Skip to main content

Channel Reference


Reference for the Windows event log channels used in the 262COS Winlogbeat configuration. For each channel: what it captures, which event IDs are high-value, and common noise IDs to exclude.

Discovering Available Channels

To list all available event log channels on a Windows host:

Get-WinEvent -ListLog * | Where-Object { $_.RecordCount -gt 0 } | Select-Object LogName, RecordCount | Sort-Object RecordCount -Descending

Security​

Channel: Security Purpose: Authentication, authorization, account management, object access, and privilege use. The single most important event log for detection.

262COS config: ignore_older: 168h, event_id: -4703

High-Value Event IDs​

EventIDDescriptionDetection Value
4624Successful logonLogon type analysis (3=network, 10=remote interactive)
4625Failed logonBrute-force, password spray detection
4627Group membership infoEnriches 4624 with group context
4648Logon with explicit credentialsrunas, pass-the-hash, lateral movement indicator
4662Operation on AD objectAD enumeration/modification
4672Special privilege logonAdmin/SYSTEM-level account activity
4688Process creation (if audited)Requires audit policy; less detail than Sysmon EID 1
4697Service installedPersistence via service installation
4698Scheduled task createdPersistence indicator
4699Scheduled task deletedDefense evasion
4700Scheduled task enabledPersistence indicator
4702Scheduled task modifiedPersistence indicator
4720User account createdAccount creation/persistence
4722User account enabledAccount manipulation
4724Password reset attemptCredential manipulation
4725User account disabledAccount manipulation
4726User account deletedPossible cleanup/anti-forensics
4728User added to global security groupPrivilege escalation
4732User added to local security groupLocal admin group modification
4740User account locked outBrute-force indicator
4756User added to universal security groupPrivilege escalation
4768Kerberos TGT requestedInitial Kerberos authentication
4769Kerberos service ticket requestedLateral movement; watch for RC4 encryption (etype 23)
4771Kerberos pre-auth failedKerberos brute-force / AS-REP roasting
4776NTLM credential validationNTLM authentication (pass-the-hash indicator)
4798User local group membership enumeratedAD/account enumeration
4799Security-enabled local group enumeratedAD/account enumeration
5140Network share accessedLateral movement, data access
5145Network share object access checkFile-level share access monitoring
7045New service installedAlso in System log; persistence indicator

Excluded IDs​

EventIDReason for Exclusion
-4703Token right adjustment β€” extremely noisy on domain-joined hosts, minimal detection value

System​

Channel: System Purpose: Windows OS events including service starts/stops, driver loads, hardware errors, and system state changes.

262COS config: ignore_older: 168h (no event ID filtering)

Notable Event IDs​

EventIDDescription
7034Service crashed unexpectedly
7035Service sent a start/stop control
7036Service entered running/stopped state
7040Service start type changed
7045New service installed (also in Security)
6005Event log service started (system boot)
6006Event log service stopped (clean shutdown)
6008Previous system shutdown was unexpected (crash/power loss)

Application​

Channel: Application Purpose: Application-level events from installed software. Useful for identifying crashes, errors, and abnormal application behavior.

262COS config: ignore_older: 168h (no filtering)

Reducing Application Noise

High-volume applications (e.g., SQL Server, IIS, .NET runtime) can generate significant Application log noise. If volume is excessive, add a provider filter to limit collection to specific sources relevant to the investigation.


Microsoft-Windows-Sysmon/Operational​

Channel: Microsoft-Windows-Sysmon/Operational Purpose: Detailed process, network, file, registry, and other host activity events from the Sysmon driver. The primary detection data source for host analysis.

262COS config: ignore_older: 168h + JavaScript enrichment processor

See AID-001 - Sysmon Config Tuning for event type reference and tuning guidance.


Microsoft-Windows-PowerShell/Operational​

Channel: Microsoft-Windows-PowerShell/Operational Purpose: PowerShell execution logging β€” script block content, module loads, and pipeline execution. Critical for detecting PS-based attacks and LOLBin abuse.

262COS config: ignore_older: 168h, event_id: -8193,-8194,-8195,-8196,-8197,-12039

High-Value Event IDs​

EventIDDescription
4103Module logging β€” records pipeline execution output
4104Script block logging β€” records full PS script content (most valuable)
4105Script block started
4106Script block stopped

Excluded IDs​

EventIDReason
-8193Cmdlet invocation start/stop β€” very noisy, low value
-8194Alias not resolved β€” benign noise
-8195Method invocation
-8196Pipeline execution detail
-8197Pipeline execution context
-12039WinRM operation verbose log β€” covered by WinRM/Operational channel
Enable Script Block Logging

Script block logging (EID 4104) must be enabled via Group Policy or registry to generate events. Without it, this channel only produces execution metadata. Verify it is enabled: HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging β†’ EnableScriptBlockLogging = 1.


Windows PowerShell​

Channel: "Windows PowerShell" Purpose: Legacy PowerShell v2 event log. Captures execution activity from older PS versions that bypass modern script block logging.

262COS config: ignore_older: 168h (no filtering)

PS v2 Downgrade Attacks

Attackers may explicitly invoke powershell.exe -version 2 to downgrade to PS v2, bypassing AMSI and modern logging. This legacy channel captures that activity where the Operational channel would not.


Microsoft-Windows-Bits-Client/Operational​

Channel: Microsoft-Windows-Bits-Client/Operational Purpose: Background Intelligent Transfer Service (BITS) activity. BITS is frequently abused for C2 communication and payload delivery.

262COS config: ignore_older: 168h, event_id: 3,4,59,60

Included Event IDs​

EventIDDescriptionWhy
3BITS job createdNew transfer job initiated β€” common malware delivery method
4BITS job modifiedJob parameters changed
59BITS job transfer completedFile successfully downloaded
60BITS job errorFailed transfer attempt

All other BITS events are excluded as operational noise.


Microsoft-Windows-Windows Defender/Operational​

Channel: "Microsoft-Windows-Windows Defender/Operational" Purpose: Windows Defender detections, scan results, and real-time protection events.

262COS config: ignore_older: 168h (no filtering)

Notable Event IDs​

EventIDDescription
1116Malware detected
1117Action taken on malware
1118Action failed on malware
1119Critical action on malware succeeded
1120Critical action on malware failed
5001Real-time protection disabled
5007Configuration changed
5010Scanning for malware disabled

Microsoft-Windows-WinRM/Operational​

Channel: Microsoft-Windows-WinRM/Operational Purpose: Windows Remote Management connection and session events. Key for tracking lateral movement via WinRM/PowerShell remoting.

262COS config: ignore_older: 168h, event_id: -254,-145,-132,-10

High-Value Event IDs​

EventIDDescription
6WSMan session created
8WSMan shell create attempted
15WSMan session closed
16WSMan shell closed
91WSMan session created (alt)
168Authentication attempt

Excluded IDs​

EventIDReason
-10WSMan request received β€” fires constantly for every WinRM heartbeat/poll, extremely noisy
-132WSMan operation verbose β€” internal operation log
-145WSMan operation verbose β€” internal operation log
-254WSMan shell created internal trace β€” covered by higher-level events

Microsoft-Windows-TaskScheduler/Operational​

Channel: Microsoft-Windows-TaskScheduler/Operational Purpose: Scheduled task creation, modification, execution, and deletion. A top persistence and execution mechanism.

262COS config: ignore_older: 168h (no filtering)

Notable Event IDs​

EventIDDescription
106Task registered (created)
140Task updated
141Task deleted
200Task action launched
201Task action completed

Microsoft-Windows-WMI-Activity/Operational​

Channel: Microsoft-Windows-WMI-Activity/Operational Purpose: WMI query execution and event subscription activity. WMI is a common persistence, lateral movement, and execution mechanism.

262COS config: ignore_older: 168h, event_id: -5857,-5858

High-Value Event IDs​

EventIDDescription
5861WMI subscription created (persistence indicator)

Excluded IDs​

EventIDReason
-5857WMI activity provider start β€” fires on service startup, benign
-5858WMI query error from COM β€” benign errors from system processes querying WMI

Remote Desktop / Terminal Services Channels​

Three channels cover RDP activity from different angles:

ChannelPurpose
Microsoft-Windows-TerminalServices-LocalSessionManager/OperationalLocal RDP session creation, reconnection, and logoff
Microsoft-Windows-TerminalServices-RemoteConnectionManager/OperationalInbound RDP connection attempts and authentication
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/OperationalLow-level RDP connection and disconnection events

262COS config: All three at ignore_older: 168h, no event ID filtering.

Notable Event IDs (LocalSessionManager)​

EventIDDescription
21Session logon succeeded
22Shell start notification
23Session logoff
24Session disconnected
25Session reconnected
40Session disconnected β€” includes reason code

ForwardedEvents​

Channel: ForwardedEvents Purpose: Collects events forwarded from remote hosts via Windows Event Forwarding (WEF). Relevant in environments where a central Windows collector aggregates events from multiple hosts before they reach Winlogbeat.

262COS config: ignore_older: 168h, tags: [forwarded]

The forwarded tag prevents add_host_metadata from overwriting the originating host's identity with the collector's metadata.

- name: ForwardedEvents
ignore_older: 168h
tags: [forwarded]
processors:
- script:
when.equals.winlog.channel: Security
lang: javascript
id: security
file: ${path.home}/module/security/config/winlogbeat-security.js
- script:
when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
lang: javascript
id: sysmon
file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

The conditional processors apply the appropriate enrichment module based on which channel the forwarded event originated from.