Microsoft Windows

Monitor Windows data with the Splunk platform

How to get Windows data into your Splunk deployment

Windows data you can collect	Link to supporting documentation
Event Logs	Monitor Windows event log data with Splunk Enterprise
File system changes	Monitor file system changes on Windows
Active Directory	Monitor Active Directory
Data through the Windows Management Instrumentation (WMI) infrastructure	Monitor data through Windows Management Instrumentation (WMI)
Registry data	Monitor Windows Registry data
Performance metrics	Monitor Windows performance
Host information	Monitor Windows host information
Print information	Monitor Windows printer information
Network information	Monitor Windows network information

Powershell

Monitor Windows data with PowerShell scripts

How to Use PowerShell Transcription Logs in Splunk

[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = 0
renderXml = false
index = wineventlog
source = Microsoft-Windows-PowerShell/Operational
sourcetype = WinEventLog
evt_resolve_ad_obj = 1

[WinEventLog://Windows PowerShell]
disabled = 0
index=wineventlog

Microsoft Defender XDR

Splunk

[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
disabled = 0
renderXml = false
index = wineventlog
source = Microsoft-Windows-Windows Defender/Operational
sourcetype = WinEventLog
evt_resolve_ad_obj = 1