diff --git a/Vagrant/resources/splunk_forwarder/wef_inputs.conf b/Vagrant/resources/splunk_forwarder/wef_inputs.conf
index 02018be..35651dd 100755
--- a/Vagrant/resources/splunk_forwarder/wef_inputs.conf
+++ b/Vagrant/resources/splunk_forwarder/wef_inputs.conf
@@ -411,6 +411,15 @@ start_from = oldest
 current_only = 0
 checkpointInterval = 5
 
+[WinEventLog://WEC2-Object-Manipulation]
+sourcetype = WinEventLog:Security
+source = WinEventLog:Object-Handle
+index=wineventlog
+disabled = 0
+start_from = oldest
+current_only = 0
+checkpointInterval = 5
+
 [monitor://c:\pslogs]
 index = powershell
 sourcetype = powershell_transcript
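Review bot: The new `[WinEventLog://WEC2-Object-Manipulation]` stanza has no comment saying which forwarded events land in this channel or why they are stamped `source = WinEventLog:Object-Handle` while the sourcetype stays `WinEventLog:Security`, and any search or detection keyed on `source` depends on that mapping. I would add a line above the stanza such as `# Object access/handle events forwarded to the WEC2-Object-Manipulation channel; source is overridden to WinEventLog:Object-Handle`, adjusted to what the subscription actually collects. Object-access auditing is presumably high volume, and with `start_from = oldest` and `current_only = 0` the forwarder reads the whole channel backlog on first start, so it is worth confirming the index sizing or narrowing the input with a `whitelist` of the event IDs the detections use. As a style point, `index=wineventlog` is written without spaces around `=`, unlike `index = powershell` just below; `index = wineventlog` would match.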