@acfecondo75 , @PavelP Thank you, your answers are very interesting! I have a question in addition: how to modify Splunk rule "Audit - Anomalous Audit Trail Activity Detected - Rule" so that it takes the shutdown event into consideration? This rule uses Audit model and stats and no other EventIds are listed.

```
| from datamodel:"Change"."Auditing_Changes" | where ('action'="cleared" OR 'action'="stopped") | stats max(_time) as "lastTime",latest(_raw) as "orig_raw",count by "dest","result" | rename "result" as "signature"
```
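One way to extend the search so that an event-log shutdown is also counted, as an added example that is not part of the original post or of the Enterprise Security rule: the rule above only matches the `action` values `cleared` and `stopped`, so a shutdown of the logging service is dropped by the `where` clause. The value `shutdown` for `action` and the use of `result_id` as the carrier of the Windows Event ID are assumptions here; check what your add-on actually maps the shutdown event to (Windows logs "The event logging service has shut down" as Event ID 1100) with a quick `| tstats count from datamodel=Change.Auditing_Changes by action, result_id` before relying on either value.

```spl
| from datamodel:"Change"."Auditing_Changes"
| where ('action'="cleared" OR 'action'="stopped"
         OR 'action'="shutdown"           /* assumed action value for the shutdown event */
         OR 'result_id'="1100")           /* assumed: Event ID 1100 = event logging service shut down */
| stats max(_time) as "lastTime", latest(_raw) as "orig_raw", count by "dest","result"
| rename "result" as "signature"
```

Adding the Event ID match as a second condition keeps the rule working even if the add-on leaves `action` empty for the shutdown record, while the original `cleared`/`stopped` logic is unchanged, so existing correlation results stay comparable.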