I apologize if this is not the proper avenue, but it was the only one I could recognize. Is it listed anywhere what the baseline audit/advanced audit policy settings/GPOs that need to be in place in order for all these event IDs to exist in the first place (ex. Microsoft Recommended baseline, or secure audit policy settings, or perhaps audit policy settings specific to this repo. -Cliff, CISSP

At least on Windows Server 2016, the name of the ETW Provider is Microsoft-Windows-CertificateServicesClient-Lifecycle-System with GUID BC0669E1-A10D-4A78-834E-1CA3C806C93B.

In https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events it is Microsoft-Windows-CertificateServicesClientLifecycle-System for the EventSource

Event with ID = 7045 from System log has incorrect source in section "Software and Service Installation" of "Recommended Events to Collect" document.
Correct source for this event is "Service Control Manager":

• Provider
  [ Name] Service Control Manager
  [ Guid] {555908d1-a6d7-4695-8e1e-26931d2012f4}
  [ EventSourceName] Service Control Manager
• EventID 7045
  Also, I create pull request #12 to modify "RecommendedEvents.json" file

There is an error exists in "Windows Event Monitoring Guidance\Recommended Events to Collect" document (https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events), in table from "Certificate Services" section. Wrong event log specified for event id = 90. "Microsoft-Windows-CertificationAuthority" is not the event log - it is source of events from Application log.

According to Microsoft documentation the event id = 95 is wrote to log when security permissions are corrupted or missing:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd338541(v=ws.10)

Level 3 gives you the warnings--level 2 will be very noisy. If you do level 2, it would require additional analytics after collection (i.e. at the WEC) to make use of them...

Thoughts?

I emailed [email protected] for more specific contact information Nov. 19th but have heard nothing back yet...

I have connectivity between sources and collector, and have had events come in for test subscriptions. My question/concern is how to most simply organize individual subscriptions, given the fact that event IDs are only unique to sources, and not logs. For example, is it the case that the particular event IDs recommended to be tracked in the Excel spreadsheet "are" unique for each log, or would I have to separate each subscription by event source to be sure I was not getting different events (one I care about, and others I don't want to forward) from the same log that happened to have the same event ID?

The report referenced in the README that sends one here:
https://www.iad.gov/iad/library/ia-guidance/security-configuration/applications/spotting-the-adversary-with-windows-event-log-monitoring.cfm

...results in a 404 if you click on the "GET FILE" icon. Is there another location for this report? Not sure if this is version 2, but I was able to d/l a version of the file from this URL:

https://www.iad.gov/iad/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm

8002,8003,8004 are not described correctly in the RecommendedEvents files.

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker

8002 - allowed to run
8003 - would be blocked if enforcement was on
8004 - was blocked

8006 Would be blocked if Enforcement On Microsoft-Windows-AppLocker/MSI and Script
8007 Was Blocked Warning Microsoft-Windows-AppLocker/MSI and Script

Right brackets in the XPath queries for the WiFi connection encryption status and WiFi connection authentication status events are in the wrong location. See commit 98da795 for the fix.