This is intended to be a launch page for links to a number of resources regarding Windows Event Forwarding (WEF).

Use Windows Event Forwarding to help with intrusion detection:

https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection

This is a very comprehensive paper covering WEF in detail, written by internal engineers at Microsoft who use WEF at an extremely large scale (~700k clients).

Even though the title says intrusion detection, the bulk of the paper is about operating WEF, and it should be read by anyone planning to deploy WEF.

NSA's whitepaper on spotting lateral movement via WEF, along with the GitHub repository they host containing the scripts and other material needed to implement the guidance:

https://www.iad.gov/iad/library/ia-guidance/security-configuration/applications/spotting-the-adversary-with-windows-event-log-monitoring.cfm

https://github.com/iadgov/Event-Forwarding-Guidance

Ignite presentation on WEF:

https://channel9.msdn.com/Events/Ignite/Australia-2015/INF327

Monitoring what matters, a basic WEF guide:

https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/

Microsoft Virtual Academy session on Windows Event Forwarding:

https://mva.microsoft.com/en-US/training-courses/event-forwarding-and-log-analysis-16506

Build a fast, free, and effective Threat Hunting/Incident Response console with Windows Event Forwarding and PowerBI:

https://aka.ms/weffles

Tracking lateral account movement / Special Groups monitoring:

https://blogs.technet.microsoft.com/jepayne/2015/11/26/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts/

Detailed descriptions of all the events and Event IDs in Advanced Audit Policy Settings and what they mean:

https://support.microsoft.com/en-us/kb/977519

XPath and subscription filters:

https://blogs.technet.microsoft.com/kfalde/2015/05/27/some-posh-to-help-with-evt-xpath-filter-creations/

https://blogs.technet.microsoft.com/kfalde/2014/03/24/xpath-event-log-filtering/

http://blog.backslasher.net/filtering-windows-event-log-using-xpath.html

Setting up tiered forwarders:

https://blogs.msdn.microsoft.com/canberrapfe/2015/09/21/diy-client-monitoring-setting-up-tiered-event-forwarding/

WEF Event IDs:

http://social.technet.microsoft.com/wiki/contents/articles/34169.wef-event-id-s.aspx

Creating custom Windows Event Forwarding logs:

https://blogs.technet.microsoft.com/russellt/2016/05/18/creating-custom-windows-event-forwarding-logs/