title: Conversion of Generic Windows Service to Channel and EventID order: 15 logsources: ps_module: category: ps_module product: windows conditions: EventID: 4103 rewrite: product: windows service: powershell ps_script: category: ps_script product: windows conditions: EventID: 4104 rewrite: product: windows service: powershell # for the "classic" channel ps_classic_start: category: ps_classic_start product: windows conditions: EventID: 400 rewrite: product: windows service: powershell-classic ps_classic_provider_start: category: ps_classic_provider_start product: windows conditions: EventID: 600 rewrite: product: windows service: powershell-classic ps_classic_script: category: ps_classic_script product: windows conditions: EventID: 800 rewrite: product: windows service: powershell-classic windows-application: product: windows service: application conditions: Channel: Application windows-security: product: windows service: security conditions: Channel: Security windows-system: product: windows service: system conditions: Channel: System windows-sysmon: product: windows service: sysmon conditions: Channel: 'Microsoft-Windows-Sysmon/Operational' windows-powershell: product: windows service: powershell conditions: Channel: 'Microsoft-Windows-PowerShell/Operational' windows-classicpowershell: product: windows service: powershell-classic conditions: Channel: 'Windows PowerShell' windows-dns-server: product: windows service: dns-server conditions: Channel: 'DNS Server' windows-driver-framework: product: windows service: driver-framework conditions: Channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' windows-dhcp: product: windows service: dhcp conditions: Channel: 'Microsoft-Windows-DHCP-Server/Operational' windows-ntlm: product: windows service: ntlm conditions: Channel: 'Microsoft-Windows-NTLM/Operational' windows-defender: product: windows service: windefend conditions: Channel: 'Microsoft-Windows-Windows Defender/Operational' windows-printservice-admin: product: windows service: printservice-admin conditions: Channel: 'Microsoft-Windows-PrintService/Admin' windows-printservice-operational: product: windows service: printservice-operational conditions: Channel: 'Microsoft-Windows-PrintService/Operational' windows-smbclient-security: product: windows service: smbclient-security conditions: Channel: 'Microsoft-Windows-SmbClient/Security' windows-applocker: product: windows service: applocker conditions: Channel: - 'Microsoft-Windows-AppLocker/MSI and Script' - 'Microsoft-Windows-AppLocker/EXE and DLL' - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - 'Microsoft-Windows-AppLocker/Packaged app-Execution' windows-msexchange-management: product: windows service: msexchange-management conditions: Channel: 'MSExchange Management' windows-servicebus-client: product: windows service: microsoft-servicebus-client conditions: Channel: 'Microsoft-ServiceBus-Client' windows-ladp-client-debug: product: windows service: ldap_debug conditions: Channel: 'Microsoft-Windows-LDAP-Client/Debug' windows-taskscheduler-operational: product: windows service: taskscheduler conditions: Channel: 'Microsoft-Windows-TaskScheduler/Operational' windows-wmi-activity-Operational: product: windows service: wmi conditions: Channel: 'Microsoft-Windows-WMI-Activity/Operational' windows-codeintegrity-operational: product: windows service: codeintegrity-operational conditions: Channel: 'Microsoft-Windows-CodeIntegrity/Operational' windows-firewall-advanced-security: product: windows service: firewall-as conditions: Channel: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' windows-bits-client: product: windows service: bits-client conditions: Channel: 'WinEventlog:Microsoft-Windows-Bits-Client/Operational'