Question about searching winlog events

mnv_1 · July 23, 2019, 12:45pm

Hello!
I'm using latest winlogbeat with ECS and its shipping security events in Elasticsearch. I've created a local user on Windows machine without password and get error, that password does not compline with local policies.
In windows event viewer I see three events:

event_id = 4720 - user created.
event_id = 4729 - user was removed from a security-enabled global group.
event_id = 4726 - user deleted.

If i create user correctly I have only one event with id 4720 and its fine.
How can I filter out "wrong created" users using elasticsearch query?

system · August 20, 2019, 12:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat event id missing Beats winlogbeat	5	510	January 17, 2022
Detecting Active Directory Activity Beats winlogbeat	3	34	July 20, 2024
Console use to find new accounts created Elastic Security	1	327	July 9, 2021
Elastic Query for alerts Windows Elasticsearch	1	317	February 1, 2022
Help with Winlogbeat and filtering computer accounts Elasticsearch	1	250	December 30, 2021

Question about searching winlog events

Related topics