Skip to content

Latest commit

 

History

History
 
 

wef-subscriptions

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
ADFS.xml
ADFS.xml
 
 
Account-Lockout.xml
Account-Lockout.xml
 
 
Account-Management.xml
Account-Management.xml
 
 
Active-Directory.xml
Active-Directory.xml
 
 
Application-Crashes.xml
Application-Crashes.xml
 
 
Applocker.xml
Applocker.xml
 
 
Authentication.xml
Authentication.xml
 
 
Autoruns.xml
Autoruns.xml
 
 
Bits-Client.xml
Bits-Client.xml
 
 
Certificate-Authority.xml
Certificate-Authority.xml
 
 
Code-Integrity.xml
Code-Integrity.xml
 
 
DNS.xml
DNS.xml
 
 
Device-Guard.xml
Device-Guard.xml
 
 
Drivers.xml
Drivers.xml
 
 
Duo-Security.xml
Duo-Security.xml
 
 
EMET.xml
EMET.xml
 
 
Event-Log-Diagnostics.xml
Event-Log-Diagnostics.xml
 
 
Explicit-Credentials.xml
Explicit-Credentials.xml
 
 
Exploit-Guard-ASR.xml
Exploit-Guard-ASR.xml
 
 
Exploit-Guard-CFA.xml
Exploit-Guard-CFA.xml
 
 
Exploit-Guard-EP.xml
Exploit-Guard-EP.xml
 
 
Exploit-Guard-NP.xml
Exploit-Guard-NP.xml
 
 
External-Devices.xml
External-Devices.xml
 
 
Firewall.xml
Firewall.xml
 
 
Group-Policy-Errors.xml
Group-Policy-Errors.xml
 
 
Kerberos.xml
Kerberos.xml
 
 
Log-Deletion-Security.xml
Log-Deletion-Security.xml
 
 
Log-Deletion-System.xml
Log-Deletion-System.xml
 
 
MSI-Packages.xml
MSI-Packages.xml
 
 
Microsoft-Office.xml
Microsoft-Office.xml
 
 
NTLM.xml
NTLM.xml
 
 
Object-Manipulation.xml
Object-Manipulation.xml
 
 
Operating-System.xml
Operating-System.xml
 
 
Powershell.xml
Powershell.xml
 
 
Print.xml
Print.xml
 
 
Privilege-Use.xml
Privilege-Use.xml
 
 
Process-Execution.xml
Process-Execution.xml
 
 
README.md
README.md
 
 
Registry.xml
Registry.xml
 
 
Services.xml
Services.xml
 
 
Shares.xml
Shares.xml
 
 
Smart-Card.xml
Smart-Card.xml
 
 
Software-Restriction-Policies.xml
Software-Restriction-Policies.xml
 
 
Sysmon.xml
Sysmon.xml
 
 
System-Time-Change.xml
System-Time-Change.xml
 
 
Task-Scheduler.xml
Task-Scheduler.xml
 
 
Terminal-Services.xml
Terminal-Services.xml
 
 
WMI.xml
WMI.xml
 
 
Windows-Defender.xml
Windows-Defender.xml
 
 
Windows-Diagnostics.xml
Windows-Diagnostics.xml
 
 
Windows-Updates.xml
Windows-Updates.xml
 
 
Wireless.xml
Wireless.xml
 
 

README.md

WEF-Subscriptions

Windows Event Forwarding or WEF is a subscription-based methodology to push events of interest to a Windows Event Collector. Subscriptions can be either source-initiated (push) or collector-initiated (pull). Subscriptions rely on subscriber clients to have logging and WinRM turned on locally for the subscription request. In Palantir's environment with always-changing numbers of Windows systems, source-initiated subscriptions configured via GPO is the optimal model.

List of WEF Subscriptions

  • Account-Lockout: Collects account lockout events.
  • Account-Management: Collects account management events (e.g., creation, deletion, group changes, etc.)
  • Active-Directory: Collections active directory policy and change events.
  • ADFS: Collects events related to Active Directory Federation Services.
  • Application-Crashes: Collects application crash, hang, and error reporting events.
  • Applocker: Collects applocker events for auditing, blocks, software restriction events, etc.
  • Authentication: Collects successful, failed, explicit, and other logon events.
  • Autoruns: Collects autorun events from Autoruns-to-WinEventLog.
  • Bits-Client: Collects events related to the Background Information Transfer Service (BITS).
  • Certificate-Authority: Collects certificate authority events (e.g., requests, denies, issuance).
  • Code-Integrity: Collects events related to code integrity.
  • Device-Guard: Collects events related to Windows Device Guard.
  • DNS: Collects DNS queries and DNS Server DLL loading events.
  • Drivers: Collects events related to user-mode driver loading, failed driver loading, or signing issues.
  • Duo-Security: Collects Duo Security authentication events.
  • EMET: Collects events related to the Enhanced Mitigation Experience Toolset (EMET).
  • Event-Log-Diagnostics: Collects events related to the Event Log service.
  • Explicit-Credentials: Collects events that use explicit credentials.
  • Exploit-Guard: Collects events related to Windows Exploit Guard.
  • External-Devices: Collects USB and other external device events.
  • Firewall: Collects events related to the Windows Firewall.
  • Group-Policy-Errors: Collects events related to group policy service errors.
  • Kerberos: Collects events related to Kerberos (e.g. ticket requests, failures, etc.)
  • Log-Deletion-Security: Collects log deletions involving the security event log.
  • Log-Deletion-System: Collects log deletions involving the system event log.
  • Microsoft-Office: Collects events related to Microsoft Office products.
  • MSI-Packages: Collects events related to package installation, Windows Update, and software installation.
  • NTLM: Collects events related to NTLM authentication and failures.
  • Object-Manipulation: Collects object manipulation (e.g. SACL) events.
  • Operating-System: Collects system events such as SMBv1, shutdowns, unexpected reboots, etc.
  • Powershell: Collects PowerShell script block, module, operational, DSC, and other events.
  • Print: Collects print service jobs and events.
  • Process-Execution: Collects process execution and termination events.
  • Registry: Collects events related to registry auditing.
  • Services: Collects events related to service installation, failures, crashes, etc.
  • Shares: Collects events related to network shares and mapped drives.
  • Smart-Card: Collects events related to smart card authentication.
  • Software-Restriction-Policies: Collects events related to Software Restriction Policies from the System Log
  • System-Time-Change: Collects events related to system time changes.
  • Sysmon: Collects events related to Sysinternals Sysmon.
  • Task-Scheduler: Collects events related to the task scheduler and tasks.
  • Terminal-Services: Collects events from terminal services and terminal services gateway.
  • Windows-Defender: Collects Windows Defender detection and operational events.
  • Windows-Diagnostics: Collects WEF diagnostic events.
  • Windows-Updates: Collects Windows Update service and hotpatching errors.
  • Wireless: Collects wireless authentication events.
  • WMI: Collects events from the WMI operational event logs.

Windows Event Collector Utility 101

Create a subscription or all the subscriptions

wecutil cs subscription.xml

C:\subscription-dir> for /r %i in (*.xml) do wecutil cs %i

Delete a subscription or all the subscriptions

WARNING: You're better off disabling the subscriptions first for server/eventvwr stability.

wecutil ds subscriptionid

C:\subscription-dir> for /r %i in (*.xml) do wecutil ds %~ni

See XML details and subscribers

wecutil gs subscriptionid