{
	"id": "f0f5b94e-1a49-4874-bca2-4a0fa5e01c5e",
	"created_at": "2026-04-06T00:09:19.396142Z",
	"updated_at": "2026-04-10T13:12:53.393354Z",
	"deleted_at": null,
	"sha1_hash": "47162b22900b14adf70c7da3865eaff6557b4cf8",
	"title": "Use Windows Event Forwarding to help with intrusion detection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 489662,
	"plain_text": "Use Windows Event Forwarding to help with intrusion detection\r\nBy officedocspr5\r\nArchived: 2026-04-05 19:16:26 UTC\r\nLearn about an approach to collect events from devices in your organization. This article talks about events in both\r\nnormal operations and when an intrusion is suspected.\r\nWindows Event Forwarding (WEF) reads any operational or administrative event logged on a device in your\r\norganization and forwards the events you choose to a Windows Event Collector (WEC) server.\r\nTo accomplish this functionality, there are two different subscriptions published to client devices - the Baseline\r\nsubscription and the suspect subscription. The Baseline subscription enrolls all devices in your organization, and a\r\nSuspect subscription only includes devices that have been added by you. The Suspect subscription collects more\r\nevents to help build context for system activity and can quickly be updated to accommodate new events and/or\r\nscenarios as needed without impacting baseline operations.\r\nThis implementation helps differentiate where events are ultimately stored. Baseline events can be sent to devices\r\nwith online analytical capability, such as Security Event Manager (SEM), while also sending events to a\r\nMapReduce system, such as HDInsight or Hadoop, for long-term storage and deeper analysis. 
Events from the\r\nSuspect subscription are sent directly to a MapReduce system due to volume and lower signal/noise ratio; they're\r\nlargely used for host forensic analysis.\r\nAn SEM's strength lies in being able to inspect and correlate events, generate alerts for known patterns,\r\nand alert security staff at machine speed.\r\nA MapReduce system has a longer retention time (years versus months for an SEM), larger ingress ability\r\n(hundreds of terabytes per day), and the ability to perform more complex operations on the data like statistical and\r\ntrend analysis, pattern clustering analysis, or applying Machine Learning algorithms.\r\nHere's an approximate scaling guide for WEF events:\r\nEvents/second range | Data store\r\n0 - 5,000 | SQL or SEM\r\n5,000 - 50,000 | SEM\r\n50,000+ | Hadoop/HDInsight/Data Lake\r\nEvent generation on a device must be enabled either separately or as part of the GPO for the baseline WEF\r\nimplementation, including enabling of disabled event logs and setting channel permissions. For more info, see\r\nAppendix C - Event channel settings (enable and channel access) methods. This requirement exists because WEF is a\r\npassive system regarding the event log. It can't change the size of event log files, enable disabled event channels,\r\nhttps://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection\r\nPage 1 of 21\n\nchange channel permissions, or adjust a security audit policy. WEF only queries event channels for existing\r\nevents. Additionally, having event generation already occurring on a device allows for more complete event\r\ncollection, building a complete history of system activity. Otherwise, you'll be limited to the speed of GPO and\r\nWEF subscription refresh cycles to make changes to what is being generated on the device. 
On modern devices,\r\nenabling more event channels and expanding the size of event log files hasn't resulted in noticeable performance\r\ndifferences.\r\nFor the minimum recommended audit policy and registry system ACL settings, see Appendix A - Minimum\r\nrecommended minimum audit policy and Appendix B - Recommended minimum registry system ACL policy.\r\nNote\r\nThese are only the minimum values needed to meet what the WEF subscription selects.\r\nFrom a WEF subscription management perspective, the event queries provided should be used in two separate\r\nsubscriptions for ease of maintenance; only machines meeting specific criteria would be allowed access to the\r\ntargeted subscription. This access would be determined by an algorithm or an analyst's direction. All devices\r\nshould have access to the Baseline subscription.\r\nThis system of dual subscription means you would create two base subscriptions:\r\nBaseline WEF subscription. Events collected from all hosts; these events include some role-specific\r\nevents, which will only be emitted by those machines.\r\nTargeted WEF subscription. Events collected from a limited set of hosts due to unusual activity and/or\r\nheightened awareness for those systems.\r\nEach uses the respective event query below. For the Targeted subscription, the \"read existing events\"\r\noption should be set to true to allow collection of existing events from systems. By default, WEF subscriptions\r\nwill only forward events generated after the WEF subscription was received by the client.\r\nIn Appendix E - Annotated Baseline Subscription Event Query and Appendix F - Annotated Suspect Subscription\r\nEvent Query, the event query XML is included when creating WEF subscriptions. These subscriptions are\r\nannotated for query purpose and clarity. 
Individual \u003cQuery\u003e elements can be removed or edited without affecting\r\nthe rest of the query.\r\nCommon WEF questions\r\nThis section addresses common questions from IT pros and customers.\r\nWill the user notice if their machine is enabled for WEF or if WEF encounters an error?\r\nThe short answer is: No.\r\nThe longer answer is: The Eventlog-forwardingPlugin/Operational event channel logs the success, warning,\r\nand error events related to WEF subscriptions present on the device. Unless the user opens Event Viewer and\r\nnavigates to that channel, they won't notice WEF either through resource consumption or Graphical User Interface\r\npop-ups. Even if there's an issue with the WEF subscription, there's no user interaction or performance\r\ndegradation. All success, warning, and failure events are logged to this operational event channel.\r\nIs WEF Push or Pull?\r\nA WEF subscription can be configured to be pushed or pulled, but not both. The simplest, most flexible IT\r\ndeployment with the greatest scalability can be achieved by using a push, or source initiated, subscription. WEF\r\nclients are configured by using a GPO and the built-in forwarding client is activated. For pull, collector initiated,\r\nthe subscription on the WEC server is preconfigured with the names of the WEF Client devices from which events\r\nare to be selected. Those clients are to be configured ahead of time to allow the credentials used in the\r\nsubscription to access their event logs remotely (normally by adding the credential to the Event Log Readers\r\nbuilt-in local security group). 
A useful scenario: closely monitoring a specific set of machines.\r\nWill WEF work over VPN or RAS?\r\nWEF handles VPN, RAS, and DirectAccess scenarios well and will reconnect and send any accumulated backlog\r\nof events when the connection to the WEF Collector is re-established.\r\nHow is client progress tracked?\r\nThe WEC server maintains in its registry the bookmark information and last heartbeat time for each event source\r\nfor each WEF subscription. When an event source reconnects to a WEC server, the last bookmark position is sent\r\nto the device to use as a starting point to resume forwarding events. If a WEF client has no events to send, the\r\nWEF client connects periodically to send a Heartbeat to the WEC server to indicate it's active. This heartbeat\r\nvalue can be individually configured for each subscription.\r\nWill WEF work in an IPv4, IPv6, or mixed IPv4/IPv6 environment?\r\nYes. WEF is transport agnostic and will work over IPv4 or IPv6.\r\nAre WEF events encrypted? I see an HTTP/HTTPS option!\r\nIn a domain setting, the connection used to transmit WEF events is encrypted using Kerberos, by default (with\r\nNTLM as a fallback option, which can be disabled by using a GPO). Only the WEF collector can decrypt the\r\nconnection. Additionally, the connection between WEF client and WEC server is mutually authenticated\r\nregardless of authentication type (Kerberos or NTLM). There are GPO options to force authentication to use\r\nKerberos only.\r\nThis authentication and encryption is performed regardless of whether HTTP or HTTPS is selected.\r\nThe HTTPS option is available if certificate-based authentication is used, in cases where the Kerberos-based\r\nmutual authentication isn't an option. 
The SSL certificate and provisioned client certificates are used to provide\r\nmutual authentication.\r\nDo WEF Clients have a separate buffer for events?\r\nThe WEF client machine's local event log is the buffer for WEF for when the connection to the WEC server is lost.\r\nTo increase the \"buffer size\", increase the maximum file size of the specific event log file where events are being\r\nselected. For more info, see Appendix C - Event Channel Settings (enable and Channel Access) methods.\r\nWhen the event log overwrites existing events (resulting in data loss if the device isn't connected to the Event\r\nCollector), there's no notification sent to the WEF collector that events are lost from the client. Neither is there an\r\nindicator that there was a gap encountered in the event stream.\r\nWhat format is used for forwarded events?\r\nWEF has two modes for forwarded events. The default is \"Rendered Text\", which includes the textual description of\r\nthe event as you would see it in Event Viewer. This description's inclusion means that the event size is effectively\r\ndoubled or tripled depending on the size of the rendered description. The alternative mode is \"Events\" (also\r\nsometimes referred to as \"Binary\" format), which is just the event XML itself sent in binary XML format (as it\r\nwould be written to the evtx file). 
This format is compact and can more than double the event volume a single\r\nWEC server can accommodate.\r\nA subscription \"testSubscription\" can be configured to use the Events format through the WECUTIL utility:\r\n@rem set the content format of the subscription to Events (binary XML)\r\nWecutil ss \"testSubscription\" /cf:Events\r\nHow frequently are WEF events delivered?\r\nEvent delivery options are part of the WEF subscription configuration parameters. There are three built-in\r\nsubscription delivery options: Normal, Minimize Bandwidth, and Minimize Latency. A fourth, catch-all option called\r\n\"Custom\" is available but can't be selected or configured through the WEF UI by using Event Viewer. The Custom\r\ndelivery option must be selected and configured using the WECUTIL.EXE command-line application. All\r\nsubscription options define a maximum event count and maximum event age; if either limit is exceeded, then the\r\naccumulated events are sent to the event collector.\r\nThis table outlines the built-in delivery options:\r\nEvent delivery optimization option | Description\r\nNormal | This option ensures reliable delivery of events and doesn't attempt to conserve bandwidth. It's the appropriate choice unless you need tighter control over bandwidth usage or need forwarded events delivered as quickly as possible. It uses pull delivery mode, batches 5 items at a time and sets a batch timeout of 15 minutes.\r\nMinimize bandwidth | This option ensures that the use of network bandwidth for event delivery is strictly controlled. It's an appropriate choice if you want to limit the frequency of network connections made to deliver events. It uses push delivery mode and sets a batch timeout of 6 hours. 
In addition, it uses a heartbeat interval of 6 hours.\r\nMinimize latency | This option ensures that events are delivered with minimal delay. It's an appropriate choice if you're collecting alerts or critical events. It uses push delivery mode and sets a batch timeout of 30 seconds.\r\nFor more info about delivery options, see Configure Advanced Subscription Settings.\r\nThe primary difference is in the latency with which events are sent from the client. If none of the built-in options meet\r\nyour requirements, you can set Custom event delivery options for a given subscription from an elevated command\r\nprompt:\r\n@rem required to set the DeliveryMaxItems or DeliveryMaxLatencyTime\r\nWecutil ss \"SubscriptionNameGoesHere\" /cm:Custom\r\n@rem set DeliveryMaxItems to 1 event\r\nWecutil ss \"SubscriptionNameGoesHere\" /dmi:1\r\n@rem set DeliveryMaxLatencyTime to 10 ms\r\nWecutil ss \"SubscriptionNameGoesHere\" /dmlt:10\r\nHow do I control which devices have access to a WEF Subscription?\r\nFor source initiated subscriptions: Each WEF subscription on a WEC server has its own ACL for machine\r\naccounts or security groups containing machine accounts (not user accounts) that are explicitly allowed to\r\nparticipate in that subscription or are explicitly denied access. This ACL applies to only a single WEF subscription\r\n(since there can be multiple WEF subscriptions on a given WEC server); other WEF Subscriptions have their own\r\nseparate ACL.\r\nFor collector initiated subscriptions: The subscription contains the list of machines from which the WEC server is\r\nto collect events. This list is managed at the WEC server, and the credentials used for the subscription must have\r\naccess to read event logs from the WEF Clients - the credentials can be either the machine account or a domain\r\naccount.\r\nCan a client communicate to multiple WEF Event Collectors?\r\nYes. 
If you desire a High-Availability environment, configure multiple WEC servers with the same subscription\r\nconfiguration and publish both WEC Server URIs to WEF clients. WEF Clients forward events simultaneously to\r\nthe configured subscriptions on the WEC servers, if they have the appropriate access.\r\nWhat are the WEC server's limitations?\r\nThere are three factors that limit the scalability of WEC servers. The general rule for a stable WEC server on\r\ncommodity hardware is planning for a total of 3,000 events per second on average for all configured subscriptions.\r\nDisk I/O. The WEC server doesn't process or validate the received event, but rather buffers the received\r\nevent and then logs it to a local event log file (EVTX file). The speed of logging to the EVTX file is\r\nlimited by the disk write speed. Isolating the EVTX file to its own array or using high speed disks can\r\nincrease the number of events per second that a single WEC server can receive.\r\nNetwork Connections. While a WEF source doesn't maintain a permanent, persistent connection to the\r\nWEC server, it doesn't immediately disconnect after sending its events. This leniency means that the\r\nnumber of WEF sources that can simultaneously connect to the WEC server is limited to the open TCP\r\nports available on the WEC server.\r\nRegistry size. For each unique device that connects to a WEF subscription, there's a registry key\r\n(corresponding to the FQDN of the WEF Client) created to store bookmark and source heartbeat\r\ninformation. 
If this information isn't pruned to remove inactive clients, this set of registry keys can grow to\r\nan unmanageable size over time.\r\nWhen a subscription has \u003e1000 WEF sources connect to it over its operational lifetime, also known\r\nas lifetime WEF sources, Event Viewer can become unresponsive for a few minutes when selecting\r\nthe Subscriptions node in the left-navigation, but will function normally afterwards.\r\nAt \u003e50,000 lifetime WEF sources, Event Viewer is no longer an option and wecutil.exe (included\r\nwith Windows) must be used to configure and manage subscriptions.\r\nAt \u003e100,000 lifetime WEF sources, the registry won't be readable and the WEC server will likely\r\nhave to be rebuilt.\r\nSubscription information\r\nThe following lists all of the items that each subscription collects; the actual subscription XML is available in an\r\nAppendix. These items are separated out into Baseline and Targeted. The intent is to subscribe all hosts to\r\nBaseline, and then enroll (and remove) hosts on an as-needed basis to the Targeted subscription.\r\nBaseline subscription\r\nWhile this subscription appears to be the largest subscription, it really is the lowest volume on a per-device basis.\r\n(Exceptions should be allowed for unusual devices - a device performing complex developer related tasks can be\r\nexpected to create an unusually high volume of process create and AppLocker events.) This subscription doesn't\r\nrequire special configuration on client devices to enable event channels or modify channel permissions.\r\nThe subscription is essentially a collection of query statements applied to the Event Log. This structure means\r\nthat it's modular in nature and a given query statement can be removed or changed without impacting other query\r\nstatements in the subscription. 
Additionally, suppress statements, which filter out specific events, only apply within\r\nthat query statement and aren't applied to the entire subscription.\r\nBaseline subscription requirements\r\nTo gain the most value out of the baseline subscription, we recommend having the following requirements set on\r\nthe device to ensure that the clients are already generating the required events to be forwarded off the system.\r\nApply a security audit policy that is a super-set of the recommended minimum audit policy. For more info,\r\nsee Appendix A - Minimum Recommended minimum Audit Policy. This policy ensures that the security\r\nevent log is generating the required events.\r\nApply at least an Audit-Only AppLocker policy to devices.\r\nIf you're already allowing or restricting events by using AppLocker, then this requirement is met.\r\nAppLocker events contain useful information, such as file hash and digital signature information for\r\nexecutables and scripts.\r\nEnable disabled event channels and set the minimum size for modern event files.\r\nCurrently, there's no GPO template for enabling or setting the maximum size for the modern event files.\r\nThis threshold must be defined by using a GPO. For more info, see Appendix C - Event Channel Settings\r\n(enable and Channel Access) methods.\r\nThe items collected by the annotated event query are listed below. For more info, see Appendix F - Annotated Suspect\r\nSubscription Event Query.\r\nAnti-malware events from Windows Security. These events can be configured for any given anti-malware\r\nproduct easily if it writes to the Windows event log.\r\nSecurity event log Process Create events.\r\nAppLocker Process Create events (EXE, script, packaged App installation and execution).\r\nRegistry modification events. 
For more info, see Appendix B - Recommended minimum Registry System\r\nACL Policy.\r\nOS startup and shutdown\r\nStartup events include operating system version, service pack level, QFE version, and boot mode.\r\nService install\r\nIncludes the name of the service, the image path, and who installed the service.\r\nCertificate Authority audit events\r\nThese events are only applicable on systems with the Certificate Authority role installed.\r\nLogs certificate requests and responses.\r\nUser profile events\r\nUse of a temporary profile or inability to create a user profile may indicate an intruder is interactively\r\nlogging into a device but not wanting to leave a persistent profile behind.\r\nService start failure\r\nFailure codes are localized, so you have to check the message DLL for values.\r\nNetwork share access events\r\nFilter out IPC$ and /NetLogon file shares, which are expected and noisy.\r\nSystem shutdown initiate requests\r\nFind out what initiated the restart of a device.\r\nUser-initiated interactive sign out event\r\nRemote Desktop Services sessions connect, reconnect, or disconnect.\r\nEMET events, if EMET is installed.\r\nEvent forwarding plugin events\r\nFor monitoring WEF subscription operations, such as Partial Success events. 
This event is useful for\r\ndiagnosing deployment issues.\r\nNetwork share creation and deletion\r\nEnables detection of unauthorized share creation.\r\nNote\r\nAll shares are re-created when the device starts.\r\nSign-in sessions\r\nSign-in success for interactive (local and Remote Interactive/Remote Desktop)\r\nSign-in success for services for non-built-in accounts, such as LocalSystem, LocalNetwork, and so\r\non.\r\nSign-in success for batch sessions\r\nSign-in session close, which is sign out events for non-network sessions.\r\nWindows Error Reporting (Application crash events only)\r\nThis event can help detect early signs of an intruder not familiar with the enterprise environment using\r\ntargeted malware.\r\nEvent log service events\r\nErrors, start events, and stop events for the Windows Event Log service.\r\nEvent log cleared (including the Security Event Log)\r\nThis event could indicate an intruder that is covering their tracks.\r\nSpecial privileges assigned to new sign in\r\nThis assignment indicates that at the time of signing in, a user is either an Administrator or has\r\nsufficient access to make themselves Administrator.\r\nOutbound Remote Desktop Services session attempts\r\nVisibility into potential beachhead for intruder\r\nSystem time changed\r\nSMB Client (mapped drive connections)\r\nAccount credential validation\r\nLocal accounts or domain accounts on domain controllers\r\nA user was added or removed from the local Administrators security group.\r\nCrypto API private key accessed\r\nAssociated with signing objects using the locally stored private key.\r\nTask Scheduler task creation and delete\r\nTask Scheduler allows intruders to run code at specified times as LocalSystem.\r\nSign-in with explicit credentials\r\nDetect credential use changes by intruders to access more resources.\r\nSmartcard card 
holder verification events\r\nThis event detects when a smartcard is being used.\r\nSuspect subscription\r\nThis subscription adds some possible intruder-related activity to help analysts further refine their determinations\r\nabout the state of the device.\r\nSign-in session creation for network sessions\r\nEnables time-series analysis of network graphs.\r\nRADIUS and VPN events\r\nUseful if you use a Microsoft IAS RADIUS/VPN implementation. It shows user-\u003eIP address\r\nassignment with the remote IP address connecting to the enterprise.\r\nCrypto API X509 object and build chain events\r\nDetects known bad certificate, CA, or sub-CA\r\nDetects unusual process use of CAPI\r\nGroups assigned to local sign in\r\nGives visibility to groups that enable account-wide access\r\nAllows better planning for remediation efforts\r\nExcludes well known, built-in system accounts.\r\nSign-in session exit\r\nSpecific for network sign-in sessions.\r\nClient DNS lookup events\r\nReturns what process performed a DNS query and the results returned from the DNS server.\r\nProcess exit\r\nEnables checking for processes terminating unexpectedly.\r\nLocal credential validation or signing in with explicit credentials\r\nGenerated when the local SAM is authoritative for the account credentials being authenticated.\r\nNoisy on domain controllers\r\nOn client devices, it's only generated when local accounts sign in.\r\nRegistry modification audit events\r\nOnly when a registry value is being created, modified, or deleted.\r\nWireless 802.1x authentication\r\nDetect wireless connection with a peer MAC address\r\nWindows PowerShell logging\r\nCovers Windows PowerShell 2.0 and later and includes the Windows PowerShell 5.0 logging\r\nimprovements for in-memory attacks using Windows PowerShell.\r\nIncludes Windows PowerShell remoting logging\r\nUser Mode 
Driver Framework \"Driver Loaded\" event\r\nCan possibly detect a USB device loading multiple device drivers. For example, a USB_STOR\r\ndevice loading the keyboard or network driver.\r\nAppendix A - Minimum recommended minimum audit policy\r\nIf your organizational audit policy enables more auditing to meet its needs, that is fine. The policy below is the\r\nminimum audit policy settings needed to enable events collected by both baseline and targeted subscriptions.\r\nCategory | Subcategory | Audit settings\r\nAccount Logon | Credential Validation | Success and Failure\r\nAccount Management | Security Group Management | Success\r\nAccount Management | User Account Management | Success and Failure\r\nAccount Management | Computer Account Management | Success and Failure\r\nAccount Management | Other Account Management Events | Success and Failure\r\nDetailed Tracking | Process Creation | Success\r\nDetailed Tracking | Process Termination | Success\r\nLogon/Logoff | User/Device Claims | Not configured\r\nLogon/Logoff | IPsec Extended Mode | Not configured\r\nLogon/Logoff | IPsec Quick Mode | Not configured\r\nLogon/Logoff | Logon | Success and Failure\r\nLogon/Logoff | Logoff | Success\r\nLogon/Logoff | Other Logon/Logoff Events | Success and Failure\r\nLogon/Logoff | Special Logon | Success and Failure\r\nLogon/Logoff | Account Lockout | Success\r\nObject Access | Application Generated | Not configured\r\nObject Access | File Share | Success\r\nObject Access | File System | Not configured\r\nObject Access | Other Object Access Events | Not configured\r\nObject Access | Registry | Not configured\r\nObject Access | Removable Storage | Success\r\nPolicy Change | Audit Policy Change | Success and Failure\r\nPolicy Change | MPSSVC Rule-Level Policy Change | Success and Failure\r\nPolicy Change | Other Policy Change Events | Success and 
Failure\r\nPolicy Change | Authentication Policy Change | Success and Failure\r\nPolicy Change | Authorization Policy Change | Success and Failure\r\nPrivilege Use | Sensitive Privilege Use | Not configured\r\nSystem | Security State Change | Success and Failure\r\nSystem | Security System Extension | Success and Failure\r\nSystem | System Integrity | Success and Failure\r\nAppendix B - Recommended minimum registry system ACL policy\r\nThe Run and RunOnce keys are useful for intruders and malware persistence. They allow code to be run (or run only\r\nonce and then removed, respectively) when a user signs in to the system.\r\nThis approach can easily be extended to other Auto-Execution Start Points keys in the registry.\r\nUse the following figures to see how you can configure those registry keys.\r\nAppendix C - Event channel settings (enable and channel access) methods\r\nSome channels are disabled by default and have to be enabled. Others, such as Microsoft-Windows-CAPI2/Operational, must have the channel access modified to allow the Event Log Readers built-in security group\r\nto read from it.\r\nThe recommended and most effective way to do this customization is configuring the baseline GPO to run a\r\nscheduled task to configure the event channels (enable, set maximum size, and adjust channel access). 
This\r\nconfiguration will take effect at the next GPO refresh cycle and has minimal impact on the client device.\r\nThe GPO configuration described in this appendix performs the following tasks:\r\nEnables the Microsoft-Windows-Capi2/Operational event channel.\r\nSets the maximum file size for Microsoft-Windows-Capi2/Operational to 100 MB.\r\nSets the maximum file size for Microsoft-Windows-AppLocker/EXE and DLL to 100 MB.\r\nSets the channel access for Microsoft-Windows-Capi2/Operational to include the built-in\r\nEvent Log Readers security group.\r\nEnables the Microsoft-Windows-DriverFrameworks-UserMode/Operational event channel.\r\nSets the maximum file size for Microsoft-Windows-DriverFrameworks-UserMode/Operational to 50\r\nMB.\r\nThe following table contains the six actions to configure in the GPO (scheduled task program and arguments):\r\nProgram/Script | Arguments\r\n%SystemRoot%\\System32\\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /e:true\r\n%SystemRoot%\\System32\\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /ms:102432768\r\n%SystemRoot%\\System32\\wevtutil.exe | sl \"Microsoft-Windows-AppLocker/EXE and DLL\" /ms:102432768\r\n%SystemRoot%\\System32\\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /ca:\"O:BAG:SYD:(A;;0x7;;;BA)(A;;0x2;;;AU)(A;;0x1;;;S-1-5-32-573)\"\r\n%SystemRoot%\\System32\\wevtutil.exe | sl \"Microsoft-Windows-DriverFrameworks-UserMode/Operational\" /e:true\r\n%SystemRoot%\\System32\\wevtutil.exe | sl \"Microsoft-Windows-DriverFrameworks-UserMode/Operational\" /ms:52432896\r\nAppendix D - Minimum GPO for WEF Client configuration\r\nHere are the minimum steps for WEF to operate:\r\n1. Configure the collector URI(s).\r\n2. Start the WinRM service.\r\n3. 
Add the Network Service account to the built-in Event Log Readers security group. This addition allows\r\nreading from secured event channels, such as the security event channel.\r\nAppendix E - Annotated baseline subscription event query\r\n\u003cQueryList\u003e\r\n \u003cQuery Id=\"0\" Path=\"System\"\u003e\r\n \u003c!-- Anti-malware *old* events, but only detect events (cuts down noise) --\u003e\r\n \u003cSelect Path=\"System\"\u003e*[System[Provider[@Name='Microsoft Antimalware'] and (EventID \u0026gt;= 1116 and EventID \u0026\r\n \u003c/Query\u003e\r\n \u003c!-- AppLocker EXE events or Script events --\u003e\r\n \u003cQuery Id=\"1\" Path=\"Microsoft-Windows-AppLocker/EXE and DLL\"\u003e\r\n \u003cSelect Path=\"Microsoft-Windows-AppLocker/EXE and DLL\"\u003e*[UserData[RuleAndFileData[PolicyName=\"EXE\"]]]\u003c/Selec\r\n \u003cSelect Path=\"Microsoft-Windows-AppLocker/MSI and Script\"\u003e*\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"2\" Path=\"Security\"\u003e\r\n \u003c!-- Wireless Lan 802.1x authentication events with Peer MAC address --\u003e\r\n \u003cSelect Path=\"Security\"\u003e*[System[(EventID=5632)]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"3\" Path=\"Microsoft-Windows-TaskScheduler/Operational\"\u003e\r\n \u003c!-- Task scheduler Task Registered (106), Task Registration Deleted (141), Task Deleted (142) --\u003e\r\n \u003cSelect Path=\"Microsoft-Windows-TaskScheduler/Operational\"\u003e*[System[Provider[@Name='Microsoft-Windows-TaskSc\r\n \u003cSelect Path=\"System\"\u003e*[System[Provider[@Name='Microsoft-Windows-TaskScheduler'] and (EventID=106 or EventID\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"4\" 
Path=\"System\"\u003e\r\n \u003c!-- System startup (12 - includes OS/SP/Version) and shutdown --\u003e\r\n \u003cSelect Path=\"System\"\u003e*[System[Provider[@Name='Microsoft-Windows-Kernel-General'] and (EventID=12 or EventID\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"5\" Path=\"System\"\u003e\r\n \u003c!-- Service Install (7000), service start failure (7045), new service (4697) --\u003e\r\n \u003cSelect Path=\"System\"\u003e*[System[Provider[@Name='Service Control Manager'] and (EventID = 7000 or EventID=7045\r\n\u003cSelect Path=\"Security\"\u003e*[System[(EventID=4697)]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"6\" Path=\"Security\"\u003e\r\n \u003c!-- TS Session reconnect (4778), TS Session disconnect (4779) --\u003e\r\n \u003cSelect Path=\"Security\"\u003e*[System[(EventID=4778 or EventID=4779)]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"7\" Path=\"Security\"\u003e\r\n \u003c!-- Network share object access without IPC$ and Netlogon shares --\u003e\r\n \u003cSelect Path=\"Security\"\u003e*[System[(EventID=5140)]] and (*[EventData[Data[@Name=\"ShareName\"]!=\"\\\\*\\IPC$\"]]) an\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"8\" Path=\"Security\"\u003e\r\n \u003c!-- System Time Change (4616) --\u003e\r\n \u003cSelect Path=\"Security\"\u003e*[System[(EventID=4616)]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"9\" Path=\"System\"\u003e\r\n \u003c!-- Shutdown initiate requests, with user, process and reason (if supplied) --\u003e\r\n \u003cSelect Path=\"System\"\u003e*[System[Provider[@Name='USER32'] and (EventID=1074)]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003c!-- AppLocker packaged (Modern UI) app execution --\u003e\r\n \u003cQuery Id=\"10\" Path=\"Microsoft-Windows-AppLocker/Packaged app-Execution\"\u003e\r\n \u003cSelect Path=\"Microsoft-Windows-AppLocker/Packaged app-Execution\"\u003e*\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003c!-- AppLocker packaged (Modern UI) app installation 
--\u003e\r\n \u003cQuery Id=\"11\" Path=\"Microsoft-Windows-AppLocker/Packaged app-Deployment\"\u003e\r\n \u003cSelect Path=\"Microsoft-Windows-AppLocker/Packaged app-Deployment\"\u003e*\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"12\" Path=\"Application\"\u003e\r\n \u003c!-- EMET events --\u003e\r\n \u003cSelect Path=\"Application\"\u003e*[System[Provider[@Name='EMET']]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"13\" Path=\"System\"\u003e\r\n \u003c!-- Event log service events --\u003e\r\n \u003cSelect Path=\"System\"\u003e*[System[Provider[@Name='Microsoft-Windows-Eventlog']]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\nhttps://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection\r\nPage 17 of 21\n\n\u003cQuery Id=\"14\" Path=\"Security\"\u003e\r\n \u003c!-- Local logons without network or service events --\u003e\r\n \u003cSelect Path=\"Security\"\u003e*[System[(EventID=4624)]] and (*[EventData[Data[@Name=\"LogonType\"]!=\"3\"]]) and (*[Ev\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"15\" Path=\"Application\"\u003e\r\n \u003c!-- WER events for application crashes only --\u003e\r\n \u003cSelect Path=\"Application\"\u003e*[System[Provider[@Name='Windows Error Reporting']]] and (*[EventData[Data[3] =\"A\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"16\" Path=\"Security\"\u003e\r\n \u003c!-- Security Log cleared events (1102), EventLog Service shutdown (1100)--\u003e\r\n \u003cSelect Path=\"Security\"\u003e*[System[(EventID=1102 or EventID = 1100)]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"17\" Path=\"System\"\u003e\r\n \u003c!-- Other Log cleared events (104)--\u003e\r\n \u003cSelect Path=\"System\"\u003e*[System[(EventID=104)]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"18\" Path=\"Security\"\u003e\r\n \u003c!-- user initiated logoff --\u003e\r\n \u003cSelect 
Path=\"Security\"\u003e*[System[(EventID=4647)]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"19\" Path=\"Security\"\u003e\r\n \u003c!-- user logoff for all non-network logon sessions--\u003e\r\n \u003cSelect Path=\"Security\"\u003e*[System[(EventID=4634)]] and (*[EventData[Data[@Name=\"LogonType\"] != \"3\"]])\u003c/Select\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"20\" Path=\"Security\"\u003e\r\n \u003c!-- Service logon events if the user account isn't LocalSystem, NetworkService, LocalService --\u003e\r\n \u003cSelect Path=\"Security\"\u003e*[System[(EventID=4624)]] and (*[EventData[Data[@Name=\"LogonType\"]=\"5\"]]) and (*[Eve\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"21\" Path=\"Security\"\u003e\r\n \u003c!-- Network Share create (5142), Network Share Delete (5144) --\u003e\r\n \u003cSelect Path=\"Security\"\u003e*[System[(EventID=5142 or EventID=5144)]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"22\" Path=\"Security\"\u003e\r\n \u003c!-- Process Create (4688) --\u003e\r\n \u003cSelect Path=\"Security\"\u003e*[System[EventID=4688]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"23\" Path=\"Security\"\u003e\r\n \u003c!-- Event log service events specific to Security channel --\u003e\r\n \u003cSelect Path=\"Security\"\u003e*[System[Provider[@Name='Microsoft-Windows-Eventlog']]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"26\" Path=\"Security\"\u003e\r\n \u003c!-- Special Privileges (Admin-equivalent Access) assigned to new logon, excluding LocalSystem--\u003e\r\n \u003cSelect Path=\"Security\"\u003e*[System[(EventID=4672)]]\u003c/Select\u003e\r\n \u003cSuppress Path=\"Security\"\u003e*[EventData[Data[1]=\"S-1-5-18\"]]\u003c/Suppress\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"27\" Path=\"Security\"\u003e\r\n \u003c!-- New user added to local security 
group--\u003e\r\n \u003cSelect Path=\"Security\"\u003e*[System[(EventID=4732)]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"28\" Path=\"Security\"\u003e\r\n \u003c!-- New user added to global security group--\u003e\r\n \u003cSelect Path=\"Security\"\u003e*[System[(EventID=4728)]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"29\" Path=\"Security\"\u003e\r\n \u003c!-- New user added to universal security group--\u003e\r\n \u003cSelect Path=\"Security\"\u003e*[System[(EventID=4756)]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"30\" Path=\"Security\"\u003e\r\n \u003c!-- User removed from local Administrators group--\u003e\r\n \u003cSelect Path=\"Security\"\u003e*[System[(EventID=4733)]] and (*[EventData[Data[@Name=\"TargetUserName\"]=\"Administrat\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"31\" Path=\"Microsoft-Windows-TerminalServices-RDPClient/Operational\"\u003e\r\n \u003c!-- Log attempted TS connect to remote server --\u003e\r\n \u003cSelect Path=\"Microsoft-Windows-TerminalServices-RDPClient/Operational\"\u003e*[System[(EventID=1024)]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"32\" Path=\"Security\"\u003e\r\n \u003c!-- Certificate Services received certificate request (4886), Approved and Certificate issued (4887), Denie\r\n \u003cSelect Path=\"Security\"\u003e*[System[(EventID=4886 or EventID=4887 or EventID=4888)]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"34\" Path=\"Security\"\u003e\r\n \u003c!-- New User Account Created(4720), User Account Enabled (4722), User Account Disabled (4725), User Account\r\n \u003cSelect Path=\"Security\"\u003e*[System[(EventID=4720 or EventID=4722 or EventID=4725 or EventID=4726)]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"35\" 
Path=\"Microsoft-Windows-SmartCard-Audit/Authentication\"\u003e\r\n \u003c!-- Gets all Smart-card Card-Holder Verification (CHV) events (success and failure) performed on the host.\r\n \u003cSelect Path=\"Microsoft-Windows-SmartCard-Audit/Authentication\"\u003e*\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"36\" Path=\"Microsoft-Windows-SMBClient/Operational\"\u003e\r\n \u003c!-- get all UNC/mapped drive successful connection --\u003e\r\n \u003cSelect Path=\"Microsoft-Windows-SMBClient/Operational\"\u003e*[System[(EventID=30622 or EventID=30624)]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"37\" Path=\"Application\"\u003e\r\n \u003c!-- User logging on with Temporary profile (1511), cannot create profile, using temporary profile (1518)--\u003e\r\n \u003cSelect Path=\"Application\"\u003e*[System[Provider[@Name='Microsoft-Windows-User Profiles Service'] and (EventID=1\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"39\" Path=\"Microsoft-Windows-Sysmon/Operational\"\u003e\r\n \u003c!-- Modern SysMon event provider--\u003e\r\n \u003cSelect Path=\"Microsoft-Windows-Sysmon/Operational\"\u003e*\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"40\" Path=\"Application\"\u003e\r\n \u003c!-- Application crash/hang events, similar to WER/1001. 
These include full path to faulting EXE/Module.--\u003e\r\n \u003cSelect Path=\"Application\"\u003e*[System[Provider[@Name='Application Error'] and (EventID=1000)]]\u003c/Select\u003e\r\n \u003cSelect Path=\"Application\"\u003e*[System[Provider[@Name='Application Hang'] and (EventID=1002)]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"41\" Path=\"Microsoft-Windows-Windows Defender/Operational\"\u003e\r\n \u003c!-- Modern Windows Defender event provider Detection events (1006-1009) and (1116-1119) --\u003e\r\n \u003cSelect Path=\"Microsoft-Windows-Windows Defender/Operational\"\u003e*[System[( (EventID \u0026gt;= 1006 and EventID \u0026lt\r\n \u003cSelect Path=\"Microsoft-Windows-Windows Defender/Operational\"\u003e*[System[( (EventID \u0026gt;= 1116 and EventID \u0026lt\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"42\" Path=\"Security\"\u003e\r\n \u003c!-- An account Failed to Log on events --\u003e\r\n \u003cSelect Path=\"Security\"\u003e*[System[(EventID=4625)]] and (*[EventData[Data[@Name=\"LogonType\"]!=\"2\"]]) \u003c/Select\u003e\r\n \u003c/Query\u003e\r\n\u003c/QueryList\u003e\r\nAppendix F - Annotated Suspect Subscription Event Query\r\n\u003cQueryList\u003e\r\n \u003cQuery Id=\"0\" Path=\"Security\"\u003e\r\n \u003c!-- Network logon events--\u003e\r\n \u003cSelect Path=\"Security\"\u003e*[System[(EventID=4624)]] and (*[EventData[Data[@Name=\"LogonType\"]=\"3\"]])\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"1\" Path=\"System\"\u003e\r\n \u003c!-- RADIUS authentication events User Assigned IP address (20274), User successfully authenticated (20250),\r\n \u003cSelect Path=\"System\"\u003e*[System[Provider[@Name='RemoteAccess'] and (EventID=20274 or EventID=20250 or EventID\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"2\" Path=\"Microsoft-Windows-CAPI2/Operational\"\u003e\r\n \u003c!-- 
CAPI events Build Chain (11), Private Key accessed (70), X509 object (90)--\u003e\r\n \u003cSelect Path=\"Microsoft-Windows-CAPI2/Operational\"\u003e*[System[(EventID=11 or EventID=70 or EventID=90)]]\u003c/Sele\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"3\" Path=\"Security\"\u003e\r\n \u003c!-- CA stop/Start events CA Service Stopped (4880), CA Service Started (4881), CA DB row(s) deleted (4896),\r\n \u003cSelect Path=\"Security\"\u003e*[System[(EventID=4880 or EventID = 4881 or EventID = 4896 or EventID = 4898)]]\u003c/Sel\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"4\" Path=\"Microsoft-Windows-LSA/Operational\"\u003e\r\n \u003c!-- Groups assigned to new login (except for well known, built-in accounts)--\u003e\r\n \u003cSelect Path=\"Microsoft-Windows-LSA/Operational\"\u003e*[System[(EventID=300)]] and (*[EventData[Data[@Name=\"Targe\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"5\" Path=\"Security\"\u003e\r\n \u003c!-- Logoff events - for Network Logon events--\u003e\r\n \u003cSelect Path=\"Security\"\u003e*[System[(EventID=4634)]] and (*[EventData[Data[@Name=\"LogonType\"] = \"3\"]])\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"6\" Path=\"Security\"\u003e\r\n \u003c!-- RRAS events - only generated on Microsoft IAS server --\u003e\r\n \u003cSelect Path=\"Security\"\u003e*[System[( (EventID \u0026gt;= 6272 and EventID \u0026lt;= 6280) )]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"7\" Path=\"Microsoft-Windows-DNS-Client/Operational\"\u003e\r\n \u003c!-- DNS Client events Query Completed (3008) --\u003e\r\n \u003cSelect Path=\"Microsoft-Windows-DNS-Client/Operational\"\u003e*[System[(EventID=3008)]]\u003c/Select\u003e\r\n \u003c!-- suppresses local machine name resolution events --\u003e\r\n \u003cSuppress 
Path=\"Microsoft-Windows-DNS-Client/Operational\"\u003e*[EventData[Data[@Name=\"QueryOptions\"]=\"14073748835532\r\n\u003c!-- suppresses empty name resolution events --\u003e\r\n\u003cSuppress Path=\"Microsoft-Windows-DNS-Client/Operational\"\u003e*[EventData[Data[@Name=\"QueryResults\"]=\"\"]]\u003c/Suppress\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"8\" Path=\"Security\"\u003e\r\n \u003c!-- Process Terminate (4689) --\u003e\r\n \u003cSelect Path=\"Security\"\u003e*[System[(EventID = 4689)]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"9\" Path=\"Security\"\u003e\r\n \u003c!-- Local credential authentication events (4776), Logon with explicit credentials (4648) --\u003e\r\n \u003cSelect Path=\"Security\"\u003e*[System[(EventID=4776 or EventID=4648)]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"10\" Path=\"Security\"\u003e\r\n \u003c!-- Registry modified events for Operations: New Registry Value created (%%1904), Existing Registry Value m\r\n \u003cSelect Path=\"Security\"\u003e*[System[(EventID=4657)]] and ((*[EventData[Data[@Name=\"OperationType\"] = \"%%1904\"]]\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"11\" Path=\"Security\"\u003e\r\n \u003c!-- Request made to authenticate to Wireless network (including Peer MAC (5632) --\u003e\r\n \u003cSelect Path=\"Security\"\u003e*[System[(EventID=5632)]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"12\" Path=\"Microsoft-Windows-PowerShell/Operational\"\u003e\r\n \u003c!-- PowerShell execute block activity (4103), Remote Command(4104), Start Command(4105), Stop Command(4106)\r\n \u003cSelect Path=\"Microsoft-Windows-PowerShell/Operational\"\u003e*[System[(EventID=4103 or EventID=4104 or EventID=41\r\n \u003c/Query\u003e\r\n \u003cQuery Id=\"13\" Path=\"Microsoft-Windows-DriverFrameworks-UserMode/Operational\"\u003e\r\n \u003c!-- Detect User-Mode drivers loaded - for potential BadUSB detection. 
--\u003e\r\n \u003cSelect Path=\"Microsoft-Windows-DriverFrameworks-UserMode/Operational\"\u003e*[System[(EventID=2004)]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n\u003cQuery Id=\"14\" Path=\"Windows PowerShell\"\u003e\r\n \u003c!-- Legacy PowerShell pipeline execution details (800) --\u003e\r\n \u003cSelect Path=\"Windows PowerShell\"\u003e*[System[(EventID=800)]]\u003c/Select\u003e\r\n \u003c/Query\u003e\r\n\u003c/QueryList\u003e\r\nAppendix G - Online resources\r\nYou can get more info with the following links:\r\nEvent Selection\r\nEvent Queries and Event XML\r\nEvent Query Schema\r\nWindows Event Collector\r\nSource: https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection\r\nhttps://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection\r\nPage 21 of 21",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection"
	],
	"report_names": [
		"use-windows-event-forwarding-to-assist-in-intrusion-detection"
	],
	"threat_actors": [],
	"ts_created_at": 1775434159,
	"ts_updated_at": 1775826773,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/47162b22900b14adf70c7da3865eaff6557b4cf8.pdf",
		"text": "https://archive.orkl.eu/47162b22900b14adf70c7da3865eaff6557b4cf8.txt",
		"img": "https://archive.orkl.eu/47162b22900b14adf70c7da3865eaff6557b4cf8.jpg"
	}
}