Hej, thank you very much.
Thanks to you I could finally figure out how to get Option 1 working. In the end, this yaml config did the trick:
global:
    # section may be fully disabled
    enabled: yes
logwatch:
    enabled: yes
    sendall: no
    vista_api: yes
    logfile:
        - 'Microsoft-Windows-Windows Defender/Operational': warn nocontext
Enabling the global option seems to be optional.