EventLog

6 events across 1 channel

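| Event | Title | Channel | Sample |
| --- | --- | --- | --- |
| 6005 | Event ID 6005 | System | Y |
| 6006 | Event ID 6006 | System | Y |
| 6008 | Event ID 6008 | System | Y |
| 6009 | Event ID 6009 | System | Y |
| 6011 | Event ID 6011 | System | Y |
| 6013 | Event ID 6013 | System | Y |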

Event ID 6005

Provider
EventLog
Channel
System
Level
Informational

Fields #

Name | Description
Data_0
Binary

Example Event #

{
  "system": {
    "provider": "EventLog",
    "guid": "",
    "event_source_name": "",
    "event_id": 6005,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-29T16:32:53.9173149+00:00",
    "event_record_id": 6671,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {},
  "message": "The Event log service was started."
}

Community Notes #

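Indicates system boot (the Event Log service was started), and is a reliable anchor for establishing a timeline. In the samples on this page, 6008, 6009 and 6005 from the same host share one timestamp and have consecutive record IDs (6669–6671), so they can be read together as a single boot sequence.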

Event ID 6006

Provider
EventLog
Channel
System
Level
Informational

Fields #

Name | Description
Data_0
Binary

Example Event #

{
  "system": {
    "provider": "EventLog",
    "guid": "",
    "event_source_name": "",
    "event_id": 6006,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-06-13T05:22:34.5492248+00:00",
    "event_record_id": 7363,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {},
  "message": "The Event log service was stopped."
}

Community Notes #

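Indicates system shutdown (the Event Log service was stopped). If a 6005 is not preceded by a 6006, the previous shutdown was likely unexpected or a crash, which may be suspicious; in that case check for Event ID 6008 logged at the next boot, whose message gives the time of the unexpected shutdown.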

Event ID 6008

Provider
EventLog
Channel
System
Level
Error

Fields #

Name | Description
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Data_6
Data
Binary

Example Event #

{
  "system": {
    "provider": "EventLog",
    "guid": "",
    "event_source_name": "",
    "event_id": 6008,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-29T16:32:53.9173149+00:00",
    "event_record_id": 6669,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "11:35:30 AM",
    "Data_1": "‎5/‎29/‎2026",
    "Data_2": "",
    "Data_3": "",
    "Data_4": "10939",
    "Data_5": "",
    "Data_6": ""
  },
  "message": "The previous system shutdown at 11:35:30 AM on ‎5/‎29/‎2026 was unexpected."
}

Event ID 6009

Provider
EventLog
Channel
System
Level
Informational

Fields #

Name | Description
Data_0
Data_1
Data_2
Data_3
Data_4
Binary

Example Event #

{
  "system": {
    "provider": "EventLog",
    "guid": "",
    "event_source_name": "",
    "event_id": 6009,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-29T16:32:53.9173149+00:00",
    "event_record_id": 6670,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "10.00.",
    "Data_1": "20348",
    "Data_2": "",
    "Data_3": "Multiprocessor Free",
    "Data_4": "0"
  },
  "message": "Microsoft (R) Windows (R) 10.00. 20348  Multiprocessor Free."
}

Event ID 6011

Provider
EventLog
Channel
System
Level
Informational

Fields #

Name | Description
Data_0
Data_1
Binary

Example Event #

{
  "system": {
    "provider": "EventLog",
    "guid": "",
    "event_source_name": "",
    "event_id": 6011,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-05-27T21:38:04.1256208+00:00",
    "event_record_id": 1053,
    "correlation": {},
    "execution": {
      "process_id": 2072,
      "thread_id": 2124
    },
    "channel": "System",
    "computer": "telemetry-W11-d",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "WIN11-25H2-X64",
    "Data_1": "TELEMETRY-W11-D"
  },
  "message": "The NetBIOS name and DNS host name of this machine have been changed from WIN11-25H2-X64 to TELEMETRY-W11-D."
}

Event ID 6013

Provider
EventLog
Channel
System
Level
Informational

Fields #

Name | Description
Data_0
Data_1
Data_2
Data_3
Data_4
Data_5
Data_6
Binary

Example Event #

{
  "system": {
    "provider": "EventLog",
    "guid": "",
    "event_source_name": "",
    "event_id": 6013,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-06-13T12:00:01.6322576+00:00",
    "event_record_id": 7012,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "",
    "Data_1": "",
    "Data_2": "",
    "Data_3": "",
    "Data_4": "31097",
    "Data_5": "60",
    "Data_6": "0 Coordinated Universal Time"
  },
  "message": "The system uptime is 31097 seconds."
}