Alerting

Is it possible to create an alert in Splunk Enterprise if a command is run in CMD?

rodiers01
New Member

Is it possible in Splunk Enterprise to create an alert if someone were to run a command in MS-DOS?

Specifically I'm looking to create an alert if this command below is run in CMD

auditpol /clear /y

This is something a malicious actor would do so that auditing is turned off on the machine and then they can go about their business.

Thanks for any input

0 Karma

wenthold
Communicator

I believe you want to enable command line logging in Windows.

MS Docs on command line logging

0 Karma
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...