May 19 2018 06:56 AM - edited May 19 2018 07:04 AM
I configured Windows Event Forwarding (WEF) in my LAB domain and I'm setting up subscriptions. My subscription is configured on my DC and is source-initiated, the collector is DC01.acme.com and sources are WIN7.acme.com and WIN10.acme.com. Suppose I have the following query filter configured for my subscription:
[Image: subscription query filter screenshot, from https://docs.microsoft.com/en-us/azure-advanced-threat-protection/configure-event-forwarding]
This means that I only want Security event log entries with ID 4776 forwarded to DC01.acme.com. This works like a charm, no issues here. My only question is: where is the filter really applied, on the DC (collector) or on the workstations (sources)? In my mind there are two possible scenarios:
I really wish the answer to my question were number 2, because this would save me a LOT of bandwidth. I couldn't find a clear answer in the Microsoft docs.
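As an added example (not the poster's own configuration), this is what the subscription described above looks like as a definition file that `wecutil cs` accepts on the collector; the subscription name, description and the SDDL string for the allowed source computers are assumed values. In source-initiated mode each source retrieves this definition, including the Query element, from the collector's SubscriptionManager and uses the XPath filter to select which events it sends.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <!-- Assumed name; shown by "wecutil es" on the collector -->
  <SubscriptionId>Security-4776-Forwarding</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward credential validation events (4776) to DC01.acme.com</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <!-- MinBandwidth batches events on the source before delivery -->
  <ConfigurationMode>MinBandwidth</ConfigurationMode>
  <!-- The XPath query the source evaluates against its own Security log -->
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4776)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <!-- RenderedText sends a localized message string; Events sends raw XML only -->
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <!-- Destination log on the collector -->
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- Assumed SDDL: grants the Domain Computers group (S-1-5-21-<domain>-515) -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
```

Create it on the collector with `wecutil cs subscription.xml`, and dump the deployed definition later with `wecutil gs Security-4776-Forwarding /f:xml` to confirm the Query element that sources will receive.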