From 926c1470ee83e89890cfb858e672944a50a2cfe7 Mon Sep 17 00:00:00 2001 From: Dario Woitasen <33589238+dariomws@users.noreply.github.com> Date: Mon, 14 Nov 2022 10:02:33 +0100 Subject: [PATCH] Update use-windows-event-forwarding-to-assist-in-intrusion-detection.md --- ...t-forwarding-to-assist-in-intrusion-detection.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md index d48d5da38b..a28ab4ca3e 100644 --- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md +++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md @@ -397,6 +397,17 @@ The following GPO snippet performs the following tasks: ![configure event channels.](images/capi-gpo.png) +The following table also contains the six actions to configure in the GPO: + +| Program/Script | Arguments | +|------------------------------------|----------------------------------------------------------------------------------------------------------| +| %SystemRoot%\System32\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /e:true | +| %SystemRoot%\System32\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /ms:102432768 | +| %SystemRoot%\System32\wevtutil.exe | sl "Microsoft-Windows-AppLocker/EXE and DLL" /ms:102432768 | +| %SystemRoot%\System32\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /ca:"O:BAG:SYD:(A;;0x7;;;BA)(A;;0x2;;;AU)(A;;0x1;;;S-1-5-32-573)" | +| %SystemRoot%\System32\wevtutil.exe | sl "Microsoft-Windows-DriverFrameworks-UserMode/Operational" /e:true | +| %SystemRoot%\System32\wevtutil.exe | sl "Microsoft-Windows-DriverFrameworks-UserMode/Operational" /ms:52432896 | + ## Appendix D - Minimum GPO for WEF Client configuration Here are the minimum steps for WEF to operate: 
@@ -655,4 +666,4 @@ You can get more info with the following links: - [Event Queries and Event XML](/previous-versions/bb399427(v=vs.90)) - [Event Query Schema](/windows/win32/wes/queryschema-schema) - [Windows Event Collector](/windows/win32/wec/windows-event-collector) -- [4625(F): An account failed to log on](./auditing/event-4625.md) \ No newline at end of file +- [4625(F): An account failed to log on](./auditing/event-4625.md)
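Review bot: the lead-in sentence for the new table ("The following table also contains the six actions to configure in the GPO") does not say what the table is relative to the screenshot directly above it; since the rows are a text rendering of the actions in images/capi-gpo.png, say so explicitly, e.g. "The following table lists the six wevtutil actions shown in the GPO snippet above", so readers using the table instead of the image know the two are meant to match, and verify each `/ms:` value (102432768 and 52432896) and the `/ca:` channel-access SDDL against the image before merging, because a mismatch between screenshot and table would be confusing. A minor style point in the same hunk: channel names are quoted inconsistently (rows 1, 2 and 4 leave `Microsoft-Windows-CAPI2/Operational` unquoted, rows 5 and 6 quote `Microsoft-Windows-DriverFrameworks-UserMode/Operational`); only the AppLocker channel needs quotes because of the spaces in its name, so either quote all channel names or none for consistency.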
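Review bot: the second hunk only adds the missing newline at the end of the file (the `\ No newline at end of file` marker on the removed line is gone on the added line) and is otherwise a no-op, which is fine to bundle, but the commit subject "Update use-windows-event-forwarding-to-assist-in-intrusion-detection.md" describes neither change; consider a subject such as "Add text table of CAPI2/AppLocker/DriverFrameworks GPO actions" so the history reflects what the 12 inserted lines do.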