Hi folks, I'm very new to ELK and am attempting to help our Information Security office with a few tasks. Per our Information Security Office, applications must be approved prior to being installed on a computer. Unfortunately sometimes staff, or one of our users who have admin permissions, will install an unapproved app to Program Files. Could someone please help me create a search string that can be used to find the person who entered their admin/privileged account to install something? Thanks in advance.
Welcome to our community!
This will entirely depend on what data you are storing in Elasticsearch and from what sources.
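As an added illustration of what such a search can look like once the data source is known (this is example code, not part of the original thread or of Elastic's own tooling): it assumes the endpoints are Windows hosts, that Winlogbeat ships the Security and Application channels, and that the field names follow the ECS names Winlogbeat uses (`event.code`, `winlog.provider_name`, `user.name`, `process.name`, `process.executable`). All of those are assumptions to check against your own index. The script builds a KQL query you could paste into Kibana Discover and applies the same logic offline to a few constructed sample events, so you can see which account shows up as the installer.

```python
"""Find who installed software on Windows hosts from Winlogbeat-style events.

Assumptions (not from the original thread): Windows hosts, Winlogbeat shipping
the Security and Application channels, ECS field names as Winlogbeat emits them.
Two signals are used:
  * MsiInstaller event 11707 in the Application log ("Installation completed
    successfully"), which carries the account that ran the MSI.
  * Security event 4688 (process creation; requires "Audit Process Creation"
    to be enabled) where the new process looks like an installer. The
    filename heuristic (msiexec.exe / *setup* / *install*) is ours and will
    need tuning for your environment.
"""
from typing import Dict, List

# Constructed sample events in the shape Winlogbeat produces (not real log data).
SAMPLE_EVENTS: List[Dict] = [
    {   # MSI install finished, run under a privileged account
        "@timestamp": "2023-03-01T14:02:11.000Z",
        "host": {"name": "WKS-0412"},
        "winlog": {"channel": "Application", "provider_name": "MsiInstaller"},
        "event": {"code": "11707"},
        "user": {"name": "jdoe-adm", "domain": "CORP"},
        "message": "Product: 7-Zip 22.01 (x64 edition) -- Installation completed successfully.",
    },
    {   # Installer executable launched, Security 4688
        "@timestamp": "2023-03-01T14:05:40.000Z",
        "host": {"name": "WKS-0412"},
        "winlog": {"channel": "Security", "provider_name": "Microsoft-Windows-Security-Auditing"},
        "event": {"code": "4688"},
        "user": {"name": "jdoe-adm", "domain": "CORP"},
        "process": {
            "name": "npp.8.5.Installer.x64.exe",
            "executable": "C:\\Users\\jdoe\\Downloads\\npp.8.5.Installer.x64.exe",
        },
    },
    {   # Ordinary process start by a normal user; must not match
        "@timestamp": "2023-03-01T14:06:02.000Z",
        "host": {"name": "WKS-0412"},
        "winlog": {"channel": "Security", "provider_name": "Microsoft-Windows-Security-Auditing"},
        "event": {"code": "4688"},
        "user": {"name": "jdoe", "domain": "CORP"},
        "process": {"name": "notepad.exe", "executable": "C:\\Windows\\System32\\notepad.exe"},
    },
    {   # Logon event; irrelevant to this search
        "@timestamp": "2023-03-01T13:58:00.000Z",
        "host": {"name": "WKS-0412"},
        "winlog": {"channel": "Security", "provider_name": "Microsoft-Windows-Security-Auditing"},
        "event": {"code": "4624"},
        "user": {"name": "jdoe", "domain": "CORP"},
    },
]


def build_kql() -> str:
    """KQL for Kibana Discover expressing the same two signals (field names assumed)."""
    return (
        '(winlog.provider_name : "MsiInstaller" and event.code : "11707") or '
        '(event.code : "4688" and (process.name : "msiexec.exe" '
        'or process.name : *setup* or process.name : *install*))'
    )


def is_install_event(ev: Dict) -> bool:
    """True if the event indicates software being installed (see module docstring)."""
    code = ev.get("event", {}).get("code")
    if code == "11707" and ev.get("winlog", {}).get("provider_name") == "MsiInstaller":
        return True
    if code == "4688":
        name = ev.get("process", {}).get("name", "").lower()
        return name == "msiexec.exe" or "setup" in name or "install" in name
    return False


def find_installers(events: List[Dict]) -> List[Dict]:
    """Return one record per install event: when, where, which account, and what."""
    hits = []
    for ev in events:
        if not is_install_event(ev):
            continue
        user = ev.get("user", {})
        proc = ev.get("process", {})
        hits.append({
            "timestamp": ev["@timestamp"],
            "host": ev["host"]["name"],
            "user": f'{user.get("domain", "")}\\{user.get("name", "?")}',
            "what": ev.get("message") or proc.get("executable", "?"),
        })
    return sorted(hits, key=lambda h: h["timestamp"])


if __name__ == "__main__":
    print("KQL:", build_kql())
    for hit in find_installers(SAMPLE_EVENTS):
        print(f'{hit["timestamp"]} {hit["host"]} {hit["user"]}: {hit["what"]}')
```

The 11707 event is the more reliable of the two, because it only fires when an MSI package actually completes; 4688 catches non-MSI installers but depends on process-creation auditing being turned on and on a filename pattern that you will have to adjust. In Kibana, adding `user.name` and `host.name` as columns to the Discover view, or building a terms aggregation on `user.name`, gives the per-account list the question asks for.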