Event ID and meaning scraper & Windows Defender Events IDS list and meanings

Author: iUseYahoo

events/Windows Defender/ids.json

@@ -0,0 +1,60 @@
+{
+ "1000": "Malwareprotection scan started",
+ "1001": "Malwareprotection scan completed",
+ "1002": "Malwareprotection scan cancelled",
+ "1003": "Malwareprotection scan paused",
+ "1004": "Malwareprotection scan resumed",
+ "1005": "Malwareprotection scan failed",
+ "1006": "Malwareprotection malware detected",
+ "1007": "Malwareprotection malware action taken",
+ "1008": "Malwareprotection malware action failed",
+ "1009": "Malwareprotection quarantine restore",
+ "1010": "Malwareprotection quarantine restore failed",
+ "1011": "Malwareprotection quarantine delete",
+ "1012": "Malwareprotection quarantine delete failed",
+ "1013": "Malwareprotection malware history delete",
+ "1014": "Malwareprotection malware history delete failed",
+ "1015": "Malwareprotection behavior detected",
+ "1116": "Malwareprotection state malware detected",
+ "1117": "Malwareprotection state malware action taken",
+ "1118": "Malwareprotection state malware action failed",
+ "1119": "Malwareprotection state malware action critically failed",
+ "1120": "Malwareprotection threat hash",
+ "1121": "Event when an attack surface reduction rule fires in block mode.",
+ "1127": "Malwareprotection folder guard sector block",
+ "1150": "Malwareprotection service healthy",
+ "1151": "Malwareprotection service health report",
+ "2000": "Malwareprotection signature updated",
+ "2001": "Malwareprotection signature update failed",
+ "2002": "Malwareprotection engine updated",
+ "2003": "Malwareprotection engine update failed",
+ "2004": "Malwareprotection signature reversion",
+ "2005": "Malwareprotection engine update platformoutofdate",
+ "2006": "Malwareprotection platform update failed",
+ "2007": "Malwareprotection platform almostoutofdate",
+ "2010": "Malwareprotection signature fastpath updated",
+ "2011": "Malwareprotection signature fastpath deleted",
+ "2012": "Malwareprotection signature fastpath update failed",
+ "2013": "Malwareprotection signature fastpath deleted all",
+ "2020": "Malwareprotection cloud clean restore file downloaded",
+ "2021": "Malwareprotection cloud clean restore file download failed",
+ "2030": "Malwareprotection offline scan installed",
+ "2031": "Malwareprotection offline scan install failed",
+ "2040": "Malwareprotection os expiring",
+ "2041": "Malwareprotection os eol",
+ "2042": "Malwareprotection protection eol",
+ "3002": "Malwareprotection rtp feature failure",
+ "3007": "Malwareprotection rtp feature recovered",
+ "5000": "Malwareprotection rtp enabled",
+ "5001": "Malwareprotection rtp disabled",
+ "5004": "Malwareprotection rtp feature configured",
+ "5007": "Malwareprotection config changed",
+ "5008": "Malwareprotection engine failure",
+ "5009": "Malwareprotection antispyware enabled",
+ "5010": "Malwareprotection antispyware disabled",
+ "5011": "Malwareprotection antivirus enabled",
+ "5012": "Malwareprotection antivirus disabled",
+ "5013": "Malwareprotection scan cancelled",
+ "5100": "Malwareprotection expiration warning state",
+ "5101": "Malwareprotection disabled expired state"
+}

events/event_ids_scraper.py

@@ -0,0 +1,50 @@
+import requests
+from bs4 import BeautifulSoup
+import json
+
+# Define the URL of the Microsoft documentation page
+url = "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus"
+
+# Send an HTTP GET request to the URL
+response = requests.get(url)
+
+# Check if the request was successful (status code 200)
+if response.status_code == 200:
+ # Parse the HTML content of the page
+ soup = BeautifulSoup(response.text, "html.parser")
+
+ # Find all event ID sections
+ event_id_sections = soup.find_all("h2", {"id": lambda x: x and x.startswith("event-id-")})
+
+ # Initialize a dictionary to store event IDs and their meanings
+ event_id_meanings = {}
+
+ # Iterate through event ID sections and extract meanings
+ for section in event_id_sections:
+ event_id = section.get("id").replace("event-id-", "")
+ content_div = section.find_next("div", class_="content")
+ 
+ # Find the first <p> element in the content
+ meaning_paragraph = content_div.find("p")
+
+ # Extract the text and remove unnecessary prefixes
+ meaning = meaning_paragraph.get_text(strip=True)
+
+ # Remove "Message:" or "Symbolic name:" if present
+ meaning = meaning.replace("Message: ", "").replace("Symbolic name:", "")
+
+ # Replace underscores with spaces and capitalize the first letter
+ meaning = meaning.replace("_", " ").capitalize()
+
+ event_id_meanings[event_id] = meaning
+
+ # Convert the dictionary to JSON
+ result_json = json.dumps(event_id_meanings, indent=4)
+
+ # Save the JSON to a file
+ with open("windows_defender_event_ids.json", "w", encoding="utf-8") as json_file:
+ json_file.write(result_json)
+
+ print("Event IDs and meanings scraped and saved to 'windows_defender_event_ids.json'")
+else:
+ print(f"Failed to retrieve the page. Status code: {response.status_code}")