Hello!
I use rule for checking Sysmon logs
'''any where event.code == 1 and process.executable: "C:\Windows\System32\sc.exe" '''
The rule is working, but it checks all existing indexes.
And my ELK is very loaded. How can I create a time filter for this rule?
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
