Windows Event Forwarding: Survival Guide
This page is intended as a launch page collecting links to resources on Windows Event Forwarding (WEF).
Intrusion Detection
Use Windows Event Forwarding to help with intrusion detection
This is a very comprehensive paper covering WEF in detail, written by internal engineers at Microsoft who run WEF at an extremely large scale (roughly 700k clients).
Even though the title says intrusion detection, the bulk of the paper is about operating WEF, and it should be read if you are planning to use WEF.
Whitepaper & Guidance
NSA's whitepaper on spotting lateral movement via WEF, along with the GitHub repository they host containing the scripts etc. needed to implement the guidance.
- https://www.iad.gov/iad/library/ia-guidance/security-configuration/applications/spotting-the-adversary-with-windows-event-log-monitoring.cfm
- https://github.com/nsacyber/Event-Forwarding-Guidance
Basic WEF guide
Monitoring what matters:
Capture Events and Upload to Microsoft Sentinel
Presentations
Ignite presentation on WEF:
Microsoft Virtual Academy session on Windows Event Forwarding:
Build a fast, free, and effective Threat Hunting/Incident Response Console with Windows Event Forwarding and PowerBI
Knowledge base
Detailed descriptions of all the events and Event IDs in Advanced Audit Policy Settings and what they mean:
Blogs
Tracking LAM
Tracking Lateral Account Movement / Special Groups Monitoring:
XPath and Subscription Filters
- https://blogs.technet.microsoft.com/kfalde/2015/05/27/some-posh-to-help-with-evt-xpath-filter-creations/
- https://blogs.technet.microsoft.com/kfalde/2014/03/24/xpath-event-log-filtering/
- http://blog.backslasher.net/filtering-windows-event-log-using-xpath.html