If Windows collection is not configured correctly, it will not work. You can check whether it is working from the Health & Wellness view or the Investigation view.
To verify that Windows collection is working from the Health & Wellness view:
- In the Security Analytics menu, select Administration > Health & Wellness.
- In the Event Source Monitoring tab, find a Windows event source type (for example, winevent_nic) in the Event Source Type column.
- Look for activity in the Count column to verify that Windows collection is accepting events.
The following figure illustrates how you can verify that Windows collection is working from the Investigation > Events view.
- In the Security Analytics menu, select Investigation > Events.
- Select the Log Decoder collecting Windows events in the Investigate a Service dialog.
- Look for a Windows service type in the Details column to verify that Windows collection is accepting events.