.. generated, remove this comment to keep this file

``defender.mplog``
==================

.. code-block:: console

    $ target-query -f defender.mplog

.. list-table:: Details
    :widths: 20 80

    * - Module
      - ``dissect.target.plugins.os.windows.defender._plugin.MicrosoftDefenderPlugin``
    * - Output
      - ``records``

**Module documentation**

Plugin that parses artifacts created by Microsoft Defender.

This includes the EVTX logs, as well as recovery of artefacts from the quarantine folder.

**Function documentation**

Return the contents of the Defender MPLog file.

References:

- https://www.crowdstrike.com/blog/how-to-use-microsoft-protection-logging-for-forensic-investigations/
- https://www.intrinsec.com/hunt-mplogs/
- https://github.com/Intrinsec/mplog_parser