If you have been following along with this project you should be at the stage where you have WEF configured through group policy, with endpoints pushing events to the collector over WinRM, and nxlog installed on the collector and forwarding those events to a Graylog server. We also covered installing and configuring Sysmon. Our test environment looks like this.

We have discussed some basic subscription setups, but now we are ready to fine tune things and quiet some of the noise for our alerting. Don’t forget this setup can be implemented in many different ways depending on your end goal. If the goal is simply to store and collect as many logs as you can, then you need to consider and test how you scale that up and make sure you have the resources for it. Here, however, we are looking to configure only the events we would be interested in from a security standpoint. Too many logs in this case is the enemy. You need concise, targeted logging that lets you see what is important straight away and react quickly.
Microsoft has a great resource here https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor which lists EventIDs and gives a brief explanation of each.
Some of these resources are also definitely worth a look. Don’t just blindly follow online tutorials; go away and do a bit of homework so you understand what you’re doing. https://github.com/jepayneMSFT/WEFFLES https://github.com/ukncsc/lme
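To make the "targeted logging" idea above concrete, here is an added example of a source-initiated WEF subscription that selects only a handful of security-relevant events and suppresses one common source of noise. This is example configuration written for this post, not a file from the project, WEFFLES or LME. The subscription name, the latency and heartbeat values, and the particular event IDs chosen (well-known Security log IDs for logons, explicit credential use and account management, plus Sysmon process-creation and network-connection events) are assumptions for illustration; pick your own set from the Microsoft list linked above. The `AllowedSourceDomainComputers` SDDL is the stock Domain Computers descriptor from Microsoft's documentation.

```xml
<Subscription xmlns="http://schemas.microsoft.com/2004/06/eventing/subscription/">
  <!-- Example only: name and settings are assumptions for this post -->
  <SubscriptionId>Security-Targeted-Example</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Targeted security events only (example subscription)</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <!-- deliver within 30 seconds; lower for faster alerting, higher to save bandwidth -->
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <!-- hourly heartbeat so a silent client shows up as a problem, not as "no events" -->
      <Heartbeat Interval="3600000"/>
    </PushSettings>
  </Delivery>
  <Query>
    <![CDATA[
<QueryList>
  <Query Id="0" Path="Security">
    <!-- logon success/failure, explicit credentials, account and group changes -->
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4648 or EventID=4720 or EventID=4728 or EventID=4732 or EventID=4756)]]</Select>
    <!-- suppress successful anonymous logons, which flood the log on file servers -->
    <Suppress Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='TargetUserName']='ANONYMOUS LOGON']]</Suppress>
  </Query>
  <Query Id="1" Path="Microsoft-Windows-Sysmon/Operational">
    <!-- Sysmon process creation (1) and network connection (3) -->
    <Select Path="Microsoft-Windows-Sysmon/Operational">*[System[(EventID=1 or EventID=3)]]</Select>
  </Query>
</QueryList>
    ]]>
  </Query>
  <!-- only new events; do not replay existing logs when a client first checks in -->
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <!-- SDDL granting Domain Computers the right to forward -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
```

Save it on the collector and load it with `wecutil cs security-targeted.xml`; `wecutil gr Security-Targeted-Example` then shows which sources are active and when each last checked in. The `Suppress` element is the tool for quieting noise at the source rather than in Graylog: events it matches are never forwarded, so they cost nothing on the wire or in storage. Windows event XPath supports only simple comparisons (no string functions like `contains`), so noise filters have to be written as exact matches on named `EventData` fields like the one above.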
