I'm testing the SIEM solution along with Winlogbeat to send event logs and Sysmon logs.
When viewing the premade alerts, dashboards and more, I feel like certain events should be there but do not show. For example, starting PowerShell, executing cmd.exe and then starting tasklist. These should create at least two alerts according to the configured alerts, and even using the query to search for all instances of PowerShell processes I can't seem to find any.
I am guessing this is because the current audit policy on the machine is not configured to audit the specific things needed.
So this leads me to the question: how should Windows auditing be configured to make the best use of the platform?
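Added example, not part of the original post: a PowerShell check of the two host settings that decide whether Windows writes process-creation events at all (the "Process Creation" audit subcategory behind Security event 4688, and the registry value that puts the command line into 4688), followed by a reproduction of the PowerShell -> cmd.exe -> tasklist chain from the question, looked up in both the Security log and the Sysmon channel. It assumes Sysmon is installed and writing to Microsoft-Windows-Sysmon/Operational, that auditpol uses the English subcategory name, and that the shell is elevated; those are assumptions of the example, not facts from the post.

```powershell
#Requires -RunAsAdministrator
# Example diagnostic (not from the original post). Assumptions: Sysmon is
# installed and logs to Microsoft-Windows-Sysmon/Operational; auditpol uses
# English subcategory names; the shell is elevated so auditpol and the
# Security log are readable.

# Pull one named <Data> element out of an event's XML, so the script does not
# depend on the positional Properties order (which differs between Sysmon versions).
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Is the "Process Creation" subcategory audited? This is what produces
#    Security event 4688. /r returns CSV; blank lines are dropped before parsing.
$row = auditpol /get /subcategory:"Process Creation" /r |
    Where-Object { $_ -match '\S' } | ConvertFrom-Csv
$setting = $row.'Inclusion Setting'
Write-Host "Process Creation audit policy     : $setting"
if ($setting -notmatch 'Success') {
    Write-Warning 'No 4688 events will be written. To enable:'
    Write-Warning '  auditpol /set /subcategory:"Process Creation" /success:enable'
}

# 2. Is the command line included in 4688? Without this the CommandLine field
#    is blank, so "cmd.exe /c tasklist" is invisible even when 4688 fires.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$cmdLine  = (Get-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled `
             -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
Write-Host "Command line in 4688 (reg value)  : $cmdLine"
if ($cmdLine -ne 1) {
    Write-Warning 'Command-line logging is off. To enable:'
    Write-Warning "  New-Item -Path '$auditKey' -Force | Out-Null"
    Write-Warning "  Set-ItemProperty -Path '$auditKey' -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord"
}

# 3. Reproduce the chain from the question (PowerShell -> cmd.exe -> tasklist)
#    and look for it in both logs.
$since = (Get-Date).AddSeconds(-5)
Start-Process -FilePath cmd.exe -ArgumentList '/c tasklist' -WindowStyle Hidden -Wait
Start-Sleep -Seconds 3   # give the Security log and Sysmon a moment to flush

$filter4688 = @{ LogName = 'Security'; Id = 4688; StartTime = $since }
$filterSys1 = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since }
$sec    = @(Get-WinEvent -FilterHashtable $filter4688 -ErrorAction SilentlyContinue)
$sysmon = @(Get-WinEvent -FilterHashtable $filterSys1 -ErrorAction SilentlyContinue)

$secHits    = @($sec    | Where-Object { (Get-EventField $_ 'NewProcessName') -match '\\(cmd|tasklist)\.exe$' })
$sysmonHits = @($sysmon | Where-Object { (Get-EventField $_ 'Image')          -match '\\(cmd|tasklist)\.exe$' })

Write-Host "Security 4688 for cmd/tasklist    : $($secHits.Count)"
Write-Host "Sysmon EID 1 for cmd/tasklist     : $($sysmonHits.Count)"
foreach ($e in $secHits)    { Write-Host ('  4688  ' + (Get-EventField $e 'CommandLine')) }
foreach ($e in $sysmonHits) { Write-Host ('  Sys1  ' + (Get-EventField $e 'CommandLine')) }

# Reading the result: 4688 count is 0 -> fix the audit policy / registry above.
# Sysmon EID 1 count is also 0 -> the audit policy is not the cause, because
# Sysmon's process-creation events come from its own driver and config, not
# from the Windows audit policy; check Sysmon's ProcessCreate rules and the
# channel list Winlogbeat ships.
```

Run it from an elevated PowerShell on the monitored host. If the Security log shows the cmd.exe and tasklist.exe 4688 events locally but the SIEM does not, the host is fine and the gap is in forwarding (for Winlogbeat, the `winlogbeat.event_logs` entries must include `Security` and `Microsoft-Windows-Sysmon/Operational`) or in the alert's field mapping. If Sysmon event 1 is empty as well, the audit policy is not what is missing, since Sysmon does not depend on it.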