From 7476ff94df23acb1c9138cd3080438665c156122 Mon Sep 17 00:00:00 2001
From: Olaf Hartong <8149899+olafhartong@users.noreply.github.com>
Date: Thu, 30 Apr 2020 21:53:05 +0200
Subject: [PATCH] Added missing subscription forward rule

---
 Vagrant/resources/splunk_forwarder/wef_inputs.conf | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/Vagrant/resources/splunk_forwarder/wef_inputs.conf b/Vagrant/resources/splunk_forwarder/wef_inputs.conf
index 02018be..35651dd 100755
--- a/Vagrant/resources/splunk_forwarder/wef_inputs.conf
+++ b/Vagrant/resources/splunk_forwarder/wef_inputs.conf
@@ -411,6 +411,15 @@ start_from = oldest
 current_only = 0
 checkpointInterval = 5
 
+[WinEventLog://WEC2-Object-Manipulation]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Object-Handle
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
 [monitor://c:\pslogs]
 index = powershell
 sourcetype = powershell_transcript
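Review bot: `index=wineventlog` in the new `[WinEventLog://WEC2-Object-Manipulation]` stanza is the only key in the hunk written without spaces around `=`; Splunk's conf parser accepts both forms, but every other line here uses `key = value`, so `index = wineventlog` keeps the file consistent and makes a missing index name easier to spot during review. The stanza name has to match the custom event channel that the corresponding WEF subscription writes to on the collector — if that channel does not exist the forwarder logs an error in splunkd.log and silently collects nothing — and the `source = WinEventLog:Object-Handle` label deliberately or accidentally differs from the channel name, which I cannot tell from this hunk. A one-line comment above the stanza tying it to its subscription, e.g. `# Events forwarded by the Object-Manipulation WEF subscription; channel name must match the custom channel manifest`, would document that dependency for whoever next edits the subscription XML or this file.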