Came across this after pulling my beard out - followed the stock instructions and data seemed to be indexed. However, the detection and dashboards drew blanks.
The key for me was "index=*" - that clued me in. It was just the indexes that were being searched by default.
Settings > Access Controls > Roles > Admin > Indexes searched by default (I added msad, permon and winevents)
The detection was then much more successful and I'm seeing data in the dashboards. Some tweaking required, but still!
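The check below is an added example, not part of the original post or of any Splunk app. It reads an authorize.conf and reports which expected indexes a role does not search by default, which is the gap the post describes. The sample configuration and the function names are constructed for illustration; it assumes the role setting behind "Indexes searched by default" is `srchIndexesDefault`, with semicolon-separated values and inheritance through `importRoles`.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed authorize.conf (not from the post): data is indexed, but the
# add-on indexes are missing from the admin role's default-search list.
SAMPLE = """
[role_user]
srchIndexesAllowed = *
srchIndexesDefault = main

[role_admin]
importRoles = user
srchIndexesAllowed = *;_*
srchIndexesDefault = main;os
"""
EXPECTED = ("msad", "permon", "winevents")  # index names as written in the post

def _values(cp, section, key):
    """Split a semicolon-separated authorize.conf setting into a list."""
    return [v.strip() for v in cp.get(section, key, fallback="").split(";") if v.strip()]

def default_indexes(conf_text, role):
    """Default-search index patterns for a role, following importRoles."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    patterns, seen, todo = set(), set(), [role]
    while todo:
        section = "role_" + todo.pop()
        if section in seen or not cp.has_section(section):
            continue
        seen.add(section)  # guards against circular importRoles
        patterns.update(_values(cp, section, "srchIndexesDefault"))
        todo.extend(_values(cp, section, "importRoles"))
    return patterns

def searched_by_default(index, patterns):
    """True if a search with no index= clause would cover this index."""
    # "*" does not match internal indexes (leading "_"); "_*" does.
    return any(fnmatchcase(index, p) and (p.startswith("_") or not index.startswith("_"))
               for p in patterns)

def missing_defaults(conf_text, role, expected=EXPECTED):
    """Expected indexes that the role does not search by default."""
    patterns = default_indexes(conf_text, role)
    return sorted(i for i in expected if not searched_by_default(i, patterns))

if __name__ == "__main__":
    print(missing_defaults(SAMPLE, "admin"))
```

An empty result means detections and dashboards that omit `index=` will see the data for that role; any name returned is indexed but invisible to those searches.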