Detectionlowstable

Windows Defender Submit Sample Feature Disabled

Detects disabling of the "Automatic Sample Submission" feature of Windows Defender.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems)Created Tue Dec 0691903aba-1088-42ee-b680-d6d94fe002b0windows
Log Source
Windowswindefend
ProductWindows← raw: windows
Servicewindefend← raw: windefend
Detection Logic
Detection Logic1 selector
detection:
    selection:
        EventID: 5007 # The antimalware platform configuration changed.
        NewValue|contains: '\Real-Time Protection\SubmitSamplesConsent = 0x0'
    condition: selection
False Positives

Administrator activity (must be investigated)