Level: Technical


Collecting Windows event logs and centralizing them into a Security Information and Event Management (SIEM) has always been a big challenge for managed security service providers (MSSPs) or companies taking care of their system security. Despite the multiple approaches – agent, agentless or hybrid – the landscape remains unclear, and it is hard to find a proper technical solution that takes care of the security constraints imposed by the environment (Active Directory domain in enterprise or Workgroup in OT).

In this talk, we will share how we improved the built-in Windows Event Forwarding (WEF) and Windows Event Collector (WEC) by providing a “crafted toolkit”. Next, new and alternative methods to collect Windows Server DNS logs will be presented. Finally, we discuss how such solutions can help MSSPs or companies to leverage Windows logs and to provide valuable IOCs for threat detection purposes.

Full description:

The Windows Event Forwarding (WEF) feature implemented on all recent Windows OS provides the ability to forward Windows logs to a central Windows collector in agent less mode. For that, the free Windows Event Collector role can be used in order to centralize all logs.

However, WEC server builtin capacities in terms of collection are very low and it’s hard to keep track of what is being collected or not. Moreover, there is no automated tool to scale up the deployment and manage advanced subscriptions which defines which IOCs/Event IDs to collect.

With this presentation, I would like to:

  • share a technical approach (initially introduced by Palantir) that we use to collect logs from all endpoints together with the WEC sserver
  • share a PowerShell tool that enhance the WEC server deployment together with the Palantir toolset
  • introduce new technical solution to collect Windows DNS logs with ETL format or ETW channel in order to move away from the former TXT files
  • provide technical architecture solutions to collect DNS logs in ETL-ETW format with agent (Splunk, NXLog) or without any agent (remote pull).
  • provide an overview of all possible log collection methods for most of Microsoft products (SQL Server, Exchange, IIS, PowerShell transcript/TXT, SYSMON, Windows Defender, Microsoft ATA, NPS radius, …).

My own project and tools can be found here: https://github.com/mdecrevoisier/windows-event-collector_auto-deploy

Palantir initial project can be found here: https://github.com/palantir/windows-event-forwarding 


Michel de Crevoisier is a Security Analyst in the Data Analytics department at Radar Cyber Security in Vienna. Since he joined the company in 2017, he works on improving the data log collection from Microsoft environments in fields like “Information Technology” (IT) and “Public clouds”. Furthermore, he works on the detection of valuable IOCs to provide advanced use cases for threat detection. During his professional career, he handled several positions as a system and network administrator as well as a security architect in France, Spain and Austria. In addition to his practice, Michel regularly participates as a speaker on security conference (Swiss Cyber Storm 2019) and data protection conferences at the French embassy in Vienna and other business events organized by the French-Austrian chamber of commerce. Michel graduated with an MSc in computer sciences. During his studies, he was named by Microsoft as a “Student Partner” (MSP) and was in charge of organizing different talks and conferences in order to present the Microsoft ecosystem and its related services or products. At that time, he published several articles on his blog regarding security hardening and well-known threats like Mimikatz.



Comments are closed.