Microsoft Defender, Find User Ignored Threats With Splunk
EventID 1117 gives us the detection itself, with the category and severity of the threat found; EventID 5007 gives us a log of configuration changes made by users, including threats they chose to ignore.
EventID 5007 records changes users make to how threats are handled in a field called "New_value", which looks something like this:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\2147742972 = 0x6
It is a registry value. The string of numbers at the end of the key path is the same threat ID recorded in EventID 1117, and the "0x6" after the equals sign signifies that the threat was set to be ignored.
A little regex pulls the threat ID out of the 5007 event into a new "ThreatID" field, which we can then compare with the "ID" field of the 1117 event to see if they match. We do this without resorting to a join: coalescing the two fields into one and running stats over it brings matching events together in a single row.
Here's the SPL. The base search on the first line is an assumption (index name and source differ between environments); the original started at the rex, so adjust it to wherever your Defender operational log lands:
index=wineventlog source="WinEventLog:Microsoft-Windows-Windows Defender/Operational" EventCode IN (1117, 5007)
| rex field=New_value "(?P<ThreatID>[^\\\]+)\s\="
| fields ID ThreatID EventCode Computername User Action Category Name
| eval matchfield=coalesce(ID,ThreatID)
| stats values(*) as * by matchfield
| where ID = ThreatID
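The SPL above matches any 5007 default-action change against a 1117 detection, whatever the value after the equals sign. The Python below is an added example (not the page's SPL and not a Microsoft or Splunk API) that mirrors the same steps offline: the same regex over New_value, a single match key per event in place of a join, and a filter so that only changes to 0x6 (ignore) count. The event dictionaries, threat names and hostnames are constructed sample data, and the field names follow the ones used in the SPL (ID, EventCode, New_value, Computername, User, Category, Name).

```python
import re
from collections import defaultdict

# Mirror of the page's rex: the run of non-backslash characters immediately
# before " =" in the New_value registry path is the threat ID. This version
# also captures the hex value after "=" so the action can be checked.
NEW_VALUE_RE = re.compile(
    r"\\(?P<ThreatID>[^\\]+)\s=\s(?P<Value>0x[0-9a-fA-F]+)$"
)

# ThreatIDDefaultAction value the page identifies as "ignore".
IGNORE_ACTION = 0x6


def parse_new_value(new_value):
    """Return (threat_id, action) from a 5007 New_value string, or None."""
    m = NEW_VALUE_RE.search(new_value)
    if not m:
        return None
    return m.group("ThreatID"), int(m.group("Value"), 16)


def find_ignored_threats(events):
    """Correlate 1117 detections with 5007 ignore changes by threat ID.

    Like the SPL's coalesce + stats, every event is keyed on one match field
    (ID for 1117, ThreatID extracted from New_value for 5007); only keys that
    have both a detection and an ignore change are reported.
    """
    by_key = defaultdict(lambda: {"detections": [], "ignores": []})
    for ev in events:
        if ev["EventCode"] == 1117:
            by_key[ev["ID"]]["detections"].append(ev)
        elif ev["EventCode"] == 5007:
            parsed = parse_new_value(ev.get("New_value", ""))
            if parsed and parsed[1] == IGNORE_ACTION:
                by_key[parsed[0]]["ignores"].append(ev)

    results = []
    for threat_id, groups in by_key.items():
        if not (groups["detections"] and groups["ignores"]):
            continue
        det = groups["detections"][0]
        for ign in groups["ignores"]:
            results.append({
                "ThreatID": threat_id,
                "Name": det.get("Name"),
                "Category": det.get("Category"),
                "Computername": det.get("Computername"),
                "IgnoredBy": ign.get("User"),
            })
    return results


# Constructed sample events (hypothetical hosts, users and threat names).
BASE = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction"
SAMPLE_EVENTS = [
    # Detection that a user later set to ignore: should be reported.
    {"EventCode": 1117, "ID": "2147742972", "Computername": "WS01",
     "User": "SYSTEM", "Category": "Trojan", "Name": "Trojan:Win32/Sample.A"},
    {"EventCode": 5007, "Computername": "WS01", "User": "WS01\\alice",
     "New_value": BASE + r"\2147742972 = 0x6"},
    # Detection whose default action was changed to 0x2, not ignored: skipped.
    {"EventCode": 1117, "ID": "2147700001", "Computername": "WS02",
     "User": "SYSTEM", "Category": "PUA", "Name": "PUA:Win32/Sample.B"},
    {"EventCode": 5007, "Computername": "WS02", "User": "WS02\\bob",
     "New_value": BASE + r"\2147700001 = 0x2"},
    # Ignore change with no matching 1117 detection in the window: skipped.
    {"EventCode": 5007, "Computername": "WS03", "User": "WS03\\carol",
     "New_value": BASE + r"\2147700002 = 0x6"},
]


if __name__ == "__main__":
    for row in find_ignored_threats(SAMPLE_EVENTS):
        print(row)
```

The same filter can be added to the SPL by having the rex capture the value after the equals sign as well and keeping only rows where it equals `0x6`; without it, a change to quarantine or remove for a detected threat will surface alongside genuine ignores.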