User Account Creation rule not being triggered

I currently have a self hosted Elastic instance with the Elastic Agent deployed across one Windows Active Directory Domain Controller and a member Windows 10 VM.

When I create a user either on the Domain Controller (as a domain user) or a local user on the Windows 10 VM, neither are being detected by the default User Account Creation rule. Looking at the logs, I can see the Windows event is present in Elastic and if I create a custom rule based on the detection of Windows Event ID 4720 and this works as expected across both domain and local users.

Is this expected or am I doing something wrong?

Hi @tridentalpha! I've already had some adjustment problems in prebuild elastic rules where I need to clone the rule and make the necessary changes, for example, add an index that didn't include the events I would like to map.

What rule did you notice not matching? Did you see, in Kibana > Discover, if the event.code fields are coming right? Remembering that the elastic agent uses the index logs-*

As a last resort, I suggest duplicating the rule and adjusting to your scenario.