Console use to find new accounts created

Good afternoon. I have now been using and testing Elastic Stack for over a month and have been able to get pretty far in it. I am working with Winlogbeat, Filebeat and Metricbeat (all at version 7.12.1) now, and one of the SRTMs that I need to answer is the ability to monitor account creation/deletion.

To that end I have created a new user account on my test machine. I know the time and date that I created the account, I have the Event Viewer log with the information regarding the process name, the Log group (Security) and the event id.

In terms of ELK configuration I have the following set: xpack.monitoring.collection.enabled;
xpack.security.enabled (in elasticsearch.yml);
xpack.security.authc.api_key.enabled (in elasticsearch.yml).

Winlogbeat is running and generating data every day. I am trying to run a query similar to the following, but I know I am missing something that will bring up the information I am looking for.

```
GET winlogbeat-*/_search
{
  "query": {
    "match": {
      "Event": "????"
    }
  }
}
```
I have tried multiple combinations and cannot get any data.

If anyone can point me in the direction I should be going it would be greatly appreciated.

Thank you
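As an added example (not part of the original post or a reply to it): Winlogbeat 7.x does not index a field called `Event`, so a `match` on it returns nothing. The Windows event ID is stored in the ECS field `event.code` (and in `winlog.event_id`), the log name in `winlog.channel`, and the account that was created or removed in `winlog.event_data.TargetUserName`. The script below builds a query body for the Security log event IDs that record account creation and deletion (4720/4726 for user accounts, 4741/4743 for computer accounts), which can be pasted into Kibana Dev Tools as `GET winlogbeat-*/_search`, and applies the same channel and event-code filter to a few constructed Winlogbeat-shaped documents so the logic can be checked offline. The sample documents, the `since` window and the hostname `TESTBOX` are constructed values, not data from the post.

```python
"""Added example: query Winlogbeat 7.x data for Windows account lifecycle events.

Not code from the original post. Field names follow what Winlogbeat 7.x
writes for the Security channel; sample documents below are constructed.
"""
import json

# Windows Security log event IDs for account creation/deletion.
ACCOUNT_EVENTS = {
    "4720": "user account created",
    "4726": "user account deleted",
    "4741": "computer account created",
    "4743": "computer account deleted",
}

# Constructed Winlogbeat-shaped documents (not real log data).
SAMPLE_DOCS = [
    {"@timestamp": "2021-05-10T14:02:11.000Z", "host": {"name": "TESTBOX"},
     "winlog": {"channel": "Security", "event_id": 4720,
                "event_data": {"TargetUserName": "svc_backup",
                               "SubjectUserName": "Administrator"}},
     "event": {"code": "4720"}},
    {"@timestamp": "2021-05-10T14:05:40.000Z", "host": {"name": "TESTBOX"},
     "winlog": {"channel": "Security", "event_id": 4624,
                "event_data": {"TargetUserName": "svc_backup"}},
     "event": {"code": "4624"}},  # a logon, not an account change
    {"@timestamp": "2021-05-10T15:30:02.000Z", "host": {"name": "TESTBOX"},
     "winlog": {"channel": "Security", "event_id": 4726,
                "event_data": {"TargetUserName": "svc_backup",
                               "SubjectUserName": "Administrator"}},
     "event": {"code": "4726"}},
    {"@timestamp": "2021-05-10T15:31:00.000Z", "host": {"name": "TESTBOX"},
     "winlog": {"channel": "System", "event_id": 4720},  # wrong channel
     "event": {"code": "4720"}},
]


def build_query(event_codes=ACCOUNT_EVENTS, since="now-24h", size=50):
    """Return an Elasticsearch query DSL body (a dict) for account events.

    `since` is a constructed default; adjust the window to taste.
    Filters are exact-value clauses, so `event.code` is given as strings,
    matching its keyword mapping in the Winlogbeat 7.x index template.
    """
    return {
        "size": size,
        "sort": [{"@timestamp": {"order": "desc"}}],
        "query": {"bool": {"filter": [
            {"term": {"winlog.channel": "Security"}},
            {"terms": {"event.code": sorted(event_codes)}},
            {"range": {"@timestamp": {"gte": since}}},
        ]}},
        "_source": ["@timestamp", "event.code", "host.name",
                    "winlog.event_data.TargetUserName",
                    "winlog.event_data.SubjectUserName"],
    }


def get_path(doc, dotted, default=None):
    """Look up a dotted path such as 'winlog.channel' in a nested document."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def filter_account_events(docs, event_codes=ACCOUNT_EVENTS):
    """Apply the channel and event-code filters from build_query() locally."""
    return [d for d in docs
            if get_path(d, "winlog.channel") == "Security"
            and get_path(d, "event.code") in event_codes]


def summarize(doc):
    """One-line description of a matched account event."""
    code = get_path(doc, "event.code")
    return (f"{get_path(doc, '@timestamp')} {code} {ACCOUNT_EVENTS[code]}: "
            f"target={get_path(doc, 'winlog.event_data.TargetUserName')} "
            f"by={get_path(doc, 'winlog.event_data.SubjectUserName')} "
            f"host={get_path(doc, 'host.name')}")


if __name__ == "__main__":
    print("# Paste after 'GET winlogbeat-*/_search' in Kibana Dev Tools:")
    print(json.dumps(build_query(), indent=2))
    print("# Local check against the constructed sample documents:")
    for hit in filter_account_events(SAMPLE_DOCS):
        print(summarize(hit))
```

The same filter also works as a Kibana KQL search over the `winlogbeat-*` index pattern: `winlog.channel : "Security" and event.code : (4720 or 4726 or 4741 or 4743)`. Note that the index pattern must be lowercase; Elasticsearch index names are always lowercase, so `WinlogBeat*` matches nothing.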
