As @deepakc already pointed out - you can't find something that isn't there so unless some external source reports those events to Splunk, Splunk doesn't know about it. While you might try to set up some forms of auditing in Windows alone you'll typically end up with either too little information or too much (you can of course even set up procmon to run all the time and try to ingest its output but that's... not very convenient). And that's why you end up paying big bucks for DLP systems (which can have the nice feature of enforcing policy, not just detecting when someone violates it). ... View more