This page is intended as a launch page collecting links to a number of resources on Windows Event Forwarding (WEF).

Use Windows Event Forwarding to help with intrusion detection

This is a very comprehensive paper covering WEF in detail, written by Microsoft engineers who operate WEF at very large scale (~700k clients).

Although the title says intrusion detection, the bulk of the paper is about running WEF operationally, and it should be read by anyone planning to deploy WEF.

NSA's whitepaper on spotting lateral movement via WEF, along with the GitHub repository they host containing the scripts and other material needed to implement the guidance.

Ignite presentation on WEF:

Monitoring what matters, a basic WEF guide:

Microsoft Virtual Academy session on Windows Event Forwarding:

Build a fast, free, and effective Threat Hunting/Incident Response Console with Windows Event Forwarding and PowerBI

Tracking Lateral Account Movement / Special Groups Monitoring:

Detailed descriptions of all the events and Event IDs generated by the Advanced Audit Policy settings, and what each one means:

XPath and Subscription Filters
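
As an added illustration for this item (example code written for this page, not code from the linked resource or from Microsoft), the following builds a source-initiated WEF subscription whose XPath filter selects Security events commonly used when tracking lateral movement, validates the filter against the local Security log with Get-WinEvent, and then registers it on the collector with wecutil. The subscription name, the choice of event IDs and logon types, the batching and heartbeat values, and the temporary file path are assumptions made for the example; adjust them to your own audit policy.

```powershell
# Added example for this page (not from the linked resource). Run on the
# collector as an administrator. Event IDs, logon types, subscription name
# and batching values below are illustrative assumptions.

# 1. The XPath filter. WEF uses the same restricted XPath dialect as Event
#    Viewer custom views: System fields plus EventData/Data[@Name='...'].
$query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <!-- 4624 logons over the network (type 3) or RDP (type 10); console logons are noise here -->
    <Select Path="Security">*[System[(EventID=4624)] and EventData[Data[@Name='LogonType']='3' or Data[@Name='LogonType']='10']]</Select>
    <!-- 4672 special privileges assigned, 4648 explicit credentials, 4768/4769 Kerberos, 4776 NTLM -->
    <Select Path="Security">*[System[(EventID=4672 or EventID=4648 or EventID=4768 or EventID=4769 or EventID=4776)]]</Select>
    <!-- Suppress anonymous network logons to keep volume down (assumption: not of interest on this network) -->
    <Suppress Path="Security">*[System[(EventID=4624)] and EventData[Data[@Name='TargetUserName']='ANONYMOUS LOGON']]</Suppress>
  </Query>
</QueryList>
'@

# 2. Validate the filter locally before deploying it. Get-WinEvent takes the
#    same QueryList XML, so a malformed XPath fails here rather than silently
#    matching nothing on every forwarder. "No events were found" is not an
#    error for this check, so it is suppressed.
$sample = Get-WinEvent -FilterXml ([xml]$query) -MaxEvents 20 -ErrorAction SilentlyContinue
$sample | Select-Object TimeCreated, Id, MachineName | Format-Table -AutoSize

# 3. Wrap the filter in a source-initiated subscription. Domain Computers
#    (SDDL O:NSG:NSD:(A;;GA;;;DC)) are allowed to forward; the clients are
#    pointed at this collector via the SubscriptionManager Group Policy setting.
$subscriptionId = 'LateralMovement-Security'
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionId</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security events used to track lateral account movement (added example)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="3600000"/>
    </PushSettings>
  </Delivery>
  <Query><![CDATA[
$query
]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@

# 4. Register it. "wecutil qc /q" enables the Windows Event Collector service
#    without prompting; "cs" creates the subscription from the XML file and
#    "gs" reads it back so the stored query can be eyeballed.
$path = Join-Path $env:TEMP "$subscriptionId.xml"
Set-Content -Path $path -Value $subscription -Encoding UTF8
wecutil qc /q
wecutil cs $path
wecutil gs $subscriptionId
```

The Suppress element is applied after the Select elements within the same Query, which is the usual way to trim a noisy event class without dropping the whole event ID. ContentFormat RenderedText makes forwarded events readable on the collector without the source machines' message resources, at the cost of larger payloads; use Events if bandwidth matters more than readability.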

Setting up Tiered Forwarders

WEF Event IDs

Creating Custom Windows Event Forwarding Logs