https://community.splunk.com/t5/Knowledge-Management/Windows-Logs-in-Endpoint-data-model/m-p/671415#M9825 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/263217">@sinhashubham014</a>,</P><P>I suppose that you are using the Splunk_TA_Windows on the Search Head for parsing.</P><P>Anyway, log ingestion isn't managed by ESCU: ESCU contains many Correlation Searches to use in ES or simply in Splunk Enterprise, no parsing or ingesting rules.</P><P>See if you are correctly parsing your logs and if there are the eventtypes to assign the correct tagging to your logs, so the DataModels are correctly populated.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 11 Dec 2023 07:43:24 GMT gcusello 2023-12-11T07:43:24Z https://community.splunk.com/t5/Knowledge-Management/Windows-Logs-in-Endpoint-data-model/m-p/671409#M9824 <P>Hello, i am deploying the ESCU searches in our environment. However, the endpoint logs are not ingested in Splunk. However for deploying the usecases, I ingested the Windws Security Logs with win event 4688/4689 to monitor the usecases. Sysmon logs are not ingested well. The Windows logs, configured with endpoint model are triggering the notables. Is it triggered notables relevant with the incident triage?</P> Mon, 11 Dec 2023 07:16:21 GMT https://community.splunk.com/t5/Knowledge-Management/Windows-Logs-in-Endpoint-data-model/m-p/671409#M9824 sinhashubham014 2023-12-11T07:16:21Z https://community.splunk.com/t5/Knowledge-Management/Windows-Logs-in-Endpoint-data-model/m-p/671415#M9825 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/263217">@sinhashubham014</a>,</P><P>I suppose that you are using the Splunk_TA_Windows on the Search Head for parsing.</P><P>Anyway, log ingestion isn't managed by ESCU: ESCU contains many Correlation Searches to use in ES or simply in Splunk Enterprise, no parsing or ingesting rules.</P><P>See if you are correctly parsing your logs and if there are the eventtypes to assign the correct tagging to your logs, so the DataModels are correctly populated.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 11 Dec 2023 07:43:24 GMT https://community.splunk.com/t5/Knowledge-Management/Windows-Logs-in-Endpoint-data-model/m-p/671415#M9825 gcusello 2023-12-11T07:43:24Z https://community.splunk.com/t5/Knowledge-Management/Windows-Logs-in-Endpoint-data-model/m-p/671418#M9826 <P>I have configured the Endpoint data model logs with windows:security, system and registery logs. However, when i triggered the ESCU usecases, it's showing the events.</P> Mon, 11 Dec 2023 08:03:01 GMT https://community.splunk.com/t5/Knowledge-Management/Windows-Logs-in-Endpoint-data-model/m-p/671418#M9826 sinhashubham014 2023-12-11T08:03:01Z https://community.splunk.com/t5/Knowledge-Management/Windows-Logs-in-Endpoint-data-model/m-p/671424#M9827 <P>HI&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/263217">@sinhashubham014</a>&nbsp;,</P><P>which ESCU Use Cases are triggered?</P><P>Why isn't the result you want?</P><P>Ciao.</P><P>Giuseppe</P> Mon, 11 Dec 2023 09:05:04 GMT https://community.splunk.com/t5/Knowledge-Management/Windows-Logs-in-Endpoint-data-model/m-p/671424#M9827 gcusello 2023-12-11T09:05:04Z