
Event Forwarding Guidance
This repository provides resources to help administrators collect security-relevant Windows event logs using Windows Event Forwarding (WEF). It is a companion to the paper Spotting the Adversary with Windows Event Log Monitoring. The list of events in this repository is more current than the one presented in the paper.
Recommended Windows Events to Collect
This repository contains a list of recommended Windows events to collect. Regardless of whether you collect with Windows Event Forwarding (WEF) or a third-party Security Information and Event Management (SIEM) system, the list is a good starting point for deciding which events to gather.
Scripts
Scripts are included to create custom Event Log views and to set up WEF subscriptions. The WEF subscriptions are provided in XML format.
Links
Microsoft Windows Event Forwarding resources:
Use Windows Event Forwarding to help with intrusion detection
Security auditing and monitoring reference for Windows 10 and Windows Server 2016
Microsoft Threat Protection: advanced security audit policy settings and security auditing
Microsoft's list of events to monitor
Microsoft Sysinternals, including Sysmon
Other resources:
ACSC GitHub Windows Event Logging repository
ACSC Windows Event Logging technical documentation
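The following PowerShell is an added example, not a script from this repository. It shows the mechanics the sections above describe: a table of event IDs per channel is turned into one XPath QueryList, that query is embedded both in a source-initiated WEF subscription (the XML format wecutil consumes) and in an Event Viewer custom view, and the subscription is created on the collector with wecutil. The event IDs listed are an illustrative subset chosen for this example and not the repository's list; the subscription name, output paths and the WEF_APPLY environment variable are assumptions made here.

```powershell
# Added example, not part of the Event Forwarding Guidance repository.
# Event IDs below are an illustrative subset (assumption), not the repository's full list.
$Events = @{
    'Security' = @(1102, 4624, 4625, 4688, 4720, 4732)   # log cleared, logon, failed logon, process created, user created, added to local group
    'System'   = @(104, 7045)                           # log cleared, new service installed
    # 'Microsoft-Windows-Sysmon/Operational' = @(1, 3)  # only add channels that exist on every source
}

# Build one <QueryList> with a <Query> per channel; this is the format used by
# WEF subscriptions, Event Viewer custom views and Get-WinEvent -FilterXml alike.
function New-EventQueryList {
    param([hashtable]$EventsByChannel)
    $sb = [System.Text.StringBuilder]::new()
    [void]$sb.Append('<QueryList>')
    $id = 0
    foreach ($channel in ($EventsByChannel.Keys | Sort-Object)) {
        $terms = ($EventsByChannel[$channel] | ForEach-Object { "EventID=$_" }) -join ' or '
        [void]$sb.Append("<Query Id=`"$id`" Path=`"$channel`"><Select Path=`"$channel`">*[System[($terms)]]</Select></Query>")
        $id++
    }
    [void]$sb.Append('</QueryList>')
    $sb.ToString()
}

# Source-initiated subscription: sources push to the collector, which writes to ForwardedEvents.
# The SDDL admits members of Domain Computers; tighten it to a group of your own if needed.
function New-WefSubscriptionXml {
    param([string]$Name, [string]$Description, [string]$Query)
    @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wecsvc">
  <SubscriptionId>$Name</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>$Description</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[$Query]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@
}

# Event Viewer custom view wrapping the same query (importable via Action > Import Custom View).
function New-CustomViewXml {
    param([string]$Name, [string]$Description, [string]$Query)
    @"
<ViewerConfig>
  <QueryConfig>
    <QueryParams><UserQuery/></QueryParams>
    <QueryNode>
      <Name>$Name</Name>
      <Description>$Description</Description>
      $Query
    </QueryNode>
  </QueryConfig>
</ViewerConfig>
"@
}

# Count what has actually arrived, per source host and event ID, to confirm the pipeline works.
function Get-ForwardedEventSummary {
    param([int]$MaxEvents = 500)
    Get-WinEvent -LogName ForwardedEvents -MaxEvents $MaxEvents -ErrorAction Stop |
        Group-Object -Property MachineName, Id |
        Select-Object Count, Name | Sort-Object Count -Descending
}

$query   = New-EventQueryList -EventsByChannel $Events
$subName = 'SpottingTheAdversary-Core'   # assumed subscription name
$subXml  = New-WefSubscriptionXml -Name $subName -Description 'Core security events (example)' -Query $query
$viewXml = New-CustomViewXml -Name 'Spotting the Adversary (example)' -Description 'Forwarded core security events' -Query $query

$outDir   = Join-Path $env:TEMP 'wef-example'   # assumed output location
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$subPath  = Join-Path $outDir 'subscription.xml'
$viewPath = Join-Path $outDir 'customview.xml'
Set-Content -Path $subPath  -Value $subXml  -Encoding UTF8
Set-Content -Path $viewPath -Value $viewXml -Encoding UTF8
Write-Host "Wrote $subPath and $viewPath"

# Apply only on the collector, from an elevated prompt (guarded by an assumed env var).
if ($env:WEF_APPLY -eq '1') {
    wecutil qc /q            # configure the Windows Event Collector service
    wecutil cs $subPath      # create the subscription from the XML above
    wecutil gr $subName      # runtime status: which sources have checked in and any errors
    Get-ForwardedEventSummary -MaxEvents 200 | Format-Table -AutoSize
}
```

Two checks a practitioner will want before trusting the counts: sources only push once Group Policy points them at the collector (the Subscription Manager setting under Event Forwarding), and forwarding the Security log requires the source's NETWORK SERVICE account to be allowed to read that channel (for example by adding it to Event Log Readers). Prefer the Events content format over RenderedText when forwarding to a SIEM that renders messages itself, since rendered text roughly doubles the payload.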