Windows Security Event Log
The Security channel of Windows Event Log — logon/logoff sessions, process creation, privilege escalation, account management, and audit policy changes from a 120-host Active Directory fleet.
Quick Start
```bash
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/windows-security/generator.yml \
  --id winlog \
  --live-mode true
```
Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| 4688 | Process Creation | ~25% | process |
| 4689 | Process Termination | ~25% | process |
| 4624 | Successful Logon | ~15% | authentication |
| 4634 | Logoff | ~14% | authentication |
| 4672 | Special Privileges Assigned | ~10% | iam |
| 4625 | Failed Logon | ~5% | authentication |
| 4648 | Explicit Credential Logon | ~3% | authentication |
| 4697 | Service Installed | rare | iam, configuration |
| 4720 | User Account Created | rare | iam |
| 4726 | User Account Deleted | rare | iam |
| 4732 | Member Added to Local Group | rare | iam |
| 1102 | Audit Log Cleared | rare | iam |
Realism Features
- Weighted event distribution matching production Windows Server / Domain Controller traffic
- Correlated sessions — logon (4624) creates sessions consumed by logoff (4634)
- Correlated processes — creation (4688) tracked through termination (4689)
- Realistic logon types — Network (55%), Service (20%), RDP (8%), Interactive (5%)
- 120-host fleet — each event is attributed to a random host from a pool of domain controllers, servers, and workstations
- Per-host record IDs — sequential winlog.record_id scoped per hostname
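To show what a consumer of this stream can verify about the correlation features listed above (logon/logoff session pairing, per-host sequential record IDs) and the rare 1102 event, here is an added Python example; it is not the content pack's own code. It assumes events arrive as NDJSON in the Sample Output shape, that `host.name` carries the hostname the event is attributed to, and that 4624 and 4634 share `winlog.event_data.TargetLogonId` so a logoff can be paired with its logon; those two fields are not shown on this page and are assumptions.

```python
"""Stream-level checks for the correlation features of the windows-security pack.

Added example, not the pack's code. Field assumptions (not shown on this page):
host.name holds the hostname, and 4624/4634 carry winlog.event_data.TargetLogonId
so a logoff can be paired with the logon that opened the session.
"""
import json
from collections import defaultdict


def field(event, path, default=None):
    """Walk a dotted path through nested dicts, e.g. field(ev, "winlog.record_id")."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def parse_ndjson(text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def pair_sessions(events):
    """Pair 4624 logons with 4634 logoffs by (host, TargetLogonId).

    Returns (closed, still_open): closed maps the pair key to
    (logon record_id, logoff record_id); still_open lists keys never logged off.
    """
    open_sessions, closed = {}, {}
    for ev in events:
        code = field(ev, "event.code")
        key = (field(ev, "host.name"), field(ev, "winlog.event_data.TargetLogonId"))
        rec = field(ev, "winlog.record_id")
        if code == "4624":
            open_sessions[key] = rec
        elif code == "4634" and key in open_sessions:
            closed[key] = (open_sessions.pop(key), rec)
    return closed, sorted(open_sessions)


def record_id_gaps(events):
    """Per host, list (previous, current) record_id pairs that are not consecutive."""
    last_seen, gaps = {}, defaultdict(list)
    for ev in events:
        host = field(ev, "host.name")
        rec = int(field(ev, "winlog.record_id"))
        if host in last_seen and rec != last_seen[host] + 1:
            gaps[host].append((last_seen[host], rec))
        last_seen[host] = rec
    return dict(gaps)


def audit_log_cleared(events):
    """(host, user) for every 1102 Audit Log Cleared event in the stream."""
    return [(field(ev, "host.name"), field(ev, "user.name"))
            for ev in events if field(ev, "event.code") == "1102"]


# Constructed NDJSON sample (not generator output): one session that closes on
# dc01, one on ws042 that never closes, a record_id gap on ws042, and a 1102.
SAMPLE_NDJSON = "\n".join([
    '{"event":{"code":"4624"},"host":{"name":"dc01"},"user":{"name":"jsmith"},"winlog":{"record_id":"1","event_data":{"TargetLogonId":"0x3e7a1"}}}',
    '{"event":{"code":"4688"},"host":{"name":"dc01"},"user":{"name":"jsmith"},"winlog":{"record_id":"2","event_data":{}}}',
    '{"event":{"code":"4624"},"host":{"name":"ws042"},"user":{"name":"adoe"},"winlog":{"record_id":"1","event_data":{"TargetLogonId":"0x51c20"}}}',
    '{"event":{"code":"4634"},"host":{"name":"dc01"},"user":{"name":"jsmith"},"winlog":{"record_id":"3","event_data":{"TargetLogonId":"0x3e7a1"}}}',
    '{"event":{"code":"1102"},"host":{"name":"ws042"},"user":{"name":"adoe"},"winlog":{"record_id":"5","event_data":{}}}',
])

if __name__ == "__main__":
    events = parse_ndjson(SAMPLE_NDJSON)
    closed, still_open = pair_sessions(events)
    print("closed sessions:", closed)
    print("sessions without logoff:", still_open)
    print("record_id gaps per host:", record_id_gaps(events))
    print("audit log cleared:", audit_log_cleared(events))
```

Run against a live `eventum generate` output by piping the NDJSON into `parse_ndjson`; a dangling session is expected while the generator is still running, but a record_id gap on a host or a 1102 is what a detection pipeline fed by this pack should surface.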
Sample Output
```json
{
  "@timestamp": "2026-02-21T12:00:01.234567+00:00",
  "event": {
    "action": "logged-in",
    "category": ["authentication"],
    "code": "4624",
    "kind": "event",
    "outcome": "success"
  },
  "user": {
    "domain": "CONTOSO",
    "id": "S-1-5-21-3457937927-2839227994-823803824-1234",
    "name": "jsmith"
  },
  "source": {
    "ip": "192.168.0.42",
    "port": 52431
  },
  "winlog": {
    "channel": "Security",
    "event_data": {
      "AuthenticationPackageName": "NTLM",
      "LogonType": "3",
      "TargetUserName": "jsmith"
    },
    "event_id": "4624",
    "keywords": ["Audit Success"],
    "logon": { "type": "Network" },
    "record_id": "1"
  }
}
```
Parameters
| Parameter | Default | Description |
|---|---|---|
| domain | CONTOSO | Active Directory domain (NetBIOS name) |
| fqdn_suffix | contoso.local | FQDN suffix appended to hostname |
| domain_sid | S-1-5-21-3457937927-... | Domain SID prefix for user SIDs |
| agent_version | 8.17.0 | Winlogbeat version string |
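The sample record and the parameter table together fix several invariants a record from this pack should satisfy: `event.code` equals `winlog.event_id`, the `Audit Success`/`Audit Failure` keyword agrees with `event.outcome`, the numeric `LogonType` agrees with `winlog.logon.type`, and `user.domain` and the `user.id` SID prefix agree with the `domain` and `domain_sid` parameters. The following added Python example (not the content pack's code) checks those invariants per record before a stream is wired into a SIEM. The LogonType number to name mapping is an assumption based on the standard Windows numbering, and the SID prefix is taken from the sample record above; the second record is constructed with deliberate defects.

```python
"""Per-record consistency checks for events in the Sample Output shape.

Added example, not the pack's code. The LogonType-number to winlog.logon.type
mapping is an assumption (standard Windows numbering); the SID prefix is the
one in the page's sample record.
"""
import json

# Assumed mapping of LogonType numbers to the names winlog.logon.type uses;
# 10 (RemoteInteractive) is the type the Realism Features list calls RDP.
LOGON_TYPE_NAMES = {"2": "Interactive", "3": "Network", "5": "Service", "10": "RemoteInteractive"}

# Domain SID prefix taken from the sample record's user.id.
DOMAIN_SID_PREFIX = "S-1-5-21-3457937927-2839227994-823803824"

# The page's sample 4624 record, trimmed to the fields the checks use.
GOOD_RECORD = json.loads("""{
  "event": {"action": "logged-in", "category": ["authentication"], "code": "4624",
            "kind": "event", "outcome": "success"},
  "user": {"domain": "CONTOSO", "id": "S-1-5-21-3457937927-2839227994-823803824-1234", "name": "jsmith"},
  "winlog": {"channel": "Security",
             "event_data": {"AuthenticationPackageName": "NTLM", "LogonType": "3", "TargetUserName": "jsmith"},
             "event_id": "4624", "keywords": ["Audit Success"], "logon": {"type": "Network"}, "record_id": "1"}
}""")

# Constructed record with three deliberate defects: winlog.event_id disagrees
# with event.code, the keyword does not match the outcome, and the logon type
# name does not match the LogonType number.
BAD_RECORD = json.loads("""{
  "event": {"code": "4625", "outcome": "failure"},
  "user": {"domain": "CONTOSO", "id": "S-1-5-21-3457937927-2839227994-823803824-1234", "name": "jsmith"},
  "winlog": {"channel": "Security",
             "event_data": {"LogonType": "10", "TargetUserName": "jsmith"},
             "event_id": "4624", "keywords": ["Audit Success"], "logon": {"type": "Network"}, "record_id": "2"}
}""")


def check_record(rec, domain="CONTOSO", sid_prefix=DOMAIN_SID_PREFIX):
    """Return the list of inconsistencies found in one record (empty list = passes)."""
    problems = []
    event, user, winlog = rec.get("event", {}), rec.get("user", {}), rec.get("winlog", {})
    data = winlog.get("event_data", {})

    if event.get("code") != winlog.get("event_id"):
        problems.append("event.code and winlog.event_id disagree")
    if winlog.get("channel") != "Security":
        problems.append("winlog.channel is not Security")

    expected_kw = {"success": "Audit Success", "failure": "Audit Failure"}.get(event.get("outcome"))
    if expected_kw and expected_kw not in winlog.get("keywords", []):
        problems.append(f"outcome {event.get('outcome')} without keyword {expected_kw!r}")

    logon_type = data.get("LogonType")
    if logon_type is not None:
        if LOGON_TYPE_NAMES.get(logon_type) != winlog.get("logon", {}).get("type"):
            problems.append(f"LogonType {logon_type} does not match winlog.logon.type")

    if user.get("domain") != domain:
        problems.append("user.domain is not the configured domain")
    if not str(user.get("id", "")).startswith(sid_prefix + "-"):
        problems.append("user.id is not under the configured domain SID")
    if "TargetUserName" in data and data["TargetUserName"] != user.get("name"):
        problems.append("TargetUserName and user.name disagree")
    return problems


def check_stream(records):
    """Map record_id -> problems for every record that fails at least one check."""
    failures = {}
    for rec in records:
        problems = check_record(rec)
        if problems:
            failures[rec["winlog"]["record_id"]] = problems
    return failures


if __name__ == "__main__":
    for record_id, problems in check_stream([GOOD_RECORD, BAD_RECORD]).items():
        print(f"record {record_id}:")
        for p in problems:
            print("  -", p)
```

If the pack is run with non-default `domain` or `domain_sid` parameters, pass the same values to `check_record` so the domain and SID checks follow the configuration rather than the sample.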
Related Generators
Windows PowerShell
PowerShell classic and operational channels — engine lifecycle, script block logging, module invocations, pipeline execution, and provider starts. Includes obfuscated command detection and suspicious script patterns.
Windows Sysmon
Sysmon (System Monitor) operational channel — process creation with full command lines, network connections, file creates, registry modifications, DNS queries, and WMI events. SwiftOnSecurity-style tuning.
Linux Auditd
Linux audit framework (auditd) — syscall tracing (execve, openat, connect), PAM authentication, credential changes, user login/logout, sudo privilege escalation, and systemd service management.