Repository layout (nsacyber/Event-Forwarding-Guidance):

.
├── CONTRIBUTING.md
├── DISCLAIMER.md
├── Events
│   ├── README.md
│   ├── RecommendedEvents.csv
│   └── RecommendedEvents.json
├── LICENSE.md
├── README.md
├── README.txt
├── Subscriptions
│   ├── LSA Protection.xml
│   ├── NT6
│   │   ├── AccountLocked.xml
│   │   ├── AccountLogons.xml
│   │   ├── AppCrash.xml
│   │   ├── BsodErr.xml
│   │   ├── DefenderErr.xml
│   │   ├── EMETLogs.xml
│   │   ├── ExpCreds.xml
│   │   ├── GrpPolicyErr.xml
│   │   ├── KernelDriverDetect.xml
│   │   ├── LogDel.xml
│   │   ├── MsiPackages.xml
│   │   ├── PrintDetect.xml
│   │   ├── ServiceManager.xml
│   │   ├── USBDetection.xml
│   │   ├── UserToPriv.xml
│   │   ├── WhitelistingLogs.xml
│   │   ├── WifiActivity.xml
│   │   ├── WinFAS.xml
│   │   └── WinUpdateErr.xml
│   └── samples
│       ├── AccountLocked.xml
│       ├── AccountLogons.xml
│       ├── AppCrash.xml
│       ├── BsodErr.xml
│       ├── DefenderErr.xml
│       ├── EMETLogs.xml
│       ├── ExpCreds.xml
│       ├── GrpPolicyErr.xml
│       ├── KernelDriverDetect.xml
│       ├── LogDel.xml
│       ├── MsiPackages.xml
│       ├── PrintDetect.xml
│       ├── ServiceManager.xml
│       ├── USBDetection.xml
│       ├── UserToPriv.xml
│       ├── WhitelistingLogs.xml
│       ├── WifiActivity.xml
│       ├── WinFAS.xml
│       └── WinUpdateErr.xml
└── scripts
    ├── Fill-GroupName.ps1
    ├── README.txt
    ├── creatCV.ps1
    └── subscriptionUtil.ps1

Raw file URLs (path: URL):

/CONTRIBUTING.md: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/CONTRIBUTING.md
/DISCLAIMER.md: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/DISCLAIMER.md
/Events/README.md: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Events/README.md
/Events/RecommendedEvents.csv: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Events/RecommendedEvents.csv
/Events/RecommendedEvents.json: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Events/RecommendedEvents.json
/LICENSE.md: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/LICENSE.md
/README.md: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/README.md
/README.txt: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/README.txt
/Subscriptions/LSA Protection.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/LSA Protection.xml
/Subscriptions/NT6/AccountLocked.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/NT6/AccountLocked.xml
/Subscriptions/NT6/AccountLogons.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/NT6/AccountLogons.xml
/Subscriptions/NT6/AppCrash.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/NT6/AppCrash.xml
/Subscriptions/NT6/BsodErr.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/NT6/BsodErr.xml
/Subscriptions/NT6/DefenderErr.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/NT6/DefenderErr.xml
/Subscriptions/NT6/EMETLogs.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/NT6/EMETLogs.xml
/Subscriptions/NT6/ExpCreds.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/NT6/ExpCreds.xml
/Subscriptions/NT6/GrpPolicyErr.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/NT6/GrpPolicyErr.xml
/Subscriptions/NT6/KernelDriverDetect.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/NT6/KernelDriverDetect.xml
/Subscriptions/NT6/LogDel.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/NT6/LogDel.xml
/Subscriptions/NT6/MsiPackages.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/NT6/MsiPackages.xml
/Subscriptions/NT6/PrintDetect.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/NT6/PrintDetect.xml
/Subscriptions/NT6/ServiceManager.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/NT6/ServiceManager.xml
/Subscriptions/NT6/USBDetection.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/NT6/USBDetection.xml
/Subscriptions/NT6/UserToPriv.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/NT6/UserToPriv.xml
/Subscriptions/NT6/WhitelistingLogs.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/NT6/WhitelistingLogs.xml
/Subscriptions/NT6/WifiActivity.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/NT6/WifiActivity.xml
/Subscriptions/NT6/WinFAS.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/NT6/WinFAS.xml
/Subscriptions/NT6/WinUpdateErr.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/NT6/WinUpdateErr.xml
/Subscriptions/samples/AccountLocked.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/samples/AccountLocked.xml
/Subscriptions/samples/AccountLogons.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/samples/AccountLogons.xml
/Subscriptions/samples/AppCrash.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/samples/AppCrash.xml
/Subscriptions/samples/BsodErr.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/samples/BsodErr.xml
/Subscriptions/samples/DefenderErr.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/samples/DefenderErr.xml
/Subscriptions/samples/EMETLogs.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/samples/EMETLogs.xml
/Subscriptions/samples/ExpCreds.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/samples/ExpCreds.xml
/Subscriptions/samples/GrpPolicyErr.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/samples/GrpPolicyErr.xml
/Subscriptions/samples/KernelDriverDetect.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/samples/KernelDriverDetect.xml
/Subscriptions/samples/LogDel.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/samples/LogDel.xml
/Subscriptions/samples/MsiPackages.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/samples/MsiPackages.xml
/Subscriptions/samples/PrintDetect.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/samples/PrintDetect.xml
/Subscriptions/samples/ServiceManager.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/samples/ServiceManager.xml
/Subscriptions/samples/USBDetection.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/samples/USBDetection.xml
/Subscriptions/samples/UserToPriv.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/samples/UserToPriv.xml
/Subscriptions/samples/WhitelistingLogs.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/samples/WhitelistingLogs.xml
/Subscriptions/samples/WifiActivity.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/samples/WifiActivity.xml
/Subscriptions/samples/WinFAS.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/samples/WinFAS.xml
/Subscriptions/samples/WinUpdateErr.xml: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/Subscriptions/samples/WinUpdateErr.xml
/scripts/Fill-GroupName.ps1: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/scripts/Fill-GroupName.ps1
/scripts/README.txt: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/scripts/README.txt
/scripts/creatCV.ps1: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/scripts/creatCV.ps1
/scripts/subscriptionUtil.ps1: https://raw.githubusercontent.com/nsacyber/Event-Forwarding-Guidance/HEAD/scripts/subscriptionUtil.ps1