Windows Event Forwarding: using windows event forwarding for incident detection and response
Windows Event Forwarding Guidance
Windows Event Forwarding
Windows Event Forwarding (WEF) is a powerful log forwarding solution integrated within modern versions of Microsoft Windows. One of the most comprehensive descriptions of WEF can be found on the Microsoft Docs page here, but is summarized as follows:
- Windows Event Forwarding allows for event logs to be sent, either via a push or pulls mechanism, to one or more centralized Windows Event Collector (WEC) servers.
- WEF is agent-free and relies on native components integrated into the operating system. WEF is supported for both workstation and server builds of Windows.
- WEF supports mutual authentication and encryption through Kerberos (in a domain), or can be extended through the usage of TLS (additional authentication or for non-domain joined machines).
- WEF has a rich XML-based language that can control which event IDs are submitted, suppress noisy events, batch events together, and send events as quickly or slowly as desired. Subscription XML supports a subset of XPath, which simplifies the process of writing expressions to select the events you’re interested in.
Repository Layout
This repository is organized as follows:
- WEF Subscriptions: Subscriptions are the core component of WEF that determine which events should be forwarded, how they should be stored, and at what cadence and batch size they are sent.
- Windows Event Channels: Event Channels are queues that can be used for collecting and storing event log entries on a collector server.
- Group Policy Objects: GPO recommendations for configuring auditing, enabling windows event collection/forwarding, etc.
- AutorunsToWinEventLog: A script leveraging existing WEF infrastructure and Sysinternals’ Autoruns to collect persistence and auto-start related artifacts.
Using
- Download the repository and review the contents.
- Deploy auditing GPOs to your fleet to start collecting security-critical events.
- Configure one or more Windows Event Collector servers. Apply the associated GPOs.
- (Optional) Configure your WEC server(s) to function as a powershell transcription logging target.
- Deploy the windows event channels to the WEC server(s).
- Load one or more WEF subscriptions on the WEC server(s).
- Start collecting data and hunting badness.
Copyright (c) 2017 Palantir Technologies Inc.
Source: https://github.com/palantir/
