Title consistency, subscriptions config description fix and better readability for GPO settings

Author: t0x01

EventSubscriptionsCollections/README.md

@@ -14,10 +14,10 @@ Make any changes to the `EventCollectorSubscriptions.csv` configuration file. En
 
 Bear in mind, that in some columns of `EventCollectorSubscriptions.csv` files, mainly `AllowedSourceDomainComputers`, `AllowedIssuerCAList` and `AllowedSubjectList`, you can specify several values separated by semicolon `;` symbol, e.g:
 
-| ProviderSymbol								| ... | AllowedSourceDomainComputers					| AllowedIssuerCAList 										 | AllowedSubjectList											|
-| ----------------------------- | --- | ------------------------------------- | ---------------------------------------- | -------------------------------------- |
-| WEC_DOMAIN_SERVERS_EVENTS			| ... | MSK-Domain-Members;SPB-Domain-Members |																					 |																				|
-| WEC_NON_DOMAIN_SERVERS_EVENTS | ... |																				| 073F4797D54776167C9199B2C36EAA01F1502C3F | \*.security.contoso.com;\*.contoso.com |
+| ChannelName					| ... | AllowedSourceDomainComputers			| AllowedIssuerCAList 						| AllowedSubjectList						|
+| ----------------------------- | --- | --------------------------------------- | ----------------------------------------- | ----------------------------------------- |
+| WEC-Domain-Servers/Events		| ... | MSK-Domain-Members;SPB-Domain-Members	|											|											|
+| WEC-NonDomain-Servers/Events	| ... |											| 073F4797D54776167C9199B2C36EAA01F1502C3F	| \*.security.contoso.com;\*.contoso.com	|
 
 ## Deployment:
 Deploy event subscriptions with [`New-WECSubscriptions.ps1`](./New-WECSubscriptions.ps1) script:

GroupPolicyObjects/Windows Event Collector.md

@@ -16,7 +16,7 @@
 
 ## Configuration
 
-Set the following setting **Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM)/WinRM Service -> Allow Remote Server Management through WinRM** to:
+Set the following setting `Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM)/WinRM Service -> Allow Remote Server Management through WinRM` to:
 
 - **IPV4 filter**: [network ranges]
 - **IPv6 filter**: *
@@ -28,13 +28,13 @@ Set the following setting **Computer Configuration -> Administrative Templates -
 
  
 
-Set the following setting **Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services -> Windows Remote Management (WS-Management)** to:
+Set the following setting `Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services -> Windows Remote Management (WS-Management)` to:
 
 - **Startup Mode**: Automatic
 
  
 
-Create new service configuration under **Computer Configuration -> Preferences -> Control Panel Settings -> Services** with the following settings:
+Create new service configuration under `Computer Configuration -> Preferences -> Control Panel Settings -> Services` with the following settings:
 
 - **Service name**: WinRM
 - **Action**: Start service
@@ -45,23 +45,23 @@ Create new service configuration under **Computer Configuration -> Preferences -
 
 ## Optional
 
-Set the following setting **Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Polices/User Rights Assignment** to:
+Set the following setting `Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Polices/User Rights Assignment` to:
 
 - **Log on as a service**: [objects]
 
 **Note**: **objects** is a list of all domain groups and/or accounts allowed to log on the target server as a service.
 
  
 
-Set the following setting **Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups** to:
+Set the following setting `Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups` to:
 
 - **BUILTIN\Administrators**: [objects]
 
 **Note**: **objects** is a list of all domain groups and/or accounts given the administrator rights on the target server.
 
  
 
-Create new registry key under **Computer Configuration -> Preferences -> Windows Settings -> Registry** with the following settings:
+Create new registry key under `Computer Configuration -> Preferences -> Windows Settings -> Registry` with the following settings:
 
 - **Action**: Update
 - **Hive**: HKEY_LOCAL_MACHINE
@@ -72,7 +72,7 @@ Create new registry key under **Computer Configuration -> Preferences -> Windows
 
  
 
-Create new task under **Computer Configuration -> Preferences -> Control Panel Settings -> Scheduled Tasks** with the following settings:
+Create new task under `Computer Configuration -> Preferences -> Control Panel Settings -> Scheduled Tasks` with the following settings:
 
 - **Task type**: Immediate Task (At least Windows 7)
 - **Task**:
@@ -86,7 +86,7 @@ Create new task under **Computer Configuration -> Preferences -> Control Panel S
 
  
 
-Create new task under **Computer Configuration -> Preferences -> Control Panel Settings -> Scheduled Tasks** with the following settings:
+Create new task under `Computer Configuration -> Preferences -> Control Panel Settings -> Scheduled Tasks` with the following settings:
 
 - **Task type**: Scheduled Task (At least Windows 7)
 - **Action**: Update

GroupPolicyObjects/Windows Event Forwarding.md

@@ -13,29 +13,29 @@
 
 ## Configuration
 
-Set the following setting **Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups** to:
+Set the following setting `Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups` to:
 
 - **BUILTIN\Event Log Readers**: NT AUTHORITY\NETWORK SERVICE
 
 **Note**: Add to **BUILTIN\Event Log Readers** other groups/users, that should have remote access to local logs.
 
  
 
-Set the following setting **Computer Configuration -> Administrative Templates -> Windows Components -> Event Log Service -> Security -> Configure log access** to:
+Set the following setting `Computer Configuration -> Administrative Templates -> Windows Components -> Event Log Service -> Security -> Configure log access` to:
 
 - **Log Access**: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)
 
  
 
-Set the following setting **Computer Configuration -> Administrative Templates -> Windows Components -> Event Forwarding -> Configure forwarder resource usage** to:
+Set the following setting `Computer Configuration -> Administrative Templates -> Windows Components -> Event Forwarding -> Configure forwarder resource usage` to:
 
 - **The maximum forwarding rate ( events/sec ) allowed for the forwarder**: [X]
 
 **Note**: **X** is a number of events/per second sent to the Event Collector per each event source. Value too low would make the collector to fall behind it's event sources, value too high would make the collector's event log to overflood and erase previos events, before you can analyze them or collect them to your SIEM. You should test this setting in your environment and choose the value, that works for you.
 
  
 
-Set the following setting **Computer Configuration -> Administrative Templates -> Windows Components -> Event Forwarding -> Configure target Subscription Manager** to:
+Set the following setting `Computer Configuration -> Administrative Templates -> Windows Components -> Event Forwarding -> Configure target Subscription Manager` to:
 
 - **SubscriptionManagers**: Server=[proto]://[server]:[port]/wsman/SubscriptionManager/WEC,Refresh=[ref]
 

README.md

@@ -1,4 +1,4 @@
-# Windows Event Collector Guidance
+# Windows Event Forwarding Guidance
 ```
 	██╗    ██╗███████╗███████╗     ██████╗ ██╗   ██╗██╗██████╗  █████╗ ███╗   ██╗ ██████╗███████╗
 	██║    ██║██╔════╝██╔════╝    ██╔════╝ ██║   ██║██║██╔══██╗██╔══██╗████╗  ██║██╔════╝██╔════╝