Is it possible in Splunk Enterprise to create an alert if someone were to run a command in MS-DOS?
Specifically, I'm looking to create an alert if this command below is run in CMD:
auditpol /clear /y
This is something a malicious actor would do so that auditing is turned off on the machine and then they can go about their business.
Thanks for any input
I believe you want to enable command line logging in Windows.
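To make that concrete, here is an added example of the Windows-side setup the answer refers to, plus the search you would save as the Splunk alert. This is not code from the question or the answer above; it assumes the host forwards the Security event log to Splunk (for example with the Universal Forwarder and the Splunk Add-on for Microsoft Windows), and the index, sourcetype and field names in the search are assumptions you must adjust to your own deployment. Run it in an elevated PowerShell prompt.

```powershell
# Added example (not from the original post or answer): enable process-creation
# auditing with command lines on a Windows host, verify the 'auditpol /clear /y'
# event is actually recorded, and then alert on it in Splunk. Run as Administrator.
# Assumption: the Security log is forwarded to Splunk; index/sourcetype/field
# names below are assumed and must be adjusted to your environment.

# 1. Turn on auditing for the Process Creation subcategory (Event ID 4688).
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable

# 2. Make Windows include the full command line in 4688 events. Without this the
#    event only names the executable (auditpol.exe), not the "/clear /y" arguments,
#    so the alert could not tell a harmless 'auditpol /get' from a '/clear'.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Confirm both settings took effect before relying on them.
auditpol /get /subcategory:"Process Creation"
Get-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled'

# 4. Check locally that the command shows up at all. The 4688 event is written when
#    auditpol.exe starts, i.e. before it clears the policy, which is why the event
#    survives even though the policy is about to be wiped. The policy change itself
#    normally also produces Event ID 4719 (system audit policy was changed).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 500 |
    Where-Object { $_.Message -match 'auditpol(\.exe)?\s+/clear' } |
    Select-Object TimeCreated, Message

# 5. Splunk search to save as the alert (assumed index, sourcetype and field name;
#    check what your Windows add-on actually extracts the command line into):
#
#    index=wineventlog sourcetype=XmlWinEventLog EventCode=4688 Process_Command_Line="*auditpol*"
#    | regex Process_Command_Line="(?i)auditpol(\.exe)?\s+/clear"
#    | table _time, host, user, Process_Command_Line
#
#    Schedule it as a real-time or frequent cron alert; because a successful
#    'auditpol /clear' stops further audit events from that host, a second useful
#    alert is "host that was sending 4688 events and suddenly stopped".
```

One caveat worth keeping in mind: the registry value and the subcategory setting can both be reverted by Group Policy on the next refresh, so in a domain the same two settings should be set in the GPO (Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration, and Administrative Templates > System > Audit Process Creation) rather than only on the local machine.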