I'm trying to set up the detection rule called "Privilege Escalation via Windir Environment Variable" but the data that this rule relies upon isn't getting to elastic. I've made sure to have everything set up correctly, and yet I'm not receiving the desired logs.
Here's my checklist to ensure a sensible setup for this AFAIK:
- Sysmon Operational toggle in the windows integration settings is ON.
- Default sysmon config.
- Relevant fields are indeed in the index mappings.
- Local logs, reveal that everything is correctly being logged in event viewer -- Microsoft-Windows-Sysmon/Operational
Since it is mentioned in the related integrations section, I added elastic defend as well to see if that would fix anything. That did add some registry events but nothing that is relevant to the rule. Furthermore, the only events that are getting fetched are automatic system changes. Anything manual I try for testing purposes doesn't appear in elastic at all.
Has anyone experienced something similar? Are there known ways to fix this?