Using IDR to parse agent logs for windows service usage - possible with this tool?

Hello all,

New to IDR. I would like to query all Windows endpoints in a given AD OU or OS version to monitor activity for a given Windows service, say for example Print Spooler, over a period of time. Figuring out LEQL as I go but I'm not about that life (yet) 🙂. Any pointers here, or is this the wrong toolset to be using? Thanks!

What are you trying to achieve? You should be able to do this with the default endpoint telemetry data collected. For example:

where("parent_process.exe_file.internal_name" = "spoolsv.exe") groupby("process.cmd_line")

This will give you a list of commands run where the parent process is the Windows Print Spooler. If you want the literal Windows event logs, you can ingest them directly. Make sure you pay attention to the warning: if you try to import all event logs from all devices, the volume of data is going to get out of control really fast. You can read how to do it here: Generic Windows Event Log | InsightIDR Documentation
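An added example, not from the thread, that emulates the where/groupby query above in Python over constructed process events, so the grouping and the edge case of an event with no parent_process field can be checked offline. The os_version, hostname and timestamp fields are assumptions for illustration, not documented InsightIDR field names.

```python
# Added example: emulates the LEQL query
#   where("parent_process.exe_file.internal_name" = "spoolsv.exe") groupby("process.cmd_line")
# over constructed events. hostname/os_version/timestamp are assumed field names.
from collections import Counter

# Constructed sample events, shaped like the nested JSON shown in log search.
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T09:00:00Z", "hostname": "WS01", "os_version": "Windows 10",
     "parent_process": {"exe_file": {"internal_name": "spoolsv.exe"}},
     "process": {"cmd_line": r"C:\Windows\System32\rundll32.exe printui.dll,PrintUIEntry"}},
    {"timestamp": "2024-05-01T09:05:00Z", "hostname": "WS02", "os_version": "Windows 10",
     "parent_process": {"exe_file": {"internal_name": "spoolsv.exe"}},
     "process": {"cmd_line": r"C:\Windows\System32\rundll32.exe printui.dll,PrintUIEntry"}},
    {"timestamp": "2024-05-01T09:07:00Z", "hostname": "WS02", "os_version": "Windows 10",
     "parent_process": {"exe_file": {"internal_name": "spoolsv.exe"}},
     "process": {"cmd_line": r"C:\Windows\splwow64.exe 8192"}},
    # The spooler itself starting: parent is services.exe, so it must NOT match.
    {"timestamp": "2024-05-01T09:10:00Z", "hostname": "SRV01", "os_version": "Windows Server 2019",
     "parent_process": {"exe_file": {"internal_name": "services.exe"}},
     "process": {"cmd_line": r"C:\Windows\System32\spoolsv.exe"}},
    # Event with no parent_process at all: the dotted lookup must not raise.
    {"timestamp": "2024-05-01T09:12:00Z", "hostname": "WS03", "os_version": "Windows 10",
     "process": {"cmd_line": r"C:\Windows\explorer.exe"}},
]

def get_field(event, dotted):
    """Resolve a dotted LEQL field name ("a.b.c") against nested dicts; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def where(events, field, value):
    """LEQL where("field" = "value"): keep events whose field exactly equals value."""
    return [e for e in events if get_field(e, field) == value]

def groupby(events, field):
    """LEQL groupby("field"): distinct values of the field with their event counts."""
    return Counter(get_field(e, field) for e in events)

def spooler_child_commands(events, os_version=None):
    """The query from the answer, optionally scoped to one OS version first
    (the asker's requirement; the os_version field name is an assumption)."""
    if os_version is not None:
        events = where(events, "os_version", os_version)
    spooler_children = where(events, "parent_process.exe_file.internal_name", "spoolsv.exe")
    return groupby(spooler_children, "process.cmd_line")

if __name__ == "__main__":
    for cmd_line, count in spooler_child_commands(SAMPLE_EVENTS).most_common():
        print(f"{count:3d}  {cmd_line}")
```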