Rob - can you post your OSSEC version of the log? I can check my rules. These are a collection of gleaned rules that I updated some time back with new event IDs. Yours is covered in there... but I would like to test it against a valid OSSEC log. So if you can post it from the OSSEC logs, that'd be great.
Here they are:
 <!-- Event IDs 1118/1119: a detection where the clean-up action did not succeed.
      Level 12 (high) because, per the description, malware is present and was
      not removed. Parent 720001 is not in this listing; it is presumably the
      rule that decodes the Microsoft Security Essentials event channel.
      NOTE(review): 720012 below also lists 1118 and 1119. OSSEC is expected to
      test this higher-level sibling first, so it should win for those IDs;
      confirm against a real OSSEC log. -->
 <rule id="720010" level="12">
  <if_sid>720001</if_sid>
  <id>^1118$|^1119$</id>
  <group>virus,</group>
  <description>Microsoft Security Essentials - Virus detected, but unable to remove.</description>
 </rule>
 <!-- Event ID 1117: a detection where the configured action was carried out.
      Level 7: the threat was handled, but the host did have malware on it, so
      it is still above the informational rules further down. 720042 (EICAR)
      and 720070 (frequency) chain from this rule. -->
 <rule id="720011" level="7">
  <if_sid>720001</if_sid>
  <id>^1117$</id>
  <group>virus,</group>
  <description>Microsoft Security Essentials - Virus detected and properly removed.</description>
 </rule>
 <!-- Catch-all for the detection IDs 1116-1119. 1116 is the only ID listed
      here that no other sibling claims: 1117 is also in 720011 and 1118/1119
      in 720010 (level 12). NOTE(review): in practice this rule is therefore
      likely to fire only for 1116 (detected, no action yet); narrowing <id>
      to ^1116$ would make that intent explicit. 720041 (EICAR) and 720071
      (frequency) chain from this rule, so they inherit the same overlap. -->
 <rule id="720012" level="7">
  <if_sid>720001</if_sid>
  <id>^1119$|^1118$|^1117$|^1116$</id>
  <group>virus,</group>
  <description>Microsoft Security Essentials - Virus detected.</description>
 </rule>
 <!-- Event ID 1015: suspicious activity reported by the product. Kept at the
      same level (7) as a confirmed detection and in the virus group so it is
      handled by the same downstream grouping. -->
 <rule id="720013" level="7">
  <if_sid>720001</if_sid>
  <id>^1015$</id>
  <group>virus,</group>
  <description>Microsoft Security Essentials - Suspicious activity detected.</description>
 </rule>
  <!-- Service conditions and errors -->
 <!-- Event ID 5007: antimalware platform configuration changed. Tagged
      policy_changed so it groups with other policy events.
      NOTE(review): level 3 keeps this out of default alerting. If this ID also
      covers exclusion-path changes on this platform (confirm against a real
      event), a higher level or a child rule matching on the exclusion text is
      worth considering, since added exclusions quietly reduce AV coverage. -->
 <rule id="720020" level="3">
  <if_sid>720001</if_sid>
  <id>^5007$</id>
  <description>Microsoft Security Essentials - Configuration changed.</description>
  <group>policy_changed,</group>
 </rule>
 <!-- Event ID 5008: the antimalware service itself failed. Level 9 because
      the host may be without protection until the service is running again.
      No <group> is set here; siblings 720010-720013 use "virus," and 720020
      "policy_changed," so a service-availability style group would be the
      natural addition if grouping is wanted. -->
 <rule id="720021" level="9">
  <if_sid>720001</if_sid>
  <id>^5008$</id>
  <description>Microsoft Security Essentials - Service failed.</description>
 </rule>
 <!-- Event ID 3002: real-time protection failed. Same level (9) as the
      service failure above; on-access scanning is not running while this
      condition persists. -->
 <rule id="720022" level="9">
  <if_sid>720001</if_sid>
  <id>^3002$</id>
  <description>Microsoft Security Essentials - Real time protection failed.</description>
 </rule>
 <!-- Event ID 2012: the Dynamic Signature Service could not be used.
      Level 8, one below the service/real-time failures: the product is still
      running, but on whatever signatures it already has. -->
 <rule id="720023" level="8">
  <if_sid>720001</if_sid>
  <id>^2012$</id>
  <description>Microsoft Security Essentials - Cannot use Dynamic Signature Service.</description>
 </rule>
 <!-- Event ID 2004: the new definition set failed to load and the last good
      set is in use. Level 8: protection continues, but on older signatures. -->
 <rule id="720024" level="8">
  <if_sid>720001</if_sid>
  <id>^2004$</id>
  <description>Microsoft Security Essentials - Loading definitions failed. Using last good set.</description>
 </rule>
 <!-- Event ID 2003: scan engine update failed. Level 8, like the other update
      failures (2001, 2004, 2012): a single failure is usually transient, but a
      host that keeps reporting it is drifting out of date. -->
 <rule id="720025" level="8">
  <if_sid>720001</if_sid>
  <id>^2003$</id>
  <description>Microsoft Security Essentials - Engine update failed.</description>
 </rule>
 <!-- Event ID 2001: definitions update failed. Level 8. The matching success
      event (2000) is rule 720050 at level 3, so a host that only ever produces
      this rule and never 720050 is the one to look at. -->
 <rule id="720026" level="8">
  <if_sid>720001</if_sid>
  <id>^2001$</id>
  <description>Microsoft Security Essentials - Definitions update failed.</description>
 </rule>
 <!-- Event ID 1005: a scan hit an error and stopped. Level 7, above the plain
      "stopped before completion" case (720028) because an error is involved. -->
 <rule id="720027" level="7">
  <if_sid>720001</if_sid>
  <id>^1005$</id>
  <description>Microsoft Security Essentials - Scan error. Scan has stopped.</description>
 </rule>
 <!-- Event ID 1002: a scan was stopped before it finished. Level 5, the lowest
      of the error rules, presumably because this can also be a user cancelling
      a scan (confirm against a real event). -->
 <rule id="720028" level="5">
  <if_sid>720001</if_sid>
  <id>^1002$</id>
  <description>Microsoft Security Essentials - Scan stopped before completion.</description>
 </rule>
 <!-- EICAR test file special case -->
 <!-- Child of 720012: when the threat name in the event is the EICAR test
      string, drop the level from 7 to 5 and force an e-mail, so a test run is
      visible to the operator without being treated as a real infection.
      <match> is a substring match on the event text, not a regex. -->
 <rule id="720041" level="5">
  <if_sid>720012</if_sid>
  <match>Virus:DOS/EICAR_Test_File</match>
  <options>alert_by_email</options>
  <description>Microsoft Security Essentials - EICAR test file detected.</description>
 </rule>
 <!-- Child of 720011: EICAR test file detected and removed. Level 3 (from the
      parent's 7) with e-mail forced, so the successful test is confirmed by
      mail but stays out of the normal alert stream. -->
 <rule id="720042" level="3">
  <if_sid>720011</if_sid>
  <match>Virus:DOS/EICAR_Test_File</match>
  <options>alert_by_email</options>
  <description>Microsoft Security Essentials - EICAR test file removed.</description>
 </rule>
 <!-- Child of 720010: EICAR test file detected but the removal failed.
      Level 8 (from the parent's 12): it is only a test file, but a failed
      removal still says something about the product on that host. -->
 <rule id="720043" level="8">
  <if_sid>720010</if_sid>
  <match>Virus:DOS/EICAR_Test_File</match>
  <options>alert_by_email</options>
  <description>Microsoft Security Essentials - EICAR test file detected, but removal failed.</description>
 </rule>
 <!-- Status messages -->
 <!-- Event ID 2000: signature database updated. Informational (level 3);
      the failure counterpart (2001) is rule 720026. -->
 <rule id="720050" level="3">
  <if_sid>720001</if_sid>
  <id>^2000$</id>
  <description>Microsoft Security Essentials - Signature database updated.</description>
 </rule>
 <!-- Event ID 2002: scan engine updated. Informational (level 3);
      the failure counterpart (2003) is rule 720025. -->
 <rule id="720051" level="3">
  <if_sid>720001</if_sid>
  <id>^2002$</id>
  <description>Microsoft Security Essentials - Scan engine updated.</description>
 </rule>
 <!-- Event IDs 1000/1001: scan started / scan finished. Informational
      (level 3); useful mainly to confirm scheduled scans are running. -->
 <rule id="720053" level="3">
  <if_sid>720001</if_sid>
  <id>^1000$|^1001$</id>
  <description>Microsoft Security Essentials - Scan started or stopped.</description>
 </rule>
 <!-- Event ID 1013: detection history cleared. Level 4, one above the other
      status messages, since clearing history removes the local record of
      earlier detections. -->
 <rule id="720054" level="4">
  <if_sid>720001</if_sid>
  <id>^1013$</id>
  <description>Microsoft Security Essentials - History cleared.</description>
 </rule>
 <!-- Time based alerts -->
 <rule id="720070" level="10" frequency="4" timeframe="240">
  <if_matched_sid>720011</if_matched_sid>
  <description>Multiple Microsoft Security Essentials AV warnings detected.</description>
 </rule>
 <rule id="720071" level="10" frequency="4" timeframe="240">
  <if_matched_sid>720012</if_matched_sid>
  <description>Multiple Microsoft Security Essentials AV warnings detected.</description>
 </rule>