | Information | Configuration changed |
| Microsoft-Windows-Windows Defender/Operational | 5010 | Error | Service health check failure |
| Microsoft-Windows-Windows Defender/Operational | 5012 | Warning | Signature definitions expired |
| System | 7036 | Information | Windows Defender service entered running or stopped state |
| System | 7000 | Error | Windows Defender service failed to start |
| System | 7024 | Error | Windows Defender service terminated unexpectedly |
| Security | 5007 | Information | Windows Defender settings modified |
| Security | 1118 | Information | Malware protection configuration changed |
| Security | 1119 | Warning | Security intelligence update failed |
| Microsoft-Windows-Windows Defender/Operational | 1006 | Critical | Malware detected |
| Microsoft-Windows-Windows Defender/Operational | 1116 | High | Malware remediation failed |
| Microsoft-Windows-Windows Defender/Operational | 1117 | Medium | Threat removed successfully |
| Microsoft-Windows-Windows Defender/Operational | 2001 | Critical | Real-time protection disabled |
| Microsoft-Windows-Windows Defender/Operational | 5001 | High | Signature update failed |
| Microsoft-Windows-Security-Mitigations | 1 | High | Exploit mitigation blocked a process |