Channel Reference
Reference for the Windows event log channels used in the 262COS Winlogbeat configuration. For each channel: what it captures, which event IDs are high-value, and common noise IDs to exclude.
To list all available event log channels on a Windows host:
Get-WinEvent -ListLog * | Where-Object { $_.RecordCount -gt 0 } | Select-Object LogName, RecordCount | Sort-Object RecordCount -Descending
Securityβ
Channel: Security
Purpose: Authentication, authorization, account management, object access, and privilege use. The single most important event log for detection.
262COS config: ignore_older: 168h, event_id: -4703
High-Value Event IDsβ
| EventID | Description | Detection Value |
|---|---|---|
| 4624 | Successful logon | Logon type analysis (3=network, 10=remote interactive) |
| 4625 | Failed logon | Brute-force, password spray detection |
| 4627 | Group membership info | Enriches 4624 with group context |
| 4648 | Logon with explicit credentials | runas, pass-the-hash, lateral movement indicator |
| 4662 | Operation on AD object | AD enumeration/modification |
| 4672 | Special privilege logon | Admin/SYSTEM-level account activity |
| 4688 | Process creation (if audited) | Requires audit policy; less detail than Sysmon EID 1 |
| 4697 | Service installed | Persistence via service installation |
| 4698 | Scheduled task created | Persistence indicator |
| 4699 | Scheduled task deleted | Defense evasion |
| 4700 | Scheduled task enabled | Persistence indicator |
| 4702 | Scheduled task modified | Persistence indicator |
| 4720 | User account created | Account creation/persistence |
| 4722 | User account enabled | Account manipulation |
| 4724 | Password reset attempt | Credential manipulation |
| 4725 | User account disabled | Account manipulation |
| 4726 | User account deleted | Possible cleanup/anti-forensics |
| 4728 | User added to global security group | Privilege escalation |
| 4732 | User added to local security group | Local admin group modification |
| 4740 | User account locked out | Brute-force indicator |
| 4756 | User added to universal security group | Privilege escalation |
| 4768 | Kerberos TGT requested | Initial Kerberos authentication |
| 4769 | Kerberos service ticket requested | Lateral movement; watch for RC4 encryption (etype 23) |
| 4771 | Kerberos pre-auth failed | Kerberos brute-force / AS-REP roasting |
| 4776 | NTLM credential validation | NTLM authentication (pass-the-hash indicator) |
| 4798 | User local group membership enumerated | AD/account enumeration |
| 4799 | Security-enabled local group enumerated | AD/account enumeration |
| 5140 | Network share accessed | Lateral movement, data access |
| 5145 | Network share object access check | File-level share access monitoring |
| 7045 | New service installed | Also in System log; persistence indicator |
Excluded IDsβ
| EventID | Reason for Exclusion |
|---|---|
| -4703 | Token right adjustment β extremely noisy on domain-joined hosts, minimal detection value |
Systemβ
Channel: System
Purpose: Windows OS events including service starts/stops, driver loads, hardware errors, and system state changes.
262COS config: ignore_older: 168h (no event ID filtering)
Notable Event IDsβ
| EventID | Description |
|---|---|
| 7034 | Service crashed unexpectedly |
| 7035 | Service sent a start/stop control |
| 7036 | Service entered running/stopped state |
| 7040 | Service start type changed |
| 7045 | New service installed (also in Security) |
| 6005 | Event log service started (system boot) |
| 6006 | Event log service stopped (clean shutdown) |
| 6008 | Previous system shutdown was unexpected (crash/power loss) |
Applicationβ
Channel: Application
Purpose: Application-level events from installed software. Useful for identifying crashes, errors, and abnormal application behavior.
262COS config: ignore_older: 168h (no filtering)
High-volume applications (e.g., SQL Server, IIS, .NET runtime) can generate significant Application log noise. If volume is excessive, add a provider filter to limit collection to specific sources relevant to the investigation.
Microsoft-Windows-Sysmon/Operationalβ
Channel: Microsoft-Windows-Sysmon/Operational
Purpose: Detailed process, network, file, registry, and other host activity events from the Sysmon driver. The primary detection data source for host analysis.
262COS config: ignore_older: 168h + JavaScript enrichment processor
See AID-001 - Sysmon Config Tuning for event type reference and tuning guidance.
Microsoft-Windows-PowerShell/Operationalβ
Channel: Microsoft-Windows-PowerShell/Operational
Purpose: PowerShell execution logging β script block content, module loads, and pipeline execution. Critical for detecting PS-based attacks and LOLBin abuse.
262COS config: ignore_older: 168h, event_id: -8193,-8194,-8195,-8196,-8197,-12039
High-Value Event IDsβ
| EventID | Description |
|---|---|
| 4103 | Module logging β records pipeline execution output |
| 4104 | Script block logging β records full PS script content (most valuable) |
| 4105 | Script block started |
| 4106 | Script block stopped |
Excluded IDsβ
| EventID | Reason |
|---|---|
| -8193 | Cmdlet invocation start/stop β very noisy, low value |
| -8194 | Alias not resolved β benign noise |
| -8195 | Method invocation |
| -8196 | Pipeline execution detail |
| -8197 | Pipeline execution context |
| -12039 | WinRM operation verbose log β covered by WinRM/Operational channel |
Script block logging (EID 4104) must be enabled via Group Policy or registry to generate events. Without it, this channel only produces execution metadata. Verify it is enabled: HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging β EnableScriptBlockLogging = 1.
Windows PowerShellβ
Channel: "Windows PowerShell"
Purpose: Legacy PowerShell v2 event log. Captures execution activity from older PS versions that bypass modern script block logging.
262COS config: ignore_older: 168h (no filtering)
Attackers may explicitly invoke powershell.exe -version 2 to downgrade to PS v2, bypassing AMSI and modern logging. This legacy channel captures that activity where the Operational channel would not.
Microsoft-Windows-Bits-Client/Operationalβ
Channel: Microsoft-Windows-Bits-Client/Operational
Purpose: Background Intelligent Transfer Service (BITS) activity. BITS is frequently abused for C2 communication and payload delivery.
262COS config: ignore_older: 168h, event_id: 3,4,59,60
Included Event IDsβ
| EventID | Description | Why |
|---|---|---|
| 3 | BITS job created | New transfer job initiated β common malware delivery method |
| 4 | BITS job modified | Job parameters changed |
| 59 | BITS job transfer completed | File successfully downloaded |
| 60 | BITS job error | Failed transfer attempt |
All other BITS events are excluded as operational noise.
Microsoft-Windows-Windows Defender/Operationalβ
Channel: "Microsoft-Windows-Windows Defender/Operational"
Purpose: Windows Defender detections, scan results, and real-time protection events.
262COS config: ignore_older: 168h (no filtering)
Notable Event IDsβ
| EventID | Description |
|---|---|
| 1116 | Malware detected |
| 1117 | Action taken on malware |
| 1118 | Action failed on malware |
| 1119 | Critical action on malware succeeded |
| 1120 | Critical action on malware failed |
| 5001 | Real-time protection disabled |
| 5007 | Configuration changed |
| 5010 | Scanning for malware disabled |
Microsoft-Windows-WinRM/Operationalβ
Channel: Microsoft-Windows-WinRM/Operational
Purpose: Windows Remote Management connection and session events. Key for tracking lateral movement via WinRM/PowerShell remoting.
262COS config: ignore_older: 168h, event_id: -254,-145,-132,-10
High-Value Event IDsβ
| EventID | Description |
|---|---|
| 6 | WSMan session created |
| 8 | WSMan shell create attempted |
| 15 | WSMan session closed |
| 16 | WSMan shell closed |
| 91 | WSMan session created (alt) |
| 168 | Authentication attempt |
Excluded IDsβ
| EventID | Reason |
|---|---|
| -10 | WSMan request received β fires constantly for every WinRM heartbeat/poll, extremely noisy |
| -132 | WSMan operation verbose β internal operation log |
| -145 | WSMan operation verbose β internal operation log |
| -254 | WSMan shell created internal trace β covered by higher-level events |
Microsoft-Windows-TaskScheduler/Operationalβ
Channel: Microsoft-Windows-TaskScheduler/Operational
Purpose: Scheduled task creation, modification, execution, and deletion. A top persistence and execution mechanism.
262COS config: ignore_older: 168h (no filtering)
Notable Event IDsβ
| EventID | Description |
|---|---|
| 106 | Task registered (created) |
| 140 | Task updated |
| 141 | Task deleted |
| 200 | Task action launched |
| 201 | Task action completed |
Microsoft-Windows-WMI-Activity/Operationalβ
Channel: Microsoft-Windows-WMI-Activity/Operational
Purpose: WMI query execution and event subscription activity. WMI is a common persistence, lateral movement, and execution mechanism.
262COS config: ignore_older: 168h, event_id: -5857,-5858
High-Value Event IDsβ
| EventID | Description |
|---|---|
| 5861 | WMI subscription created (persistence indicator) |
Excluded IDsβ
| EventID | Reason |
|---|---|
| -5857 | WMI activity provider start β fires on service startup, benign |
| -5858 | WMI query error from COM β benign errors from system processes querying WMI |
Remote Desktop / Terminal Services Channelsβ
Three channels cover RDP activity from different angles:
| Channel | Purpose |
|---|---|
Microsoft-Windows-TerminalServices-LocalSessionManager/Operational | Local RDP session creation, reconnection, and logoff |
Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational | Inbound RDP connection attempts and authentication |
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational | Low-level RDP connection and disconnection events |
262COS config: All three at ignore_older: 168h, no event ID filtering.
Notable Event IDs (LocalSessionManager)β
| EventID | Description |
|---|---|
| 21 | Session logon succeeded |
| 22 | Shell start notification |
| 23 | Session logoff |
| 24 | Session disconnected |
| 25 | Session reconnected |
| 40 | Session disconnected β includes reason code |
ForwardedEventsβ
Channel: ForwardedEvents
Purpose: Collects events forwarded from remote hosts via Windows Event Forwarding (WEF). Relevant in environments where a central Windows collector aggregates events from multiple hosts before they reach Winlogbeat.
262COS config: ignore_older: 168h, tags: [forwarded]
The forwarded tag prevents add_host_metadata from overwriting the originating host's identity with the collector's metadata.
- name: ForwardedEvents
ignore_older: 168h
tags: [forwarded]
processors:
- script:
when.equals.winlog.channel: Security
lang: javascript
id: security
file: ${path.home}/module/security/config/winlogbeat-security.js
- script:
when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
lang: javascript
id: sysmon
file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
The conditional processors apply the appropriate enrichment module based on which channel the forwarded event originated from.