Are you able to share a screenshot of your search options without leaking info?





It should be pretty straight forward. Do you need to maybe increase your time or the logs you’re searching?





What variations of your search string have you tried? Does regex search change anything?

i use the regex .* as the search string. I extended to the max time period and it is still the same

Mine works doing the above, assuming you tick the regex option when using .*





When you say you see 9 logs in your dashboard, do you mean UDM, Chronicle Dashboards or maybe an external source?

Chronicle dashboard indicates 9 sysmon events came in but then i do a raw event regex search with .*, it only returns 1 log event. I cant see what are the other 8 sysmon events that went into chronicle.