Mastering Windows Event Forwarding (WEF) for Unmatched SIEM Capabilities



Among the multitudes of log sources that are essential for monitoring a company, Windows Event Forwarding (WEF) unequivocally claims the top spot. With the ability to gather thousands of types of events from every computer within an organization, WEF offers near-complete visibility into network activities.

By utilizing our Mobula Platform, configuring WEF becomes a breeze, enabling the collection of more than 6000 types of logs in a matter of minutes. 

Making WEF Work for You

Below are some key strategies to ensure you maximize your use of WEF and, by extension, enhance your SIEM capabilities:

1. Understand and Modify Default Configurations: It’s vital to comprehend the default configurations for each log and modify them as necessary. For instance, the default setting for event 4688 does not audit the command line. Knowing such specifics allows for necessary alterations to enhance monitoring.

2. Collect Comprehensive Data: Strive to accumulate data from all folders in the event viewer that provide information critical to understanding activities on each computer.
With the Mobula platform, we facilitate the collection from over 50 such folders.

3. Exclude Non-Essential Events: Not every event brings valuable insights. Some create excessive events per seconds (EPS) but add little to no value. Identifying and excluding these events can streamline your log management process.

4. Create Cross-Correlation Reports: Such reports help identify computers that are not reporting, possibly due to issues like firewall blocking.

5. Tune the WEC: Optimize your Windows Event Collector (WEC) to handle the reception of events from thousands of computers.
With Mobula, we have successfully scaled up collection capabilities from a single server to manage up to 10,000 computers.

6. Keep Configurations Updated: As a Managed Security Service Provider (MSSP), it’s vital to keep all configurations updated. For instance, during the PrintNightmare exploit, monitoring the vulnerability required collecting events from the spooler folder. Without the capability to configure WEF, this would not have been possible.
However, with Mobula, updates to all servers globally can be achieved in minutes.

7. Collect Wisely: Collecting every bit of data available can quickly rack up costs. It’s essential to know what to collect and how to do so. When done right, the information gathered is invaluable, contributing significantly to enhancing your security posture.

In conclusion, mastering WEF is a crucial aspect of achieving enhanced SIEM capabilities. With careful tuning, collection, and configuration, WEF can provide unparalleled visibility into your network activities.

With our Mobula platform, these steps can be completed with ease and efficiency.

More to explorer

New Deployed Rules

Process CreationSuspicious Execution Location Of Wermgr.EXEPotential CVE-2023-36874 Exploitation – Fake Wermgr ExecutionNetwork Reconnaissance ActivityNode Process ExecutionsNslookup PowerShell Download Cradle – Process CreationSuspicious

New Deployed Rules

Account ManagementOutgoing Logon with New CredentialsRottenPotato Like Attack PatternScanner PoC for CVE-2019-0708 RDP RCE Vuln File EventWebDAV Temporary Local File CreationSCR File

New Deployed Rules

Process CreationMMC20 Lateral Movement Process CreationMMC Spawning Windows Shell Process CreationPotential Arbitrary Command Execution Using Msdt.EXE Process CreationSuspicious MSDT Parent Process Process

Sign up for our newsletter

Time to market

One-day SIEM integration