agorecki/windows-event-forwarding

Windows Event Log XML subscriptions that mimic SwiftOnSecurity's Sysmon config file. Unfortunately, a limitation of XPath 1.0 is that it does not allow wildcard selections, so some items were not included.

Keep in mind that most of these subscriptions require the necessary Windows auditing to be enabled; the required audit settings do NOT come out of the box. Use the recommendations from Malware Archaeology and/or Palantir.

Contributions: Palantir for their work on WEF. SwiftOnSecurity's Sysmon config file.
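
To show why some Sysmon rules have no subscription equivalent, here is an added example (not code from this repository) that turns Sysmon-style rules into a Windows Event Log XPath query and reports the rules that need substring matching. The rule tuples, the function names, and the choice of Security event 4688 with its `NewProcessName` and `CommandLine` fields are assumptions made for illustration.

```python
from xml.sax.saxutils import escape

# Constructed Sysmon-style rules (field, condition, value) for Security 4688.
SAMPLE_RULES = [
    ("NewProcessName", "is", r"C:\Windows\System32\wbem\WMIC.exe"),
    ("NewProcessName", "is", r"C:\Windows\System32\vssadmin.exe"),
    ("CommandLine", "contains", "-EncodedCommand"),
    ("NewProcessName", "end with", r"\PsExec.exe"),
]

def literal(value):
    """Quote a value as an XPath 1.0 string literal (literals have no escapes)."""
    if "'" in value:
        raise ValueError(f"cannot single-quote {value!r}")
    return f"'{value}'"

def translate(event_id, rules):
    """Return (xpath, skipped): exact-match rules become ORed predicates,
    substring-style rules are reported instead of silently dropped."""
    predicates, skipped = [], []
    for field, condition, value in rules:
        if condition == "is":
            predicates.append(f"Data[@Name={literal(field)}]={literal(value)}")
        else:
            skipped.append((field, condition, value))
    xpath = f"*[System[(EventID={event_id})]]"
    if predicates:
        xpath += " and *[EventData[" + " or ".join(predicates) + "]]"
    return xpath, skipped

def query_list(channel, xpath):
    """Wrap the expression in the QueryList XML that a subscription's query uses."""
    return (f'<QueryList>\n  <Query Id="0" Path="{channel}">\n'
            f'    <Select Path="{channel}">{escape(xpath)}</Select>\n'
            f'  </Query>\n</QueryList>')

if __name__ == "__main__":
    xpath, skipped = translate(4688, SAMPLE_RULES)
    print(query_list("Security", xpath))
    for rule in skipped:
        print("not expressible, left out:", rule)
```

Reviewing the skipped list tells you which detections from the Sysmon config the forwarded events will not cover, so those can be handled on the collector or in the SIEM instead.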
