Since you did technically answer my question correctly 🙂 I did not phrase it correctly. I mean't to view windows security events that could possibly be malware.. not specifically malware events.. Thanks!

Correct, and those anomalies is what our security analyst would look at to determine the root cause and determine whether or not it is possibly intrusive activity. You'd be able to correlate with several other users' machines to determine what is an anomaly and what is normal activity.

As a Splunker, I suppose that I ought to suggest that you log all events from all software products and use full packet capture too 🙂 However, there's still a question about what you'll do with that data. ES is good at telling you that there are anomalies in flows of data, but you've still got to apply the subject matter expertise to know if that's malware behavior or something else. It won't tell you "this thing is malware that your EPP vendor doesn't know about", it will tell you "this is weird".

What about malware events that do not get detected by anti-malware software. I think that is the benefit of Enterprise security, the ability to track down these threats before they become "known" malware