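# inputs.conf - Splunk forwarder inputs for a Windows Event Collector (WEC) host.
# Splunk .conf syntax: one stanza per input, "key = value" pairs, full-line
# "#" comments only (text after a value is not a comment, it becomes part of
# the value).
#
# Every WinEventLog:// stanza reads one event log channel on this collector.
# The name after "WinEventLog://" must match the channel exactly as it is
# registered on the collector; a stanza for a channel that does not exist
# collects nothing and fails quietly. Apart from the built-in ForwardedEvents
# log, these look like custom subscription channels (WEC, WEC2 ... WEC6) that
# have to be created on the collector before the forwarder is started.
#
# Settings repeated in every WinEventLog stanza:
#   index              = wineventlog  target index; it must exist on the
#                                     indexers or the events are dropped
#   disabled           = 0            input is enabled
#   start_from         = oldest       read from the beginning of the channel
#   current_only       = 0            also read events that already exist, so
#                                     the whole backlog of the channel is
#                                     ingested on first start
#   checkpointInterval = 5            seconds between checkpoint writes; after
#                                     an unclean restart the events since the
#                                     last checkpoint may be re-read (duplicates)
#
# Several stanzas reuse the sourcetype of the stock Security/System/Application
# logs for a custom channel; "source" then carries the channel identity.
# NOTE(review): presumably so the Windows add-on's field extractions for those
# sourcetypes apply to the forwarded events - confirm against props.conf.
#
# NOTE(review): renderXml is not set, so forwarded events are rendered as text
# (the Splunk default). Text rendering needs the originating provider's message
# resources on the collector; for providers not installed here the message
# text may be missing. renderXml = true avoids that but changes the event
# format and the sourcetypes the add-on expects, so it is deliberately left
# unchanged in this file - verify event bodies are complete after rollout.

# Built-in channel that receives subscriptions without a custom target log.
[WinEventLog://ForwardedEvents]
sourcetype = WinEventLog:ForwardedEvents
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

# ---- WEC: execution and authentication telemetry ----

[WinEventLog://WEC-Powershell]
sourcetype = WinEventLog:Powershell
source = WinEventLog:Powershell
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC-WMI]
sourcetype = WinEventLog:WMI
source = WinEventLog:WMI
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC-EMET]
sourcetype = WinEventLog:Security
source = WinEventLog:EMET
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC-Authentication]
sourcetype = WinEventLog:Security
source = WinEventLog:Authentication
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC-Services]
sourcetype = WinEventLog:System
source = WinEventLog:Services
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC-Process-Execution]
sourcetype = WinEventLog:Security
source = WinEventLog:Process-Execution
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC-Code-Integrity]
sourcetype = WinEventLog:Security
source = WinEventLog:Code-Integrity
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

# ---- WEC2: persistence, application control and file/registry activity ----

[WinEventLog://WEC2-Registry]
sourcetype = WinEventLog:Security
source = WinEventLog:Registry
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC2-Applocker]
sourcetype = WinEventLog:Applocker
source = WinEventLog:Applocker
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC2-Task-Scheduler]
sourcetype = WinEventLog:Task-Scheduler
source = WinEventLog:Task-Scheduler
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC2-Application-Crashes]
sourcetype = WinEventLog:Application
source = WinEventLog:Application-Crashes
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC2-Windows-Defender]
sourcetype = WinEventLog:Windows-Defender
source = WinEventLog:Windows-Defender
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC2-Group-Policy-Errors]
sourcetype = WinEventLog:System
source = WinEventLog:Group-Policy-Errors
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

# Grouped with the other WEC2 channels; Splunk does not care about stanza order.
[WinEventLog://WEC2-File-System]
sourcetype = WinEventLog:Security
source = WinEventLog:File-System
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

# ---- WEC3: accounts, devices and host firewall ----

[WinEventLog://WEC3-Drivers]
sourcetype = WinEventLog:System
source = WinEventLog:Drivers
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC3-Account-Management]
sourcetype = WinEventLog:Security
source = WinEventLog:Account-Management
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC3-Windows-Diagnostics]
sourcetype = WinEventLog:System
source = WinEventLog:Windows-Diagnostics
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC3-Smart-Card]
sourcetype = WinEventLog:Smart-Card
source = WinEventLog:Smart-Card
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC3-USB]
sourcetype = WinEventLog:USB
source = WinEventLog:USB
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC3-Print]
sourcetype = WinEventLog:Print
source = WinEventLog:Print
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC3-Firewall]
sourcetype = WinEventLog:Firewall
source = WinEventLog:Firewall
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

# ---- WEC4: network, shares, updates and time ----

[WinEventLog://WEC4-Wireless]
sourcetype = WinEventLog:Security
source = WinEventLog:Wireless
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC4-Shares]
sourcetype = WinEventLog:Security
source = WinEventLog:Shares
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC4-Bits-Client]
sourcetype = WinEventLog:Bits-Client
source = WinEventLog:Bits-Client
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC4-Windows-Updates]
sourcetype = WinEventLog:System
source = WinEventLog:Windows-Updates
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC4-Hotpatching-Errors]
sourcetype = WinEventLog:Security
source = WinEventLog:Hotpatching-Errors
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC4-DNS]
sourcetype = WinEventLog:DNS
source = WinEventLog:DNS
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC4-System-Time-Change]
sourcetype = WinEventLog:Security
source = WinEventLog:System-Time-Change
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

# ---- WEC5: OS, PKI, installers, log clearing and autoruns ----

[WinEventLog://WEC5-Operating-System]
sourcetype = WinEventLog:System
source = WinEventLog:Operating-System
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC5-Certificate-Authority]
sourcetype = WinEventLog:Security
source = WinEventLog:Certificate-Authority
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC5-Crypto-API]
sourcetype = WinEventLog:Security
source = WinEventLog:Crypto-API
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC5-MSI-Packages]
sourcetype = WinEventLog:Security
source = WinEventLog:MSI-Packages
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

# Log-clearing events are high-value for detecting anti-forensics; keep these
# two channels enabled even when trimming the rest.
[WinEventLog://WEC5-Log-Deletion-Security]
sourcetype = WinEventLog:Security
source = WinEventLog:Log-Deletion-Security
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC5-Log-Deletion-System]
sourcetype = WinEventLog:System
source = WinEventLog:Log-Deletion-System
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC5-Autoruns]
sourcetype = WinEventLog:Autoruns
source = WinEventLog:Autoruns
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

# ---- WEC6: Sysmon, exploit mitigations, MFA and federation ----

[WinEventLog://WEC6-Sysmon]
sourcetype = WinEventLog:Sysmon
source = WinEventLog:Sysmon
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC6-Software-Restriction-Policies]
sourcetype = WinEventLog:Software-Restriction-Policies
source = WinEventLog:Software-Restriction-Policies
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC6-Microsoft-Office]
sourcetype = WinEventLog:Microsoft-Office
source = WinEventLog:Microsoft-Office
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC6-Exploit-Guard]
sourcetype = WinEventLog:Security
source = WinEventLog:Exploit-Guard
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC6-Duo-Security]
sourcetype = WinEventLog:Duo-Security
source = WinEventLog:Duo-Security
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC6-Device-Guard]
sourcetype = WinEventLog:Security
source = WinEventLog:Device-Guard
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://WEC6-ADFS]
sourcetype = WinEventLog:ADFS
source = WinEventLog:ADFS
index = wineventlog
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

# ---- PowerShell transcription files ----
# File monitor for the directory that PowerShell transcription (one text file
# per session) writes to; recursive = true picks up the per-date
# subdirectories. Transcripts capture everything typed at the console,
# including credentials or tokens passed on a command line, so the directory
# ACL should let users write but not read each other's files, and access to
# the "powershell" index should be restricted accordingly. disabled = 0 is
# the default for monitor inputs and is written out here for consistency with
# the stanzas above.
[monitor://c:\pslogs]
index = powershell
sourcetype = powershell_transcript
recursive = true
disabled = 0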