Glossary
Provider
The component that emits records into a channel — identified by name (e.g. Microsoft-Windows-Security-Auditing) and a GUID. The same numeric Event ID can mean very different things across providers (Sysmon 1 ≠ Security 1), so provider+ID is the real key.
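The effect of keying on provider+ID rather than ID alone, as an added example (not from the original glossary). The sample records are constructed, the GUIDs are placeholders, and "Example-Vendor-Agent" is a hypothetical provider assumed to also use Event ID 1.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(provider, guid, event_id):
    """Build a constructed <Event> record with only the <System> fields used here."""
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="{provider}" Guid="{guid}"/>'
            f'<EventID>{event_id}</EventID></System></Event>')

# Constructed sample records. GUIDs are placeholders and "Example-Vendor-Agent"
# is a hypothetical provider that also happens to use Event ID 1.
SAMPLE_EVENTS = [
    _event("Microsoft-Windows-Sysmon", "{00000000-0000-0000-0000-000000000001}", 1),
    _event("Example-Vendor-Agent", "{00000000-0000-0000-0000-000000000002}", 1),
    _event("Microsoft-Windows-Security-Auditing",
           "{00000000-0000-0000-0000-000000000003}", 4624),
]

def event_key(xml_text):
    """Return (provider_name, event_id) from an event's <System> block."""
    system = ET.fromstring(xml_text).find("e:System", NS)
    if system is None:
        raise ValueError("record has no <System> element")
    provider = system.find("e:Provider", NS)
    event_id = system.find("e:EventID", NS)
    if provider is None or event_id is None or not (event_id.text or "").strip():
        raise ValueError("record is missing Provider or EventID")
    # Lower-case the name so matching does not depend on how a rule spells it.
    return provider.get("Name", "").lower(), int(event_id.text)

def match_id_only(events, event_id):
    """Naive rule: matches every provider that happens to use this ID."""
    return [k for k in map(event_key, events) if k[1] == event_id]

def match_provider_and_id(events, provider, event_id):
    """Rule keyed on the (provider, ID) pair."""
    wanted = (provider.lower(), event_id)
    return [k for k in map(event_key, events) if k == wanted]

if __name__ == "__main__":
    print("ID only:      ", match_id_only(SAMPLE_EVENTS, 1))
    print("provider + ID:", match_provider_and_id(SAMPLE_EVENTS, "Microsoft-Windows-Sysmon", 1))
```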