Do you get any results when you run this search?
eventtype=msad-admin-audit NOT src_nt_domain="NT AUTHORITY"|
This is the search that populates the Acount Domain and Administrator drop down menus.
The EventType msad-admin-audit relies on data from the following nested eventtypes. If you're not getting data back from these searches, then there is a problem with your data ingestion.
eventtype=msad-group-changes
eventtype=msad-nt5-group-changes
sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security
(EventCode=631 OR EventCode=634 OR EventCode=635 OR EventCode=638 OR EventCode=639 OR EventCode=641 OR EventCode=648 OR EventCode=649 OR EventCode=652 OR EventCode=653 OR EventCode=654 OR EventCode=657 OR EventCode=658 OR EventCode=659 OR EventCode=662 OR EventCode=663 OR EventCode=664 OR EventCode=667 OR EventCode=668)
eventtype=msad-nt6-group-changes
sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security
(EventCode=4727 OR EventCode=4730 OR EventCode=4731 OR EventCode=4734 OR EventCode=4735 OR EventCode=4737 OR EventCode=4744 OR EventCode=4745 OR EventCode=4748 OR EventCode=4749 OR EventCode=4750 OR EventCode=4753 OR EventCode=4754 OR EventCode=4755 OR EventCode=4758 OR EventCode=4759 OR EventCode=4760 OR EventCode=4763 OR EventCode=4764)
eventtype=msad-groupmembership-changes
eventtype=msad-nt5-groupmembership-changes
sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security
(EventCode=632 OR EventCode=633 OR EventCode=636 OR EventCode=637 OR EventCode=650 OR EventCode=651 OR EventCode=655 OR EventCode=656 OR EventCode=660 OR EventCode=661 OR EventCode=665 OR EventCode=666)
eventtype=msad-nt6-groupmembership-changes
sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security
(EventCode=4728 OR EventCode=4729 OR EventCode=4732 OR EventCode=4733 OR EventCode=4746 OR EventCode=4747 OR EventCode=4751 OR EventCode=4752 OR EventCode=4756 OR EventCode=4757 OR EventCode=4761 OR EventCode=4762)
eventtype=msad-computer-changes
eventtype=msad-nt5-computer-changes
sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security
(EventCode=645 OR EventCode=646 OR EventCode=647)
eventtype=msad-nt6-computer-changes
sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security
(EventCode=4741 OR EventCode=4742 OR EventCode=4743)
eventtype=msad-user-changes
eventtype=msad-nt5-user-changes
sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security
(EventCode=624 OR EventCode=625 OR EventCode=626 OR EventCode=628 OR EventCode=629 OR EventCode=630 OR EventCode=642 OR EventCode=671 OR EventCode=685 OR EventCode=807) user!="*$"
eventtype=msad-nt6-user-changes
sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security
(EventCode=4720 OR EventCode=4722 OR EventCode=4724 OR EventCode=4725 OR EventCode=4726 OR EventCode=4738 OR EventCode=4767 OR EventCode=4781 OR EventCode=4912) user!="*$"
eventtype=msad-account-lockout
eventtype=msad-nt5-account-lockout
sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security EventCode=644
eventtype=msad-nt6-account-lockout
sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security EventCode=4740
eventtype=msad-account-unlock)
eventtype=msad-nt5-account-unlock
sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security EventCode=671
eventtype=msad-nt6-account-unlock
sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security EventCode=4767
... View more
