Configuration guidance for implementing collection of security relevant Windows Event Log events by using Windows Event Forwarding. #nsacyber

Event Forwarding Guidance

This project hosts scripts and configuration files for aiding administrators in collecting security relevant Windows event logs using Windows Event Forwarding (WEF), and contains a recommended minimum set of events to collect. See Spotting the Adversary with Windows Event Log Monitoring for more details on setting up WEF.

Recommended Events

The Events folder contains a minimum recommended set of Windows events to collect. Whether you use WEF or a third-party SIEM, the list of recommended events is a useful starting point for deciding what to collect. Collecting every Windows event is not recommended: it floods the collector with noise and hides the events that matter. A better approach is to collect only the events that provide value and insight into a system's state.
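The following is an added example, not a script from this project: it shows how a selected set of event IDs becomes a WEF subscription, so the "what to collect" list above and the WEF setup that the guide describes fit together. The event IDs in it are illustrative choices, not the project's Events list; the subscription name `SecurityBaseline`, the file path, and the use of the default `ForwardedEvents` log are assumptions. Reading the Security log locally and running `wecutil` both need an elevated prompt.

```powershell
# Added example (not part of the Event Forwarding Guidance project).
# Builds a WEF subscription query from a per-channel list of event IDs,
# sanity-checks the query on the local machine, writes a source-initiated
# subscription file, and shows how to register it on a collector.

# Constructed sample selection. These IDs are illustrative only; replace them
# with the recommended set from the project's Events folder.
$EventSelection = @{
    'Security' = @(
        1102,  # audit log cleared
        4624,  # successful logon
        4625,  # failed logon
        4688,  # process creation
        4720   # user account created
    )
    'System' = @(
        7045   # new service installed
    )
}

function New-WefQueryList {
    # Turn {channel -> [ids]} into the <QueryList> XPath form WEF and Get-WinEvent share.
    param([Parameter(Mandatory)][hashtable]$Selection)
    $queries = @()
    $id = 0
    foreach ($channel in ($Selection.Keys | Sort-Object)) {
        $clause = ($Selection[$channel] | ForEach-Object { "EventID=$_" }) -join ' or '
        $queries += "<Query Id=`"$id`" Path=`"$channel`"><Select Path=`"$channel`">*[System[($clause)]]</Select></Query>"
        $id++
    }
    return "<QueryList>$($queries -join '')</QueryList>"
}

function New-WefSubscriptionXml {
    # Source-initiated subscription: clients are pointed at the collector by the
    # "Configure target Subscription Manager" policy setting; the SDDL below is the
    # default that allows any domain computer (DC) and Network Service (NS) to forward.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$QueryList,
        [string]$Description = 'Minimum recommended security events'
    )
@"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$Name</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>$Description</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[$QueryList]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
"@
}

$query = New-WefQueryList -Selection $EventSelection

# Validate the query locally before shipping it to a collector. Get-WinEvent rejects
# malformed XPath; an empty result ("No events were found") is not an error here.
$sample = Get-WinEvent -FilterXml ([xml]$query) -MaxEvents 5 -ErrorAction SilentlyContinue -ErrorVariable queryErr
if ($queryErr -and $queryErr[0].Exception.Message -notmatch 'No events were found') {
    throw "Query rejected: $($queryErr[0].Exception.Message)"
}
"Query OK; {0} matching event(s) found locally" -f @($sample).Count

# Write the subscription file (assumed path) for the collector.
$xmlPath = Join-Path $env:TEMP 'SecurityBaseline.xml'
New-WefSubscriptionXml -Name 'SecurityBaseline' -QueryList $query | Set-Content -Path $xmlPath -Encoding UTF8

# On the collector, run elevated:
#   wecutil qc /q                   # enable the Windows Event Collector service once
#   wecutil cs $xmlPath             # create the subscription from the file
#   wecutil gr SecurityBaseline     # runtime status: which sources are connected
# Forwarded events then appear in:  Get-WinEvent -LogName ForwardedEvents -MaxEvents 10
```

The same `<QueryList>` string is accepted by `Get-WinEvent -FilterXml` and by the subscription's `<Query>` element, which is why the local check is worth doing: a query that fails here will also silently deliver nothing once deployed. Keep `ReadExistingEvents` at `false` unless you want each newly joined source to backfill its history through the collector.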

Guidance

NSA Information Assurance has a security guide called Spotting the Adversary with Windows Event Log Monitoring.

Links

License

See LICENSE.

Disclaimer

See DISCLAIMER.