The Windows default event log configuration may not generate log data for the events you need. Therefore, it's a best practice to review the Recommended Audit Policies by Operating System on the Microsoft website and make the required changes for your deployment.
If you're new to collecting Windows endpoint event log data with the Splunk platform, then review Monitor Windows event log data in the Getting Data In manual and Getting data into Splunk from Windows endpoints
Configure Windows event log audit policy and event logs to capture the correct event
Changing your Windows event log audit policy impacts the event log traffic. If you need to change the audit policy, use the Group Policy feature or the configuration management tools of your choice. To see an example of using the group policy objects (GPO), see the Step-By-Step: Enabling Advanced Security Audit Policy via DS Access blog post on the Microsoft | TelNet website.
See Collecting basic Windows event log data for best practices for collecting Windows endpoint log data with the Splunk platform.
Go beyond the default audit policy
Change the default settings to the baseline or stronger audit policy settings to meet the needs of your deployment. Configure non-standard logging to meet your security use case requirements. For example, if
your corporate policy prohibits using a USB or external devices, then enable the Audit Removable Storage. For example, see Monitor the use of removable storage devices on the Microsoft website.
Verify your changes
Consider testing the changes before adding them to your production environment. To test the changes, view the event logs to ensure the required messages display or review the related Microsoft documentation to find a procedure to verify your changes.