Subscription Configurations
The client computers (non-servers) forward their logs to azurebox3. They use the regular workstation XML from the Windows Intrusion Detection blog, with a custom delivery mode and some additional event IDs recommended by adsecurity.org. The client subscription is configured for minimum latency, which means the source pushes events to the collector as soon as they occur (WEF still batches them, with a 30-second timeout) instead of waiting for a batch to fill, to keep event latency low.
The non-domain-controller Windows servers forward their logs to azurebox2. The XML is essentially the same as the recommended XML from the Microsoft intrusion detection blog; check out the XML in the code repo. The Windows Server subscription is configured for custom latency, with a maximum latency time of 900000 ms (15 minutes), so an event is delivered at most 15 minutes after it is written.
Domain controllers forward their logs to azurebox1. The domain controller subscription is configured for minimum latency.
For more about latency configuration options, read Palantir's blog entry here: https://medium.com/@palantir/windows-event-forwarding-for-network-defense-cb208d5ff86f.
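As an added example (this is not code from this repo), the following PowerShell builds the subscription XML for the two delivery settings used above, MinLatency for workstations and domain controllers and Custom with a 900000 ms maximum latency for member servers, registers it on the collector with wecutil, and reads the stored settings back. The subscription names, the SDDL for allowed source computers, the heartbeat value and the placeholder Security query are assumptions; substitute the workstation, server and DC query XML from this repo for the placeholder on each collector.

```powershell
# Added example, not code from this repo. Subscription names, the allowed-source
# SDDL and $placeholderQuery are assumptions; use the repo's query XML instead.

function New-WefSubscriptionXml {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$QueryXml,
        [Parameter(Mandatory)][string]$AllowedSourceDomainComputers,   # SDDL string
        [ValidateSet('MinLatency', 'Custom')][string]$ConfigurationMode = 'MinLatency',
        [int]$MaxLatencyMs = 900000,   # Custom only; 900000 ms = 15 minutes
        [int]$MaxItems = 1,            # Custom only; deliver after this many events
        [int]$HeartbeatMs = 3600000    # Custom only; assumed 1 hour heartbeat
    )
    # MinLatency is a built-in profile (push delivery, 30 s batch timeout), so the
    # Delivery element is left out. Custom needs explicit Batching/PushSettings.
    $delivery = ''
    if ($ConfigurationMode -eq 'Custom') {
        $delivery = @"
    <Delivery Mode="Push">
        <Batching>
            <MaxItems>$MaxItems</MaxItems>
            <MaxLatencyTime>$MaxLatencyMs</MaxLatencyTime>
        </Batching>
        <PushSettings>
            <Heartbeat Interval="$HeartbeatMs"/>
        </PushSettings>
    </Delivery>
"@
    }
    return @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>$Name</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description>$Name subscription</Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
    <ConfigurationMode>$ConfigurationMode</ConfigurationMode>
$delivery
    <Query><![CDATA[
$QueryXml
    ]]></Query>
    <ReadExistingEvents>false</ReadExistingEvents>
    <TransportName>http</TransportName>
    <ContentFormat>RenderedText</ContentFormat>
    <Locale Language="en-US"/>
    <LogFile>ForwardedEvents</LogFile>
    <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
    <AllowedSourceDomainComputers>$AllowedSourceDomainComputers</AllowedSourceDomainComputers>
</Subscription>
"@
}

function Register-WefSubscription {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Xml)
    $path = Join-Path $env:TEMP "$Name.xml"
    Set-Content -Path $path -Value $Xml -Encoding UTF8
    wecutil qc /q            # ensure the Windows Event Collector service is configured
    wecutil cs $path         # create the subscription from the XML file
    wecutil gs $Name /f:xml  # read back the delivery settings the collector stored
}

# Placeholder query (constructed for this example); replace with the repo's XML.
$placeholderQuery = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
  </Query>
</QueryList>
'@
# Assumed SDDL: Domain Computers plus Network Service may forward to this collector.
$allowed = 'O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;NS)'

# azurebox3 (workstations) and azurebox1 (domain controllers): minimum latency.
$wsXml = New-WefSubscriptionXml -Name 'Workstations' -QueryXml $placeholderQuery `
    -AllowedSourceDomainComputers $allowed -ConfigurationMode MinLatency

# azurebox2 (member servers): custom delivery, maximum latency 900000 ms.
$srvXml = New-WefSubscriptionXml -Name 'MemberServers' -QueryXml $placeholderQuery `
    -AllowedSourceDomainComputers $allowed -ConfigurationMode Custom -MaxLatencyMs 900000

# Run the matching line on each collector as an administrator:
# Register-WefSubscription -Name 'Workstations' -Xml $wsXml
# Register-WefSubscription -Name 'MemberServers' -Xml $srvXml
```

After registering, `wecutil gr <SubscriptionName>` lists each source computer with its last heartbeat and any error, which is the quickest way to confirm that clients are actually reaching the collector and that a 15-minute maximum latency is not hiding a broken forwarder. An existing subscription's latency can also be changed in place with `wecutil ss <SubscriptionName> /cm:Custom /dmlt:900000` without recreating the XML.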