Comments
-
Thanks! I had to change the query to the following: select alertname, lasterrortime, lasterror from AlertDefinitions where lasterror is Not NULL order by lasterrortime desc
-
The 'Kill Suspicious Process' works fine indeed... Just make sure the 'Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit Process Tracking' option is enabled in GPO for the machine(s) on which you want to activate the rule.
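A quick way to confirm that prerequisite before enabling the rule, as an added example that is not part of either comment above: the legacy "Audit process tracking" setting corresponds to the "Detailed Tracking" category in auditpol, and the "Process Creation" subcategory is the one that generates the 4688 events a process-watching rule depends on. The script is assumed to run in an elevated PowerShell session, since auditpol needs administrative rights.

```powershell
# Added example (not from the original comments): check whether process creation
# auditing is turned on for this machine before relying on a process-based rule.
# "Audit process tracking" (legacy policy) = auditpol category "Detailed Tracking";
# its "Process Creation" subcategory produces Security event ID 4688.
$output = auditpol /get /subcategory:"Process Creation" 2>&1

# auditpol prints a table; pick out the row for the subcategory we asked about.
$row = $output | Where-Object { $_ -match 'Process Creation' }

if (-not $row) {
    Write-Warning "Could not read audit policy (run this from an elevated prompt)."
}
elseif ($row -match 'Success') {
    Write-Output "Process Creation auditing is enabled (Success) - the rule can fire."
}
else {
    Write-Output "Process Creation auditing is NOT enabled - enable Audit Process Tracking in GPO first."
}
```

If the check reports "No Auditing", the GPO setting the commenter mentions has not reached the machine yet; run gpupdate /force and re-check before assuming the rule itself is broken.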