Windows • Updated Feb 15, 2026
Windows Event Logs Quick Map
A compact map of high-signal Windows logs for hunting and triage.
Authentication
- 4624 Successful logon
- 4625 Failed logon
- 4648 Logon with explicit credentials
Process creation
- 4688 Process creation (requires the process-creation audit policy to be enabled)
- 1 Sysmon Process Create
PowerShell
- 4104 Script block logging
Network
- 3 Sysmon Network Connection