"AD Security Logs" Log Set Not Populating

Hi there,

We are not getting any logs in the “AD Security Logs” log set of our IDR instance. We have IDR collecting logs via WMI from our Domain Controller and are receiving logs in the Active Directory Admin Activity, Asset Authentication, and Host to IP Observations log sets, but we are not receiving logs in the “AD Security Logs” checkbox under each of those sections.


There isn’t much information regarding this issue in Microsoft’s or R7’s docs, so I was curious if this is an issue that someone has seen before and found a fix for.

Any help here would be much appreciated, thank you!

If those buckets exist then there has been some logs to them at one point in time. However the time frame that you’re currently looking in could be empty. What does the event source itself say?