
Hi guys,

I wrote a query that monitors for abnormal computer names joining my organization network. I had some success with those queries, but they still return some false positives for me. How can I improve it?

| process eval("is_abnormal_computer_name = (machine != like('Computer_Name') AND machine != like('Computer_Name') AND machine != like('Computer_Name') AND machine != like('Computer_Name'))")
| process eval("is_abnormal_computer_name !=  like(machine, '^(name|name|name|name).*')")
I want the query to return the computer names that are abnormal.
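One way to test the matching logic outside the query language, as an added example that is not from the original post: the naming-convention prefixes and the sample events are constructed, and the check is anchored and case-insensitive with any domain suffix stripped, since unanchored or case-sensitive patterns and FQDN-versus-short-name mismatches are typical sources of the false positives described above.

```python
import re

# Constructed naming conventions for illustration (the original post uses
# placeholders such as 'Computer_Name' and 'name'); each entry is a prefix
# an authorised host name is expected to start with.
APPROVED_PREFIXES = ["WS-", "LT-", "SRV-", "VDI-"]

# Anchored (^ ... $) so that a prefix appearing mid-name does not match, and
# case-insensitive so that "ws-0042" is not flagged merely for its casing.
_APPROVED_RE = re.compile(
    r"^(?:" + "|".join(re.escape(p) for p in APPROVED_PREFIXES) + r")[A-Z0-9-]+$",
    re.IGNORECASE,
)


def normalize_machine(machine: str) -> str:
    """Strip surrounding whitespace and a trailing domain suffix so that an
    FQDN such as 'ws-0042.corp.example' is compared as 'ws-0042'."""
    return machine.strip().split(".", 1)[0]


def is_abnormal_computer_name(machine: str) -> bool:
    """True when the host name matches none of the approved naming conventions."""
    return _APPROVED_RE.fullmatch(normalize_machine(machine)) is None


def abnormal_machines(events: list[dict]) -> list[str]:
    """Return the abnormal machine names in a batch of parsed events, in order
    of first appearance and without duplicates."""
    seen: list[str] = []
    for ev in events:
        machine = ev.get("machine", "")
        if machine and is_abnormal_computer_name(machine) and machine not in seen:
            seen.append(machine)
    return seen


# Constructed sample events standing in for parsed domain-join / logon records.
SAMPLE_EVENTS = [
    {"machine": "WS-0042", "user": "alice"},
    {"machine": "ws-0043.corp.example", "user": "bob"},  # FQDN, lower-case: normal
    {"machine": "DESKTOP-K3J9Q2", "user": "carol"},      # factory default name
    {"machine": "SRV-DC01", "user": "svc_backup"},
    {"machine": "myhomepc", "user": "dave"},             # unmanaged device
    {"machine": "XWS-0044", "user": "erin"},             # prefix not at the start
]

if __name__ == "__main__":
    for m in abnormal_machines(SAMPLE_EVENTS):
        print("abnormal computer name:", m)
```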
