How to Register a Defender Alert Using PowerShell?

Asked By TechWizard99 On

I'm trying to log an event in the Windows Event Viewer under the `Microsoft-Windows-Windows Defender/Operational` log. However, I'm hitting a wall with PowerShell insisting that I use the `-Payload` parameter. No matter what I put in there, it seems like I'm not getting it right. Here's the command I've been using: `New-WinEvent -ProviderName "Microsoft-Windows-Windows Defender" -Id 1116 -Payload @("xx","yy")`. But I keep getting this warning: `The provided payload does not match the template defined for event ID "1116."` I reviewed the defined template, and it lists several parameters that need to be filled out. I'm really confused about what's going wrong and if it's even possible to create custom events for Defender alerts. Does anyone have insight on this?

2 Answers

Answered By EventLogGuru88 On

You can actually create custom events, but it’s generally simpler to start by setting a new source. Here’s how I do it: First, create a new source for the log with `New-EventLog -LogName "Microsoft-Windows-Windows Defender/Operational" -Source "MyEventSource"`. After that, use `Write-EventLog -LogName "Microsoft-Windows-Windows Defender/Operational" -Source "MyEventSource" -EventID 123 -EntryType Information -Message "My test event" -RawData 10,20`. The `-RawData` argument is a bit of a mystery nowadays, but this method has worked for me when logging into specific logs. It helps clarify which events are custom and which are system-generated.

Answered By PowershellPro27 On

From what I understand in the Microsoft documentation for New-WinEvent, the parameters you send in the Payload must match the event ID template exactly. The warning you get usually means you're not providing all the required parameters as specified.

CuriousCoder33 -

I tried to fill out all the parameters, but PowerShell keeps limiting me, saying I can’t use more than 8 string parameters. If I try numbers, it says I’m limited to 32 integer parameters. It gets messy fast!
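As an added example (not code from either answer), the script below reads the provider's registered template for an event ID and compares a candidate payload against it, which is what the warning in the question is complaining about. The function names are mine; it assumes a Windows host where the `Microsoft-Windows-Windows Defender` provider is registered, and it only inspects metadata, it does not write any event.

```powershell
# Added example: list the template fields New-WinEvent expects for a provider/event ID
# and report whether a candidate payload has the right number of slots.
function Get-WinEventTemplateFields {
    param(
        [Parameter(Mandatory)] [string] $ProviderName,
        [Parameter(Mandatory)] [int]    $EventId
    )
    $provider = Get-WinEvent -ListProvider $ProviderName -ErrorAction Stop
    # A provider may define the same ID in several versions; use the newest one.
    $event = $provider.Events |
        Where-Object Id -eq $EventId |
        Sort-Object Version |
        Select-Object -Last 1
    if (-not $event) { throw "Event ID $EventId is not defined by provider '$ProviderName'." }
    if (-not $event.Template) { return @() }   # some events carry no payload at all
    # The template is an XML fragment; each <data> element is one required payload slot.
    ([xml]$event.Template).template.data | ForEach-Object {
        [pscustomobject]@{ Name = $_.name; Type = $_.inType }
    }
}

function Test-WinEventPayload {
    param(
        [Parameter(Mandatory)] [string]   $ProviderName,
        [Parameter(Mandatory)] [int]      $EventId,
        [Parameter(Mandatory)] [object[]] $Payload
    )
    $fields = @(Get-WinEventTemplateFields -ProviderName $ProviderName -EventId $EventId)
    if ($fields.Count -ne $Payload.Count) {
        Write-Warning ("Template for event {0} has {1} fields; payload supplies {2}." -f
            $EventId, $fields.Count, $Payload.Count)
        # Show the slots (name and ETW input type) the caller must fill, in order.
        $fields | Format-Table -AutoSize | Out-String | Write-Warning
        return $false
    }
    return $true
}

# Usage: explain why the two-element payload from the question is rejected.
Test-WinEventPayload -ProviderName "Microsoft-Windows-Windows Defender" -EventId 1116 -Payload @("xx","yy")
```

The same field list is what a detection rule parsing Defender event 1116 consumes, so it is also a quick way to confirm which named fields a log pipeline should expect.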
