We wonder whether the WinEventLog can be applied to the Endpoint datamodels.
It seems to us that -
Endpoint.Process fits greatly win event id 4688 (A new process has been created).
Endpoint.Service could be populated with win event ID 4697 (A new service was installed)
However Source types for the Splunk Add-on for Windows lists for the CIM data models -
Application State, Authentication, Change Analysis, Performance, Updates and Vulnerabilities, while Application State is listed as deprecated.
Yes, and you can use this to help:
Splunk App for Enterprise Security and Windows Security log
Purpose of the app is:
Fix things the default Splunk Windows apps break
Fill the Enterprise Security Datamodels