Annotate Windows event logs shipped with Windows Event Forwarding (WEF)

Using WEF together with the WEC collector does not offer any possibility to add this information.

However, some alternative exist but they are not perfect:

• Use your DHCP server logs and correlate the IP contained in those logs with the one you would have resolved while doing the DNS resolution in your SIEM
• Use an emulated WEC server (creates a WinRM listener) using NXLog agent enterprise or SYSLOG NG Premium. Once in place, you can adjust the specified query to enrich the events. For NXLog, you can enrich IP and FQDN (not sure for the MAC address): define ADD_AGENT_INFO $agent_ip= host_ip(); $agent_fqdn= hostname_fqdn();
• Use a dedicated agent on the source hosts: this goes against the agentless approach but in theory some agent solution could add this information (Splunk ?)
• Use an asset inventory database and enrich your collected events with this data

Actually, why would you like to have this information in your SIEM ? Do you have specific use cases in mind ?