SIEM & SOC fundamentals help

I am currently in the module “SIEM Visualization Example 4: Users added or removed from a local group (within a specific time period)” and I need to have the following configuration in Elastic. The problem is that I’m not getting any results and I think the settings are fine. Could someone correct me?

My conf:

filters: “event.code: is one of 4732, 4733” “ administrators”
rows: username.keyword / winglog.event_data.MemberSid.keyword / / event.action.keyword /

PS: I can’t post images of the configuration because I am a new user on the forum.

My configuration:

SOLVED :smiley:

How did you manage to tackle this problem, since I am having the same error?

When you start the objective, if you notice, the dashboard is already created.

You just have to look at the date that is established and enter it in the format they request. :wink:


Thank you for getting back to me with an answer, you rock, brother!