I have created a build rule:
reference.id ='4624' && ec.activity="Logon" && device.type='winevent_nic' && logon.type !='3' && logon.type !='5'
Based on that rule I have created reports and scheduled them to run daily at 23:45 so I can have activity from 18:00 (past day) - 07:45 (that day). But I have noticed that I do not get the correct result. I know users that have been logged at 19:00 but they are not showing in the report. Any advice, please?
Hello, question here. Is your event detected? And is the date timestamp parsed?
Hello. Yes, we are receiving logs from our AD with Windows events. Even with the time stamp.