Splunk® Enterprise Security

Administer Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. To resolve redirect errors, you must use the version selector on the ES documentation homepage to navigate between the versions.

Supported data sources in behavioral analytics service

This topic applies only to customers on the Splunk Cloud platform.

Behavioral analytics service uses data sources to generate anomalies.

The following table identifies the source types supported by universal forwarders:

Data source Sourcetype for universal forwarder
Windows security logs XmlWinEventLog:Security


Windows event IDs supported in Splunk Behavioral Analytics

The following table summarizes the Microsoft Windows event IDs used by behavioral analytics service. See Configure Windows event logging to ensure the proper events are logged for instructions to properly log Microsoft Windows events.

Event ID Description Supported for XmlWinEventLog
4103 Windows license activation failed Yes
4104 PowerShell script block logging Yes
4624 An account was successfully logged on Yes
4625 An account failed to log on Yes
4648 A logon was attempted using explicit credentials Yes
4661 A handle to an object was requested Yes
4662 An operation was performed on an object Yes
4663 An attempt was made to access an object Yes
4670 Permissions on an object were changed Yes
4673 A privileged service was called Yes
4688 A new process has been created Yes
4689 A process has exited Yes
4720 A user account was created Yes
4723 An attempt was made to change an account's password Yes
4726 A user account was deleted Yes
4756 A member was added to a security Yes
4757 A member was removed from a security Yes
4768 A Kerberos authentication ticket (TGT) was requested Yes
4769 A Kerberos service ticket was requested Yes
4771 Kerberos pre-authentication failed Yes
4776 The domain controller attempted to validate the credentials for an account Yes
Last modified on 06 June, 2025
Create an identity lookup from your cloud service provider data in Splunk Enterprise Security   Configure Windows event logging to ensure the proper events are logged

This documentation applies to the following versions of Splunk® Enterprise Security: 8.1.0

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters