Windows Event Forwarding/Collector Resources

Voiced by Amazon Polly

Windows Event ForwardingDepending on your SIEM you are going to have different requirements here.  For some SIEMs, there is no issue with EPS and only the number of devices.  In that case, this will immediately reduce your licensing needs by allowing you to watch Events from Servers and/or workstations from a single (or few) devices.  You can forward all workstation events to a single devices and then just monitor that devices from the SIEM using Windows Event Forwarding.

For those SIEMs, like Splunk, that care about EPS and nothing else, this will get more complex, but not unmanageable.  At this point, you have to start using filtering. If your SIEM has agents, like splunk, that can do filtering you can use simple Event Subscriptions to get the logs, but then filter at the forwarder.  For those that don’t, then there are still ways to do a lot of filtering in the XML, but there are some limitations. I have spent the past few months architecting this for a large enterprise, and I have found a few invaluable resources I wanted to share about all of this.

Updated: Start Here

Sigma –

Mordor –


Threat Mitigation Strategies –

Threat Hunter Playbook –

MITRE ATT&CK Framework –


Monitoring what matters – Windows Event Forwarding for everyone (even if you already have a SIEM.)

Detailed Post on XML Queries in Subscriptions

Proactively Secure your IT Environment from Credential Theft with POP-SLAM

LAPS Audit Reporting via WEF PoSH and PowerBI

Windows Event Forwarding – Centralized logging for everyone! (Even if you already have centralized logging!)

Event Forwarding and Log Analysis

Local Administrator Password Solution (LAPS) Implementation Hints and Security Nerd Commentary (including mini threat model)

Top 10 SIEM Best Practices

Threat Hunting

Building a free console for threat hunting – Jessica Payne

Third Party Tools

Sysmon Limitations – SpecreOps

Indicators of Compromise

NSA – Spotting the Adversary

Detecting Lateral Movement with Windows Event Logs [VIDEO]

Pass The Hash Info

Use Windows Event Forwarding to help with intrusion detection (Windows 10)

Cheat Sheets for Logging

Splunk Finding Advanced Attacks

Splunk Logging CheatSheet

Events To Monitor

Information About Windows Events

Tracking Lateral Movement Part One – Special Groups and Specific Service Accounts

Advanced security audit policy settings (Windows 10)

Simple Windows Batch Scripting for Intrusion Discovery

The Key Difference between “Account Logon” and “Logon/Logoff” Events in the Windows Security Log

Description of security events in Windows 7 and in Windows Server 2008 R2

More New Stuff in PowerShell V5: Extra PowerShell Auditing

Include command line in process creation events

Microsoft security advisory: Update to improve Windows command-line auditing: February 10, 2015

Windows Event Forwarding: export and import subscriptions

Auditing Group Policy changes – Canberra Premier Field Engineering: Team Blog

Updated 12/14/17: Added Threat Hunting Section

Update 1/2/2018: Added link to SpectreOps blog, rearranged links

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.