Supported data sources in behavioral analytics service
Note: This topic applies only to customers on the Splunk Cloud platform.
Behavioral analytics service uses data sources to generate anomalies.
The following table identifies the source types supported by universal forwarders:
| Data source | Sourcetype for universal forwarder |
|---|---|
| Windows security logs |
XmlWinEventLog:Security
|
Windows event IDs supported in Splunk Behavioral Analytics
The following table summarizes the Microsoft Windows event IDs used by behavioral analytics service. See Configure Windows event logging to ensure the proper events are logged for instructions to properly log Microsoft Windows events.
| Event ID | Description | Supported for XmlWinEventLog |
|---|---|---|
| 4103 | Windows license activation failed | Yes |
| 4104 | PowerShell script block logging | Yes |
| 4624 | An account was successfully logged on | Yes |
| 4625 | An account failed to log on | Yes |
| 4648 | A logon was attempted using explicit credentials | Yes |
| 4661 | A handle to an object was requested | Yes |
| 4662 | An operation was performed on an object | Yes |
| 4663 | An attempt was made to access an object | Yes |
| 4670 | Permissions on an object were changed | Yes |
| 4673 | A privileged service was called | Yes |
| 4688 | A new process has been created | Yes |
| 4689 | A process has exited | Yes |
| 4720 | A user account was created | Yes |
| 4723 | An attempt was made to change an account's password | Yes |
| 4726 | A user account was deleted | Yes |
| 4756 | A member was added to a security | Yes |
| 4757 | A member was removed from a security | Yes |
| 4768 | A Kerberos authentication ticket (TGT) was requested | Yes |
| 4769 | A Kerberos service ticket was requested | Yes |
| 4771 | Kerberos pre-authentication failed | Yes |
| 4776 | The domain controller attempted to validate the credentials for an account | Yes |