Supported Log Types
Log types that can be processed and sent to your security platform
Windows Event Log
| Log type | Status | Supported Event IDs | Event channel |
|---|---|---|---|
| Sysmon | Supported | All event IDs are processed. Extended field mapping for 23 event shapes (schemas). | Microsoft-Windows-Sysmon/Operational |
| Windows Security | Supported | All event IDs are processed. Extended field mapping for 105 event shapes (schemas). | Security |
| Windows System | Supported | All event IDs are processed. Extended field mapping for 73 event shapes (schemas). | System |
| Windows Application | Supported | All event IDs are processed. Extended field mapping for 129 event shapes (schemas). | Application |
| Windows Defender | Supported | All event IDs are processed. Extended field mapping for 8 event shapes (schemas). | Channels whose path contains Defender (e.g. Microsoft-Windows-Windows Defender/Operational) |
| PowerShell | Supported | All event IDs are processed. Extended field mapping for 11 event shapes (schemas). | Channels whose path contains PowerShell (e.g. Microsoft-Windows-PowerShell/Operational) |
| Windows BITS | Supported | All event IDs are processed. Extended field mapping for 0 event shapes (schemas). | Microsoft-Windows-Bits-Client/Operational (EVTX may use Microsoft-Windows-Bits-Client-Operational). Key EIDs: 3, 16403, 59, 4. |
| Windows Other | Supported | All event IDs are processed. Extended field mapping for 96 event shapes (schemas). | Any other Windows event channel (classified when no rule above matches) |
See Supported Destinations for where logs can be sent, and How It Works for the processing flow.