drop windows defender operational evtx csv and security evtx csv · detect tamper protection bypass attempts · identify unauthorized defender configuration changes · surface methods used to modify defender despite tamper protection · runs locally

drop defender / security / system evtx csv (multi-file)

5013 tamper blocks · 5007 config changes · safe mode / WMI / ELAM bypass · blocked-then-succeeded pattern
