I'm a newbie and I'm trying to configure Security Essentials to search for "net user /DOMAIN" discovery on my AD server.
I've installed a Universal Forwarder on the AD server with Sysmon and configured inputs.conf with the following entries:
[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
If I run a simple search using index=* "net.exe" AND " user*" AND "*/do*"
I get results from source WinEventLog:Microsoft-Windows-Sysmon/Operational,
while if I use the Analytic Story "Domain Account Discovery With Net App", which uses the Endpoint data model, no events are returned. It seems that the events in the data model come only from source WinEventLog:Security.
What am I missing?
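The gap between the raw search and the data model search can be checked directly from the search bar. The searches below are an added example, not part of the original post or of the Analytic Story; they assume the Splunk Common Information Model app (which provides the Endpoint data model) is installed on the search head, and the index name is a placeholder. The first search lists which sourcetypes currently feed Endpoint.Processes, the second shows whether the Sysmon process-creation events carry the tags the data model's constraint requires, and the third is the shape of the data-model search the detection relies on.

```spl
| tstats count from datamodel=Endpoint.Processes
    where Processes.process_name="net.exe"
    by sourcetype, Processes.dest, Processes.process
| rename Processes.* as *
| sort - count
```

```spl
index=YOUR_WINDOWS_INDEX source="*Sysmon/Operational" EventCode=1 "net.exe"
| table _time sourcetype tag process_name process parent_process_name dest user
```

```spl
| tstats summariesonly=false count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.process_name="net.exe" Processes.process="* user*" Processes.process="*/do*"
    by Processes.dest, Processes.user, Processes.process
| rename Processes.* as *
```

If the first search returns only WinEventLog:Security, the Sysmon events are indexed but not mapped into the data model: Endpoint.Processes only picks up events tagged process and report with the CIM field names (process_name, process, dest, user, parent_process_name), and those tags and fields come from an add-on's props and transforms, not from the raw WinEventLog input. The second search makes this visible: the tag column is empty and process_name is missing for the Sysmon rows. The Splunk Add-on for Sysmon performs that mapping, and it expects the XML-rendered event format (renderXml = true in the input stanza, giving sourcetype XmlWinEventLog:Microsoft-Windows-Sysmon/Operational); treat the add-on's own documentation as authoritative for the exact stanza it requires. Using summariesonly=false in the third search is a useful check while tuning, since the acceleration summary may not yet cover freshly ingested events.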