Replies: 1 comment
When you convert and test in Kibana, does the rule match any events?
Version: 2.4.210
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Standalone
Location: on-prem with Internet access
Hardware Specs: Exceeds minimum requirements
CPU: 4
RAM: 24
Storage for /: 250
Storage for /nsm: 200
Network Traffic Collection: span port
Network Traffic Speeds: 1Gbps to 10Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues
Detail:
I did create a detection rule to capture the EventID 4720 and enabled it. I also created a local account to trigger it on my host with Elastic Agent installed, but it does not work...
Here is my detection rule below:
```yaml
title: 'Detecting a Local Account Creation Event'
id: 53a08578-f762-473a-aeb8-798f4c0da44b
status: 'experimental'
description: |
  This will trigger when a local account is created on a windows endpoint, which trigger Event ID 4720
references:
author: 'Herve Miezan'
date: '2026/03/14'
tags:
logsource:
  category: process_creation
  service: security
  product: windows
detection:
  selection:
    EventID: 4720
  condition: selection
level: 'high' # info | low | medium | high | critical
```
Did I miss something?
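The posted rule pairs `category: process_creation` with a selection on EventID 4720. In the Sigma taxonomy for Windows, the `process_creation` category is translated by converters into a filter on Sysmon Event ID 1 or Security Event ID 4688, so a selection on 4720 can never match after conversion; 4720 is a Security-log event whose logsource is `product: windows` / `service: security` with no category. The check below is an added example (not code from the thread or from Security Onion) that flags this mismatch in the posted rule and shows the corrected logsource; the category-to-event-ID table is the assumption it relies on, and the rule is transcribed into the dictionary `yaml.safe_load` would produce.

```python
from copy import deepcopy
from typing import Any, Dict, List, Set

# Assumption (Sigma taxonomy, product windows): a logsource category is
# translated by converters into a filter on these event IDs.
CATEGORY_EVENT_IDS: Dict[str, Set[int]] = {"process_creation": {1, 4688}}

# Security-log events that carry no Sigma category; the logsource should be
# product: windows / service: security with no category line.
SECURITY_LOG_EVENTS: Set[int] = {4720}

# The rule from the post, transcribed to the structure yaml.safe_load would
# produce (only the fields the check needs).
POSTED_RULE: Dict[str, Any] = {
    "title": "Detecting a Local Account Creation Event",
    "logsource": {"category": "process_creation", "service": "security",
                  "product": "windows"},
    "detection": {"selection": {"EventID": 4720}, "condition": "selection"},
}

def event_ids(selection: Dict[str, Any]) -> Set[int]:
    """Collect EventID values from a selection (scalar or list)."""
    value = selection.get("EventID", [])
    return {int(v) for v in (value if isinstance(value, list) else [value])}

def lint_logsource(rule: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means no mismatch."""
    findings: List[str] = []
    logsource = rule.get("logsource", {})
    category, service = logsource.get("category"), logsource.get("service")
    ids = event_ids(rule["detection"]["selection"])
    expected = CATEGORY_EVENT_IDS.get(category)
    if expected is not None and ids - expected:
        findings.append(
            f"category '{category}' is converted to a filter on EventID "
            f"{sorted(expected)}; EventID {sorted(ids - expected)} can never match")
    for eid in sorted(ids & SECURITY_LOG_EVENTS):
        if category is not None or service != "security":
            findings.append(
                f"EventID {eid} is a Security-log event: use service: security "
                "with no category")
    return findings

def fix_logsource(rule: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy with the logsource narrowed to the Windows Security log."""
    fixed = deepcopy(rule)
    fixed["logsource"] = {"product": "windows", "service": "security"}
    return fixed

if __name__ == "__main__":
    for finding in lint_logsource(POSTED_RULE):
        print("finding:", finding)
    print("after fix:", lint_logsource(fix_logsource(POSTED_RULE)) or "clean")
```

Running the script against the posted rule reports the two findings and an empty result for the corrected logsource; the same check can be run over any rule loaded with `yaml.safe_load` before it is imported into Security Onion.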