Hi all,
I am testing out the Elasticsearch security rule "User Added to Privileged Group in Active Directory":
User Added to Privileged Group in Active Directory | Elastic Security Solution [7.17] | Elastic
I have an Active Directory running and winlogbeat set up to receive Windows events. As per the rule indices, I have set up the index pattern "winlogbeat-*", and when I added an AD user to the "Domain Admins" group, I can see event ID 4728 (user added to privileged group) being recorded in the Discover tab for the index pattern "winlogbeat-*", but the security rule doesn't seem to pick it up or show any response, although it is enabled.
I would like some advice on whether I am missing any settings. Thanks!
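The rule quoted in the post does not look for event ID 4728 as such; in 7.17 it is an EQL query over ECS fields (`event.category` containing `iam`, `event.action` equal to `added-member-to-group`, and `group.name` in a list of privileged groups), and winlogbeat only populates those fields when its security module enriches the raw 4728 record. The script below is an added example, not code from the post or from Elastic, that replays those conditions over constructed winlogbeat-style documents so the difference between "the event is in Discover" and "the rule can match it" is visible. The privileged-group list is reproduced from memory of the rule and should be checked against the rule page; the sample documents are constructed, trimmed to the fields the rule reads.

```python
"""Replay the rule's conditions over constructed winlogbeat documents.

Added example, not part of the original post or of Elastic's rule code.
The conditions are modeled on the 7.17 rule's EQL query; the group list
is quoted from memory and should be verified against the rule page.
"""
import fnmatch

# Assumed group list (see module docstring). EQL ':' is a case-insensitive
# wildcard comparison, so "Admin*" is matched with fnmatch on lowercased text.
PRIVILEGED_GROUPS = (
    "Admin*", "Local Administrators", "Domain Admins", "Enterprise Admins",
    "Backup Admins", "Schema Admins", "DnsAdmins",
    "Exchange Organization Administrators", "Print Operators",
    "Server Operators", "Account Operators",
)


def get_field(doc, dotted):
    """Walk a dotted ECS path such as 'event.action' through a nested dict."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def is_privileged_group(name):
    """True if name matches one of the rule's group patterns (case-insensitive)."""
    if not isinstance(name, str):
        return False
    return any(fnmatch.fnmatchcase(name.lower(), pat.lower())
               for pat in PRIVILEGED_GROUPS)


def rule_failures(doc):
    """Return the rule conditions this document fails; an empty list means it would alert."""
    failures = []
    category = get_field(doc, "event.category")
    if isinstance(category, str):          # ECS allows a string or a list here
        category = [category]
    if not category or "iam" not in category:
        failures.append("event.category missing 'iam'")
    if get_field(doc, "event.action") != "added-member-to-group":
        failures.append("event.action != 'added-member-to-group'")
    if not is_privileged_group(get_field(doc, "group.name")):
        failures.append("group.name absent or not a privileged group")
    return failures


# Constructed sample documents (not real captures), trimmed to relevant fields.

# 1. 4728 shipped through winlogbeat's security module: ECS fields populated.
ENRICHED_4728 = {
    "event": {"code": "4728", "category": ["iam"], "type": ["group", "change"],
              "action": "added-member-to-group",
              "provider": "Microsoft-Windows-Security-Auditing"},
    "group": {"name": "Domain Admins", "domain": "CORP"},
    "user": {"name": "jdoe", "domain": "CORP"},
    "winlog": {"event_id": 4728, "channel": "Security"},
}

# 2. Same 4728 with only the raw winlog fields: visible in Discover by
#    event_id, but none of the ECS fields the rule queries exist.
RAW_4728 = {
    "event": {"code": "4728", "provider": "Microsoft-Windows-Security-Auditing"},
    "winlog": {"event_id": 4728, "channel": "Security",
               "event_data": {"TargetUserName": "Domain Admins",
                              "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=local"}},
}

# 3. Enriched 4728 for a non-privileged group: correctly produces no alert.
ENRICHED_FINANCE = {
    "event": {"code": "4728", "category": ["iam"],
              "action": "added-member-to-group"},
    "group": {"name": "Finance Users", "domain": "CORP"},
}


if __name__ == "__main__":
    samples = [("enriched", ENRICHED_4728), ("raw", RAW_4728),
               ("finance", ENRICHED_FINANCE)]
    for label, doc in samples:
        fails = rule_failures(doc)
        verdict = "ALERT" if not fails else "no alert: " + "; ".join(fails)
        print(f"{label}: {verdict}")
```

The practical check this suggests: open the 4728 document in Discover and confirm that `event.category`, `event.action` and `group.name` are present with the values above. If only `winlog.event_id` and `winlog.event_data.*` are there, the rule has nothing to match on regardless of the index pattern, and the fix is on the winlogbeat side (security module enrichment) rather than in the rule settings. If the fields are present, the next things to look at are the rule's "Last response" and failure history and whether the event's `@timestamp` falls inside the rule's look-back window.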