Valid Accounts: Local Accounts - Part 2 - working with Elastic Siem

Hello,
I am working in the subject lab - “Valid Accounts: Local Accounts” - Part 2 in Elastic. In step 6,
In the Search field, type event.code : 4688 AND process.name : net.exe and click the Update button to search for Windows Event 4688 “A new process have been created” where net.exe was executed. However, ELS does not recognize the search criteria. I typed this criteria several times and even tried variations. But still no luck. Why is this happening? Please advise. I have added a screenshot for your review.

Thank you.

image1910×807 170 KB

I just tested and this does work…

image1053×454 34.6 KB

I’m thinking that Part 1 took more than 30 minutes, which is ok. If you run into this again, just set the Date and Time to Last 24 hours

We do call this out:

image464×156 10.8 KB