Hi!
Hope can you guide me. I have several agents deployed and we have test local authentications and that events are not present in InisghtIDR even if I search by search log.
Another questios is the Insight Angent for IDR is the same that InisghtAnget for InisghtVM?
Tnk you all.
The agent is the same across IDR and IVM yes.
As for the local auth events, have you looked in asset authentication for the name of the machine like
where(hostname,loose)
if you are looking for a login from a specific user you could try
where(hostname AND user , loose)
The loose ensures case insensitive and partial match, so if the hostname actually appear in the log as the fqdn it would still match if you just search the short name.
David