This is intended to be a launch page for links to a number of resources regarding Windows Event Forwarding (WEF)

Intrusion Detection

Use Windows Event Forwarding to help with intrusion detection

This is a very comprehensive paper covering WEF in detail written by internal engineers at MSFT that utilize WEF at an extremely large scale ~700k clients.

Even though the title says intrusion detection the bulk of the paper is about operational WEF and should be read if you are planning on utilizing WEF.

Whitepaper & Guidance

NSA's Whitepaper on spotting lateral movement via WEF along with the GitHub they host and the scripts etc to implement the guidance.

Basic WEF guide

Monitoring what matters:


Ignite Presentation on WEF :

Microsoft Virtual Academy

session on Windows Event Forwarding:

Build a fast, free, and effective Threat Hunting/Incident Response Console with Windows Event Forwarding and PowerBI

Knowledge base

Detailed descriptions of all the events and Event IDs in Advanced Audit Policy Settings and what they mean:


Tracking LAM

Tracking Lateral Account Movement / Special Groups Monitoring :

XPath and Subscription Filters

Creating Custom Windows Event Forwarding Logs

Setting up Tiered Forwarders

WEF Event IDs