
Event catalog update: 17 March 2026

There have been many enhancements. I'll start with the most visible changes. There is now a References page with information gleaned from Windows for access rights to a variety of objects, privilege constants, Sigma rules mapped to Windows events, and more.

If an event is referenced by a Sigma rule, the rule's description and a link to it in the SigmaHQ repo will be shown on the event page. By default only five rules are shown, with a dropdown button to show more. There is a limit of 50 rules in total, which doesn't impact many events. There are a few standouts like Sysmon Event ID 1, which has 1167 rules. You can see all of them on the Sigma Rule References page. I might be a bit boring, but I've caught myself a few times opening the page, scrolling to a random event and starting to read.

Related Events have been added to event pages. This will show you events with notable relationships to the one you're seeing. For example, Security-Auditing Event ID 4720: A user account was created has this...

  • Success/failure pair: Microsoft-Windows-Security-Auditing Event ID 4726: A user account was deleted. — User account created / deleted (source: Microsoft Learn)
  • Often seen in sequence with: Microsoft-Windows-Security-Auditing Event ID 4722: A user account was enabled. — User account created, then enabled (source: Microsoft Learn)
  • Co-occurs in Sigma rules with: Microsoft-Windows-Security-Auditing Event ID 4781: The name of an account was changed. (source: Sigma rule)

This is exceptionally useful for learning the context of a given event. I've started with documenting the relationships shown in existing Microsoft Learn documentation and Sigma rules. I hope to steadily grow coverage for more events using community contributions.

If the event is enabled via Audit Policy, the audit category and subcategory will be shown above the Description field with a Learn link.

If an event sample is available, it'll have JSON syntax highlighting, with the colour scheme for each theme chosen according to accessibility guidelines. Unfortunately, I neglected to retain the original .evtx files from my lab that I processed into JSON. However, I have a nearly complete script for converting the event sample to XML, which can subsequently be converted to evtx using JPCERT/CC's excellent xml2evtx tool. This may later be used for re-ingestion into a SIEM to test your detections.

More than 2300 events have been added, nearly 4500 events gained real sample data across 170+ providers, and even more have been enriched with data from Windows internals, Learn, and community sources:

  • Enum/constant resolution for fields like Status, AccessMask, TicketOptions, and UAC flags, resolving raw numeric values to human-readable labels using PDB debug symbols, SDK headers, and message tables from msobjs.dll
  • Descriptions from ETW message templates for 62k+ events
  • Task/opcode metadata extracted from manifests across 44k+ events
  • Field descriptions parsed from adtschema message templates (3k+ fields) and Learn
  • Collection priority recommendations from several sources: Microsoft Defender, Yamato-Security, and others
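The enum/constant resolution described above, shown for the hex "UAC Value" field that Security-Auditing events such as 4720 and 4738 carry. This is an added example, not the catalog's own resolver; it uses the SAM USER_* account control flag values from ntsam.h, and the sample values (0x15 for a freshly created account, an Old/New pair for a change) are constructed. It goes one step further than a plain lookup by diffing an Old/New pair and surfacing flags that weaken the account's security posture.

```python
"""Resolve the raw hex "UAC Value" field from Security-Auditing events (4720, 4738)
into flag names, then diff an Old/New pair. Flag values are the SAM USER_* constants
from ntsam.h (the "New UAC Value" field uses these, not the LDAP userAccountControl bits)."""
from typing import Dict, List

# Subset of the SAM USER_* account control flags (ntsam.h).
UAC_FLAGS: Dict[int, str] = {
    0x00000001: "USER_ACCOUNT_DISABLED",
    0x00000002: "USER_HOME_DIRECTORY_REQUIRED",
    0x00000004: "USER_PASSWORD_NOT_REQUIRED",
    0x00000008: "USER_TEMP_DUPLICATE_ACCOUNT",
    0x00000010: "USER_NORMAL_ACCOUNT",
    0x00000020: "USER_MNS_LOGON_ACCOUNT",
    0x00000040: "USER_INTERDOMAIN_TRUST_ACCOUNT",
    0x00000080: "USER_WORKSTATION_TRUST_ACCOUNT",
    0x00000100: "USER_SERVER_TRUST_ACCOUNT",
    0x00000200: "USER_DONT_EXPIRE_PASSWORD",
    0x00000400: "USER_ACCOUNT_AUTO_LOCKED",
    0x00000800: "USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x00001000: "USER_SMARTCARD_REQUIRED",
    0x00002000: "USER_TRUSTED_FOR_DELEGATION",
    0x00004000: "USER_NOT_DELEGATED",
    0x00008000: "USER_USE_DES_KEY_ONLY",
    0x00010000: "USER_DONT_REQUIRE_PREAUTH",
    0x00020000: "USER_PASSWORD_EXPIRED",
    0x00040000: "USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
}

# Flags worth surfacing when they get set on a created or changed account (my choice, not a Microsoft list).
WEAKENING_FLAGS = {"USER_PASSWORD_NOT_REQUIRED", "USER_DONT_REQUIRE_PREAUTH",
                   "USER_USE_DES_KEY_ONLY", "USER_DONT_EXPIRE_PASSWORD"}

def decode_uac(raw: str) -> List[str]:
    """Turn a field value such as "0x15" into flag names; bits not in the table are kept as hex."""
    value = int(raw, 16)
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    leftover = value & ~sum(UAC_FLAGS)  # bits the table does not cover
    if leftover:
        names.append(f"UNKNOWN_{leftover:#x}")
    return names

def uac_change(old_raw: str, new_raw: str) -> Dict[str, List[str]]:
    """For an Old/New UAC Value pair, list flags set and cleared, plus any weakening flags set."""
    old, new = set(decode_uac(old_raw)), set(decode_uac(new_raw))
    return {"set": sorted(new - old), "cleared": sorted(old - new),
            "weakening_set": sorted((new - old) & WEAKENING_FLAGS)}

if __name__ == "__main__":
    # Constructed 4720 sample: Old UAC Value 0x0, New UAC Value 0x15
    print(decode_uac("0x15"))
    # Constructed 4738 sample: account enabled and pre-authentication switched off in one change
    print(uac_change("0x15", "0x10014"))
```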

Thanks for reading! You can send me feedback at sonny@detection.wiki.