Hi folks, I'm very new to Elk and am attempting to help our Information Security office with a few tasks. Per our Information Security Office, applications must be approved prior to being installed on a computer. Unfortunately sometimes staff, or one of our users who have admin permissions, will install an unapproved app to Program files. Could someone please help me create a search string that can be used to find the person who entered their admin/privileged account to install something? Thanks in advance.
Welcome to our community! 
This will entirely depend on what data you are storing in Elasticsearch and from what sources.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.