Threat Hunting with Windows Event Forwarding
Windows Event Forwarding (WEF) is a way you can get event logs from Windows computers and collect them on Windows Event Collector (WEC) servers. In this Threat Hunting with Windows Event Forwarding course, you will use WEF for incident detection with step-by-step instructions for configuration and management workflows.
In this course we will learn about Windows Event Forwarding. Not many people are aware of it and take advantage of this built-in native tool. Windows Event Forwarding (WEF) is a way you can get any or all event logs from Windows computers and collect them on one or more Windows Event Collector (WEC) servers.
We will provide a framework for detecting current Active Directory attack methods used by red teams for penetration testing including Lateral Movement and best practices from across the globe. The default configuration of windows does not track events required for investigation of incidents. In this course, we will provide configurations to allow you to setup verbose logging to detect suspicious events.
Understand and configure Active Directory Group Policies. Need to be familiar with Windows event logs. Need one or more Windows servers for event collection.
By the end of the course, students should be able to:
- Configure Windows Event Logging to capture malicious activity like Lateral Movement
- Collect events from Windows servers and workstations using Windows Event Collector (WEC)
- Use a threat detection framework from MITRE to perform hunt for malicious activity like Lateral Movement
Complete this entire course to earn a Threat Hunting with Windows Event Forwarding Certificate of Completion
In this lab you will use Splunk Enterprise to ingest logs from a local host ...
This last lab is similar to the Windows Incident Response lab, but different in that ...