Event Forwarding Guidance
This project hosts scripts and configuration files to help administrators collect security-relevant Windows event logs using Windows Event Forwarding (WEF), and contains a recommended minimum set of events to collect. See Spotting the Adversary with Windows Event Log Monitoring for details on setting up WEF.
The Events folder contains the minimum recommended set of Windows events to collect. Whether events are gathered with WEF or with a third-party SIEM, the list of recommended events is a useful starting point for deciding what to collect. Collecting every Windows event is not recommended: it produces volume on the collector without a matching gain in insight. A better approach is to collect only the events that provide value and insight into a system's state, and to scope each subscription's query to exactly those events.
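The "collect only what provides value" point above, as an added example that is not part of this repository or of the Spotting the Adversary guide: a PowerShell script, run in an elevated session on a collector that has already been configured with `wecutil qc`, that builds a source-initiated WEF subscription scoped to a handful of well-documented Security and System event IDs, sanity-checks the query locally, and registers it with `wecutil`. The event IDs are an illustrative subset chosen for this example, not the repository's recommended list; the subscription name and the temporary file path are assumptions.

```powershell
# Added example, not code from the Event Forwarding Guidance repository.
# Assumes: elevated PowerShell on a collector already prepared with `wecutil qc`,
# and that the subscription name below is free to use.
$subscriptionName = 'Example-Minimum-Security-Events'   # assumed name

# What NOT to do: a select-everything query forwards every Security event and
# swamps the collector with noise. Shown only for contrast; never registered.
$collectEverything = '<Select Path="Security">*</Select>'

# Targeted query. Illustrative subset of well-documented events:
#   1102 audit log cleared, 4624/4625 logon success/failure, 4688 process creation
#   (requires Audit Process Creation to be enabled), 4697 service installed,
#   4720 user created, 4728/4732/4756 member added to a security group,
#   and System 7045 (Service Control Manager: new service installed).
$queryList = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=1102 or EventID=4624 or EventID=4625 or EventID=4688 or EventID=4697 or EventID=4720 or EventID=4728 or EventID=4732 or EventID=4756)]]</Select>
  </Query>
  <Query Id="1" Path="System">
    <Select Path="System">*[System[Provider[@Name='Service Control Manager'] and (EventID=7045)]]</Select>
  </Query>
</QueryList>
"@

# Source-initiated (push) subscription; domain computers and domain controllers
# may forward, matching the SDDL used in typical WEF deployments.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Minimum security-relevant events (example subscription)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[$queryList]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
"@

# Check the XPath against the collector's own logs before registering it.
# "No events were found" only means nothing matched yet; any other error is a bad query.
try {
    Get-WinEvent -FilterXml ([xml]$queryList) -MaxEvents 5 -ErrorAction Stop | Out-Null
} catch {
    if ($_.Exception.Message -notmatch 'No events were found') { throw }
}

$subscriptionPath = Join-Path $env:TEMP "$subscriptionName.xml"   # assumed location
$subscriptionXml | Set-Content -Path $subscriptionPath -Encoding UTF8

wecutil cs $subscriptionPath      # create the subscription on the collector
wecutil gs $subscriptionName      # print back the stored configuration, including the query
wecutil gr $subscriptionName      # per-source runtime status once forwarders check in
```

Two caveats a deployment should account for: 4624 is the noisiest event in the list, so production subscriptions usually add a `<Suppress>` element for service and machine-account logons, and 4688 only appears once process-creation auditing is enabled through audit policy. The query is validated with `Get-WinEvent` first because `wecutil cs` accepts a subscription whose XPath is wrong and the failure then only shows up as sources that never deliver.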
- NSA Information Assurance security guide: Spotting the Adversary with Windows Event Log Monitoring
- Microsoft Windows Event Forwarding Resources
- Use Windows Event Forwarding to help with intrusion detection
- Windows 10 and Windows Server 2016 security auditing and monitoring reference
- List of important events from Microsoft
- Microsoft Sysmon Tool
- ASD GitHub Windows Event Logging repository
- ASD Windows Event Logging Technical Guidance