Elasticsearch security rule and alert testing

Hi all,

I am testing out Elasticsearch security rule: User added to Privileged Group in Active Directory:

User Added to Privileged Group in Active Directory | Elastic Security Solution [7.17] | Elastic

I have an Active Directory running and Winlogbeat set up to receive Windows events. As per the rule indices, I have set up the index pattern "winlogbeat-*", and when I added an AD user to the "Domain Admins" group, I can see the event ID 4728 for user added to privileged group being recorded in the Discover tab for index pattern "winlogbeat-*", but the security rule doesn't seem to pick it up or show any response although it is enabled.

Would like some advice if I am missing out on any settings. Thanks!

Hey @MarcTan,

Could you please share the JSON of the original event document that you see in Discover?

Also, just to confirm, you are on version 7.17, correct?

Hi,

Yes, my version is 7.17. I am unable to share the JSON document as it resides in the protected network of my organisation, but I have verified the following:

event.category: ["iam"]
event.action: "added-member-to-group"
group.name: "Domain Admins"
_index: "winlogbeat-7.17.17-2025.01.10-000001"

Winlogbeat version is 7.17.17, Kibana version is 7.17.23
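An added example, not code from this thread or from Elastic, for checking a Winlogbeat document offline against the conditions the rule is understood to require (the fields named above plus a look-back window). The group list and the 9-minute look-back are assumptions approximating the rule's defaults, not the rule's actual JSON; the sample documents are constructed.

```python
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Assumed approximation of the rule's conditions; verify against the rule's own query in Kibana.
PRIVILEGED_GROUPS = ("Admin*", "Domain Admins", "Enterprise Admins", "Schema Admins", "DnsAdmins")
LOOKBACK = timedelta(minutes=9)  # assumed rule window: 5m interval + additional look-back

def _as_list(value):
    """ECS fields such as event.category may be a string or an array in the source document."""
    return value if isinstance(value, list) else [value]

def check_rule_match(doc, now):
    """Return the reasons the document would NOT match; an empty list means it should match."""
    reasons = []
    event = doc.get("event", {})
    if "iam" not in _as_list(event.get("category", [])):
        reasons.append("event.category does not contain 'iam'")
    if event.get("action") != "added-member-to-group":
        reasons.append("event.action is not 'added-member-to-group'")
    group = doc.get("group", {}).get("name")
    if not group or not any(fnmatchcase(group, pat) for pat in PRIVILEGED_GROUPS):
        reasons.append(f"group.name {group!r} is not in the privileged-group list")
    ts = doc.get("@timestamp")
    try:
        parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if not (now - LOOKBACK <= parsed <= now):
            reasons.append("@timestamp is outside the rule's look-back window")
    except (AttributeError, ValueError):
        reasons.append("@timestamp missing or not parseable")
    return reasons

# Constructed sample documents modelled on a 4728 event shipped by Winlogbeat.
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLES = {
    "recent_domain_admins": {"@timestamp": "2025-01-10T11:55:00.000Z", "event": {"code": "4728",
        "category": ["iam"], "action": "added-member-to-group"}, "group": {"name": "Domain Admins"}},
    "category_as_string": {"@timestamp": "2025-01-10T11:58:00.000Z", "event": {"code": "4728",
        "category": "iam", "action": "added-member-to-group"}, "group": {"name": "Schema Admins"}},
    "stale_event": {"@timestamp": "2025-01-10T10:00:00.000Z", "event": {"code": "4728",
        "category": ["iam"], "action": "added-member-to-group"}, "group": {"name": "Domain Admins"}},
    "non_privileged_group": {"@timestamp": "2025-01-10T11:59:00.000Z", "event": {"code": "4728",
        "category": ["iam"], "action": "added-member-to-group"}, "group": {"name": "Sales"}},
}

def diagnose_samples():
    """Map each sample name to the list of failing conditions (empty list = would alert)."""
    return {name: check_rule_match(doc, NOW) for name, doc in SAMPLES.items()}

if __name__ == "__main__":
    for name, reasons in diagnose_samples().items():
        print(name, "->", "MATCH" if not reasons else "; ".join(reasons))
```

A document that passes every check here but still raises no alert points at rule-side settings (the rule's index pattern, schedule, or exception list) rather than at the event itself.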