mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-18 20:03:40 +00:00
Update use-windows-event-forwarding-to-assist-in-intrusion-detection.md
@ -25,7 +25,7 @@ Learn about an approach to collect events from devices in your organization. Thi
Windows Event Forwarding (WEF) reads any operational or administrative event log on a device in your organization and forwards the events you choose to a Windows Event Collector (WEC) server.
To accomplish this, there are two different subscriptions published to client devices - the Baseline subscription and the suspect subscription. The Baseline subscription enrolls all devices in your organization, and a Suspect subscription only includes devices that have been added by you. The Suspect subscription collects additional events to help build context for system activity and can quickly be updated to accommodate new events and/or scenarios as needed without impacting baseline operations.
To accomplish this functionality, there are two different subscriptions published to client devices - the Baseline subscription and the suspect subscription. The Baseline subscription enrolls all devices in your organization, and a Suspect subscription only includes devices that have been added by you. The Suspect subscription collects more events to help build context for system activity and can quickly be updated to accommodate new events and/or scenarios as needed without impacting baseline operations.
This implementation helps differentiate where events are ultimately stored. Baseline events can be sent to devices with online analytical capability, such as Security Event Manager (SEM), while also sending events to a MapReduce system, such as HDInsight or Hadoop, for long-term storage and deeper analysis. Events from the Suspect subscription are sent directly to a MapReduce system due to volume and lower signal/noise ratio, they are largely used for host forensic analysis.
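Review bot: the rewritten sentence still mixes "the suspect subscription" (lowercase) with "a Suspect subscription" two clauses later, and the section further down calls the same subscription the "Targeted WEF subscription"; pick one name and one capitalization and use it in both places. "To accomplish this functionality" is also no clearer than the original "To accomplish this"; "To do this" reads better and avoids the vague "functionality".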
@ -41,7 +41,7 @@ Here's an approximate scaling guide for WEF events:
| 5,000 - 50,000 | SEM |
| 50,000+ | Hadoop/HDInsight/Data Lake |
Event generation on a device must be enabled either separately or as part of the GPO for the baseline WEF implementation, including enabling of disabled event logs and setting channel permissions. For more info, see [Appendix C - Event channel settings (enable and channel access) methods](#bkmk-appendixc). This is because WEF is a passive system regarding the event log. It cannot change the size of event log files, enable disabled event channels, change channel permissions, or adjust a security audit policy. WEF only queries event channels for existing events. Additionally, having event generation already occurring on a device allows for more complete event collection building a complete history of system activity. Otherwise, you'll be limited to the speed of GPO and WEF subscription refresh cycles to make changes to what is being generated on the device. On modern devices, enabling additional event channels and expanding the size of event log files has not resulted in noticeable performance differences.
Event generation on a device must be enabled either separately or as part of the GPO for the baseline WEF implementation, including enabling of disabled event logs and setting channel permissions. For more info, see [Appendix C - Event channel settings (enable and channel access) methods](#bkmk-appendixc). This condition is because WEF is a passive system regarding the event log. It cannot change the size of event log files, enable disabled event channels, change channel permissions, or adjust a security audit policy. WEF only queries event channels for existing events. Additionally, having event generation already occurring on a device allows for more complete event collection building a complete history of system activity. Otherwise, you'll be limited to the speed of GPO and WEF subscription refresh cycles to make changes to what is being generated on the device. On modern devices, enabling more event channels and expanding the size of event log files has not resulted in noticeable performance differences.
For the minimum recommended audit policy and registry system ACL settings, see [Appendix A - Minimum recommended minimum audit policy](#bkmk-appendixa) and [Appendix B - Recommended minimum registry system ACL policy](#bkmk-appendixb).
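Review bot: "This condition is because WEF is a passive system" replaces a bare "This" with an undefined "condition" rather than naming the requirement; say it directly, e.g. "Event generation must be configured separately because WEF is passive with respect to the event log: it cannot change the size of event log files, ...". Unrelated to the changed line but visible in this hunk's context, the link text "Appendix A - Minimum recommended minimum audit policy" repeats "minimum" (the heading it points to does too), so fix both in the same commit.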
@ -49,14 +49,14 @@ For the minimum recommended audit policy and registry system ACL settings, see [
From a WEF subscription management perspective, the event queries provided should be used in two separate subscriptions for ease of maintenance; only machines meeting specific criteria would be allowed access to the targeted subscription, this access would be determined by an algorithm or an analysts’ direction. All devices should have access to the Baseline subscription.
This means you would create two base subscriptions:
This system of dual subscription means you would create two base subscriptions:
- **Baseline WEF subscription**. Events collected from all hosts, this includes some role-specific events, which will only be emitted by those machines.
- **Baseline WEF subscription**. Events collected from all hosts; these events include some role-specific events, which will only be emitted by those machines.
- **Targeted WEF subscription**. Events collected from a limited set of hosts due to unusual activity and/or heightened awareness for those systems.
Each using the respective event query below. Note that for the Targeted subscription enabling the “read existing events” option should be set to true to allow collection of existing events from systems. By default, WEF subscriptions will only forward events generated after the WEF subscription was received by the client.
Each using the respective event query below. For the Targeted subscription enabling the “read existing events” option should be set to true to allow collection of existing events from systems. By default, WEF subscriptions will only forward events generated after the WEF subscription was received by the client.
In [Appendix E – Annotated Baseline Subscription Event Query](#bkmk-appendixe) and [Appendix F – Annotated Suspect Subscription Event Query](#bkmk-appendixf), the event query XML is included when creating WEF subscriptions. These are annotated for query purpose and clarity. Individual <Query> element can be removed or edited without affecting the rest of the query.
In [Appendix E – Annotated Baseline Subscription Event Query](#bkmk-appendixe) and [Appendix F – Annotated Suspect Subscription Event Query](#bkmk-appendixf), the event query XML is included when creating WEF subscriptions. These subscriptions are annotated for query purpose and clarity. Individual <Query> element can be removed or edited without affecting the rest of the query.
### Common WEF questions
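Review bot: "These subscriptions are annotated for query purpose and clarity" changes the referent: what Appendix E and F annotate is the event query XML, not the subscriptions, so "These queries are annotated" is the correct fix. In the same paragraph "Individual <Query> element can be removed" needs the plural "elements", and the bare <Query> tag should be code-formatted as `<Query>` or Markdown renderers will treat it as an HTML tag and drop it. Earlier in the hunk, "This system of dual subscription means you would create two base subscriptions" is circular; "Using two subscriptions means you create:" is enough. Finally, "For the Targeted subscription enabling the "read existing events" option should be set to true" still mixes "enabling" with "set to true"; "For the Targeted subscription, set the "read existing events" option to true" states the required setting plainly, which matters because, as the next sentence says, the default forwards only events generated after the client receives the subscription.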
@ -70,7 +70,7 @@ The longer answer is: The **Eventlog-forwardingPlugin/Operational** event channe
### Is WEF Push or Pull?
A WEF subscription can be configured to be push or pull, but not both. The simplest, most flexible IT deployment with the greatest scalability can be achieved by using a push, or source initiated, subscription. WEF clients are configured by using a GPO and the built-in forwarding client is activated. For pull, collector initiated, the subscription on the WEC server is pre-configured with the names of the WEF Client devices from which events are to be selected. Those clients also have to be configured ahead of time to allow the credentials used in the subscription to access their event logs remotely (normally by adding the credential to the **Event Log Readers** built-in local security group.) A useful scenario: closely monitoring a specific set of machines.
A WEF subscription can be configured to be push or pull, but not both. The simplest, most flexible IT deployment with the greatest scalability can be achieved by using a push, or source initiated, subscription. WEF clients are configured by using a GPO and the built-in forwarding client is activated. For pull, collector initiated, the subscription on the WEC server is pre-configured with the names of the WEF Client devices from which events are to be selected. Those clients are to be configured ahead of time to allow the credentials used in the subscription to access their event logs remotely (normally by adding the credential to the **Event Log Readers** built-in local security group.) A useful scenario: closely monitoring a specific set of machines.
### Will WEF work over VPN or RAS?
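Review bot: "Those clients are to be configured ahead of time" softens a hard requirement into something that reads like a plan; for a collector-initiated subscription the credential in the subscription cannot read a client's event logs until that client has granted it access, so keep "must be configured ahead of time". This is also the sentence that describes the access grant (membership in the Event Log Readers group), so the stronger wording is the right one for the security-relevant step.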
@ -78,7 +78,7 @@ WEF handles VPN, RAS, and DirectAccess scenarios well and will reconnect and sen
### How is client progress tracked?
The WEC server maintains in its registry the bookmark information and last heartbeat time for each event source for each WEF subscription. When an event source re-connects to a WEC server, the last bookmark position is sent to the device to use as a starting point to resume forwarding events. If a
The WEC server maintains in its registry the bookmark information and last heartbeat time for each event source for each WEF subscription. When an event source reconnects to a WEC server, the last bookmark position is sent to the device to use as a starting point to resume forwarding events. If a
WEF client has no events to send, the WEF client will connect periodically to send a Heartbeat to the WEC server to indicate it is active. This heartbeat value can be individually configured for each subscription.
### Will WEF work in an IPv4, IPv6, or mixed IPv4/IPv6 environment?
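Review bot: the "re-connects" to "reconnects" change leaves the sentence still broken across two source lines ("... If a" / "WEF client has no events to send ..."); join them while this line is being touched so the paragraph is one line like the rest of the file. "This heartbeat value can be individually configured for each subscription" also keeps the bare "This" that the rest of the commit is removing; "The heartbeat interval can be configured per subscription" is clearer.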
@ -188,7 +188,7 @@ The annotated event query can be found in the following. For more info, see [App
- Registry modification events. For more info, see [Appendix B – Recommended minimum Registry System ACL Policy](#bkmk-appendixb).
- OS startup and shutdown
- Startup event include operating system version, service pack level, QFE version, and boot mode.
- Startup events include operating system version, service pack level, QFE version, and boot mode.
- Service install
@ -216,13 +216,13 @@ The annotated event query can be found in the following. For more info, see [App
- Find out what initiated the restart of a device.
- User initiated interactive logoff event
- Remote Desktop Services session connect, reconnect, or disconnect.
- Remote Desktop Services sessions connect, reconnect, or disconnect.
- EMET events, if EMET is installed.
- Event forwarding plugin events
- For monitoring WEF subscription operations, particularly Partial Success events. This is useful for diagnosing deployment issues.
- Network share create and delete
- Network share creation and deletion
- Enables detection of unauthorized share creation.
>**Note:** All shares are re-created when the device starts.
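Review bot: "Remote Desktop Services sessions connect, reconnect, or disconnect" turns a list label into a verb phrase, which no longer matches the sibling items this same hunk rewrites as nouns ("Network share creation and deletion", "Service install"); use "Remote Desktop Services session connection, reconnection, or disconnection". The sub-bullet "This is useful for diagnosing deployment issues" keeps the bare "This" the commit is removing elsewhere; "Partial Success events are useful for diagnosing deployment issues" names the subject.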
@ -232,7 +232,7 @@ The annotated event query can be found in the following. For more info, see [App
- Logon success for interactive (local and Remote Interactive/Remote Desktop)
- Logon success for services for non-built-in accounts, such as LocalSystem, LocalNetwork, and so on.
- Logon success for batch sessions
- Logon session close, which are logoff events for non-network sessions.
- Logon session close, which is logoff events for non-network sessions.
- Windows Error Reporting (Application crash events only)
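Review bot: "Logon session close, which is logoff events for non-network sessions" now pairs a singular verb with a plural complement; the original "which are" agreed with "events", and "Logon session close (logoff events for non-network sessions)" avoids the clause entirely. In the unchanged context just above, "Logon success for services for non-built-in accounts, such as LocalSystem, LocalNetwork" contradicts itself: LocalSystem is a built-in account, and "LocalNetwork" is not a Windows service account name (the built-in service accounts are Local System, Local Service and Network Service). If the query excludes those built-in accounts, reword to "Logon success for services running as accounts other than the built-in ones (LocalSystem, LocalService, NetworkService)".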
@ -244,7 +244,7 @@ The annotated event query can be found in the following. For more info, see [App
- Event log cleared (including the Security Event Log)
- This could indicate an intruder that are covering their tracks.
- This could indicate an intruder that is covering their tracks.
- Special privileges assigned to new logon
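Review bot: "an intruder that is covering their tracks" fixes the verb agreement but still uses "that" for a person; "an intruder covering their tracks" is simpler. "This could indicate" is also the bare "This" the commit replaces elsewhere; "A cleared log could indicate an intruder covering their tracks" names the subject and is the more useful phrasing for the detection point being made.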
@ -271,7 +271,7 @@ The annotated event query can be found in the following. For more info, see [App
- Logon with explicit credentials
- Detect credential use changes by intruders to access additional resources.
- Detect credential use changes by intruders to access more resources.
- Smartcard card holder verification events
@ -296,7 +296,7 @@ This adds some possible intruder-related activity to help analyst further refine
- Groups assigned to local logon
- Gives visibility to groups which enable account wide access
- Gives visibility to groups which enable account-wide access
- Allows better planning for remediation efforts
- Excludes well known, built-in system accounts.
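Review bot: while hyphenating "account-wide", "Gives visibility to groups which enable" should become "Gives visibility into groups that enable" (restrictive clause, and "visibility into" is the usual idiom). The hunk header context "help analyst further refine" is also missing the plural: "help analysts further refine".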
@ -337,7 +337,7 @@ This adds some possible intruder-related activity to help analyst further refine
## <a href="" id="bkmk-appendixa"></a>Appendix A - Minimum recommended minimum audit policy
If your organizational audit policy enables additional auditing to meet its needs, that is fine. The policy below is the minimum audit policy settings needed to enable events collected by both baseline and targeted subscriptions.
If your organizational audit policy enables more auditing to meet its needs, that is fine. The policy below is the minimum audit policy settings needed to enable events collected by both baseline and targeted subscriptions.
| Category | Subcategory | Audit settings |
|--------------------|---------------------------------|---------------------|
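Review bot: the heading in this hunk's context, "Appendix A - Minimum recommended minimum audit policy", repeats "minimum"; change it to "Appendix A - Minimum recommended audit policy" and update the link text earlier in the file that points at #bkmk-appendixa to match (the anchor id itself can stay so existing links keep working). In the changed line, "If your organizational audit policy enables more auditing to meet its needs, that is fine" is a comma splice; "It is fine if your organizational audit policy enables more auditing than this" reads cleanly and leads naturally into the minimum-settings sentence that follows.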
@ -388,7 +388,7 @@ Use the following figures to see how you can configure those registry keys.
Some channels are disabled by default and have to be enabled. Others, such as Microsoft-Windows-CAPI2/Operational must have the channel access modified to allow the Event Log Readers built-in security group to read from it.
The recommended and most effective way to do this is to configure the baseline GPO to run a scheduled task to configure the event channels (enable, set maximum size, and adjust channel access.) This will take effect at the next GPO refresh cycle and has minimal impact on the client device.
The recommended and most effective way to do this is configuring the baseline GPO to run a scheduled task to configure the event channels (enable, set maximum size, and adjust channel access.) This will take effect at the next GPO refresh cycle and has minimal impact on the client device.
The following GPO snippet performs the following:
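Review bot: "The recommended and most effective way to do this is configuring the baseline GPO" is less natural than the original "is to configure the baseline GPO"; revert that part of the change. "This will take effect at the next GPO refresh cycle" keeps the bare "This" (say "The scheduled task takes effect at the next GPO refresh cycle"), and the unchanged context line "The following GPO snippet performs the following:" uses "following" twice; "This GPO snippet does the following:" fixes it.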