ADFS.xml Adding ADFS, Duo, DG, EG, Office, WMI Dec 5, 2017
Account-Lockout.xml Initial commit. Sep 5, 2017
Account-Management.xml Major overhaul. Apr 20, 2018
Active-Directory.xml Major overhaul. Apr 20, 2018
Application-Crashes.xml Initial commit. Sep 5, 2017
Applocker.xml Initial commit. Sep 5, 2017
Authentication.xml Major overhaul. Apr 20, 2018
Autoruns.xml Initial commit. Sep 5, 2017
Bits-Client.xml Initial commit. Sep 5, 2017
Certificate-Authority.xml Initial commit. Sep 5, 2017
Code-Integrity.xml Major overhaul. Apr 20, 2018
DNS.xml Initial commit. Sep 5, 2017
Device-Guard.xml Adding ADFS, Duo, DG, EG, Office, WMI Dec 5, 2017
Drivers.xml Initial commit. Sep 5, 2017
Duo-Security.xml Adding ADFS, Duo, DG, EG, Office, WMI Dec 5, 2017
EMET.xml Initial commit. Sep 5, 2017
Event-Log-Diagnostics.xml Major overhaul. Apr 20, 2018
Explicit-Credentials.xml Initial commit. Sep 5, 2017
Exploit-Guard.xml Adding ADFS, Duo, DG, EG, Office, WMI Dec 5, 2017
External-Devices.xml Major overhaul. Apr 20, 2018
Firewall.xml Major overhaul. Apr 20, 2018
Group-Policy-Errors.xml Major overhaul. Apr 20, 2018
Kerberos.xml Major overhaul. Apr 20, 2018
Log-Deletion-Security.xml Initial commit. Sep 5, 2017
Log-Deletion-System.xml Initial commit. Sep 5, 2017
MSI-Packages.xml Initial commit. Sep 5, 2017
Microsoft-Office.xml Adding ADFS, Duo, DG, EG, Office, WMI Dec 5, 2017
NTLM.xml Initial commit. Sep 5, 2017
Object-Manipulation.xml Major overhaul. Apr 20, 2018
Operating-System.xml Major overhaul. Apr 20, 2018
Powershell.xml Initial commit. Sep 5, 2017
Print.xml Initial commit. Sep 5, 2017
Privilege-Use.xml Major overhaul. Apr 20, 2018
Process-Execution.xml Initial commit. Sep 5, 2017
README.md Major overhaul. Apr 20, 2018
Registry.xml Initial commit. Sep 5, 2017
Services.xml Adding ADFS, Duo, DG, EG, Office, WMI Dec 5, 2017
Shares.xml Major overhaul. Apr 20, 2018
Smart-Card.xml Initial commit. Sep 5, 2017
Software-Restriction-Policies.xml Update Software-Restriction-Policies.xml Apr 20, 2018
Sysmon.xml Adding ADFS, Duo, DG, EG, Office, WMI Dec 5, 2017
System-Time-Change.xml Initial commit. Sep 5, 2017
Task-Scheduler.xml Major overhaul. Apr 20, 2018
Terminal-Services.xml Major overhaul. Apr 20, 2018
WMI.xml Adding ADFS, Duo, DG, EG, Office, WMI Dec 5, 2017
Windows-Defender.xml Initial commit. Sep 5, 2017
Windows-Diagnostics.xml Initial commit. Sep 5, 2017
Windows-Updates.xml Major overhaul. Apr 20, 2018
Wireless.xml Major overhaul. Apr 20, 2018

README.md

WEF-Subscriptions

Windows Event Forwarding (WEF) is a subscription-based mechanism for pushing events of interest to a Windows Event Collector. Subscriptions can be either source-initiated (push) or collector-initiated (pull). Subscriptions rely on the subscribing clients having logging and WinRM enabled locally so they can service the subscription request. In Palantir's environment, with an always-changing number of Windows systems, source-initiated subscriptions configured via GPO are the optimal model.
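The paragraph above names the client-side prerequisites for a source-initiated subscription (local logging, WinRM, and a GPO-delivered collector address). The following is an added example, not code from the WEF-Subscriptions repository, that checks those prerequisites on a forwarding client. It assumes it is run elevated on a domain-joined Windows 10 / Server 2016 or later host (for Get-LocalGroupMember), and it assumes the policy is delivered through the standard "Configure target Subscription Manager" setting, whose values land under the SubscriptionManager registry key shown.

```powershell
# Added example (not from the WEF-Subscriptions repository): verify on a
# forwarding client that the prerequisites for a source-initiated WEF
# subscription are in place. Run elevated.

function Test-WefClientPrereqs {
    $result = [ordered]@{}

    # WinRM service must be running; WEF transports events over WS-Management.
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $result.WinRmRunning = [bool]($winrm -and $winrm.Status -eq 'Running')

    # At least one WinRM listener (HTTP 5985 or HTTPS 5986) must exist.
    $listeners = Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue
    $result.WinRmListener = [bool]$listeners

    # Source-initiated clients learn the collector from this policy key
    # (Computer Configuration > Administrative Templates > Windows Components >
    # Event Forwarding > Configure target Subscription Manager). Each value is
    # named "1", "2", ... and holds a string such as
    # Server=http://collector.example.local:5985/wsman/SubscriptionManager/WEC,Refresh=60
    $smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    $smValues = @()
    if (Test-Path $smKey) {
        $props = Get-ItemProperty -Path $smKey
        $smValues = @($props.PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value })
    }
    $result.SubscriptionManager = $smValues
    $result.CollectorConfigured = @($smValues | Where-Object { $_ -match 'Server=' }).Count -gt 0

    # The forwarder runs as NETWORK SERVICE (S-1-5-20) and needs read access to
    # the channels named in the subscription; membership in Event Log Readers
    # is the usual way to grant that for the Security log.
    $members = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
    $result.NetworkServiceCanRead = [bool]($members | Where-Object { $_.SID.Value -eq 'S-1-5-20' })

    # The Security log must be enabled locally or there is nothing to forward.
    $sec = Get-WinEvent -ListLog Security -ErrorAction SilentlyContinue
    $result.SecurityLogEnabled = [bool]($sec -and $sec.IsEnabled)

    [pscustomobject]$result
}

Test-WefClientPrereqs | Format-List
```

A client where every boolean is True and SubscriptionManager lists the collector URL will register with the collector on its next refresh; a False value points at the GPO, the WinRM listener, or the Event Log Readers membership as the thing to fix before looking at the collector side.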

List of WEF Subscriptions

  • Account-Lockout: Collects account lockout events.
  • Account-Management: Collects account management events (e.g., creation, deletion, group changes, etc.).
  • Active-Directory: Collects Active Directory policy and change events.
  • ADFS: Collects events related to Active Directory Federation Services.
  • Application-Crashes: Collects application crash, hang, and error reporting events.
  • Applocker: Collects AppLocker events for auditing, blocks, software restriction events, etc.
  • Authentication: Collects successful, failed, explicit, and other logon events.
  • Autoruns: Collects autorun events from Autoruns-to-WinEventLog.
  • Bits-Client: Collects events related to the Background Intelligent Transfer Service (BITS).
  • Certificate-Authority: Collects certificate authority events (e.g., requests, denies, issuance).
  • Code-Integrity: Collects events related to code integrity.
  • Device-Guard: Collects events related to Windows Device Guard.
  • DNS: Collects DNS queries and DNS Server DLL loading events.
  • Drivers: Collects events related to user-mode driver loading, failed driver loading, or signing issues.
  • Duo-Security: Collects Duo Security authentication events.
  • EMET: Collects events related to the Enhanced Mitigation Experience Toolkit (EMET).
  • Event-Log-Diagnostics: Collects events related to the Event Log service.
  • Explicit-Credentials: Collects events that use explicit credentials.
  • Exploit-Guard: Collects events related to Windows Exploit Guard.
  • External-Devices: Collects USB and other external device events.
  • Firewall: Collects events related to the Windows Firewall.
  • Group-Policy-Errors: Collects events related to group policy service errors.
  • Kerberos: Collects events related to Kerberos (e.g., ticket requests, failures, etc.).
  • Log-Deletion-Security: Collects log deletions involving the security event log.
  • Log-Deletion-System: Collects log deletions involving the system event log.
  • Microsoft-Office: Collects events related to Microsoft Office products.
  • MSI-Packages: Collects events related to package installation, Windows Update, and software installation.
  • NTLM: Collects events related to NTLM authentication and failures.
  • Object-Manipulation: Collects object manipulation (e.g. SACL) events.
  • Operating-System: Collects system events such as SMBv1, shutdowns, unexpected reboots, etc.
  • Powershell: Collects PowerShell script block, module, operational, DSC, and other events.
  • Print: Collects print service jobs and events.
  • Process-Execution: Collects process execution and termination events.
  • Registry: Collects events related to registry auditing.
  • Services: Collects events related to service installation, failures, crashes, etc.
  • Shares: Collects events related to network shares and mapped drives.
  • Smart-Card: Collects events related to smart card authentication.
  • Software-Restriction-Policies: Collects events related to Software Restriction Policies from the System log.
  • System-Time-Change: Collects events related to system time changes.
  • Sysmon: Collects events related to Sysinternals Sysmon.
  • Task-Scheduler: Collects events related to the task scheduler and tasks.
  • Terminal-Services: Collects events from terminal services and terminal services gateway.
  • Windows-Defender: Collects Windows Defender detection and operational events.
  • Windows-Diagnostics: Collects WEF diagnostic events.
  • Windows-Updates: Collects Windows Update service and hotpatching errors.
  • Wireless: Collects wireless authentication events.
  • WMI: Collects events from the WMI operational event logs.

Windows Event Collector Utility 101

Create a subscription or all the subscriptions

wecutil cs subscription.xml

C:\subscription-dir> for /r %i in (*.xml) do wecutil cs %i

Delete a subscription or all the subscriptions

WARNING: You're better off disabling the subscriptions first (wecutil ss subscriptionid /e:false) for server/eventvwr stability.

wecutil ds subscriptionid

C:\subscription-dir> for /r %i in (*.xml) do wecutil ds %~ni

See XML details and subscribers

wecutil gs subscriptionid
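The three wecutil commands above cover create, delete and inspect; the following added example, which is not code from the WEF-Subscriptions repository, walks the full collector-side lifecycle in PowerShell: load every XML in a directory, enumerate what the collector now knows, read XML details and runtime status, and then disable before deleting, as the warning above recommends. It assumes it runs elevated on the collector, that C:\subscription-dir is the subscription directory (an assumed path), and that each file's basename equals its SubscriptionId, which is the convention the for /r loops above also rely on. The subscription XML it writes is a constructed minimal source-initiated subscription for account lockout events, included only so the script has something to load.

```powershell
# Added example (not from the WEF-Subscriptions repository): collector-side
# lifecycle of WEF subscriptions with wecutil. Run elevated on the collector.
$SubscriptionDir = 'C:\subscription-dir'   # assumed path

# Constructed sample: a minimal source-initiated subscription that forwards
# account lockout events (Security EventID 4740) from domain computers and
# domain controllers into the ForwardedEvents log.
$sampleXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Example-Account-Lockout</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Constructed example: account lockout events</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4740)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)S:</AllowedSourceDomainComputers>
</Subscription>
'@
New-Item -ItemType Directory -Path $SubscriptionDir -Force | Out-Null
Set-Content -Path (Join-Path $SubscriptionDir 'Example-Account-Lockout.xml') -Value $sampleXml -Encoding UTF8

# 1. Create every subscription in the directory (equivalent of the for /r loop).
Get-ChildItem -Path $SubscriptionDir -Filter *.xml -Recurse | ForEach-Object {
    wecutil cs $_.FullName
}

# 2. Enumerate the subscription IDs the collector now holds.
$ids = @(wecutil es)
$ids

# 3. For each subscription, show the XML details and allowed sources (gs) and
#    the runtime status: active event sources and last error, if any (gr).
foreach ($id in $ids) {
    wecutil gs $id
    wecutil gr $id
}

# 4. Tear down safely: disable first, then delete, driven by the file basenames.
Get-ChildItem -Path $SubscriptionDir -Filter *.xml -Recurse | ForEach-Object {
    $id = $_.BaseName
    wecutil ss $id /e:false
    wecutil ds $id
}
```

The gr output is the first place to look when a subscription exists but no events arrive: it lists each source computer with its last heartbeat and error, which separates a collector-side problem from a client that never registered.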