Query not matching Alerts

[CameronWP]

Hi:

I have a query that is working fine as a dashboard but when I set it as an alert it isn't accurate. Here is the query:

EventID: 7045 and ((ServiceName: "WCESERVICE" or ServiceName: "WCE SERVICE") or (ImagePath: "PSExec") or (ImagePath: "winexesvc.exe") or (ImagePath: "DumpSvc.exe") or (ServiceName: "mssecsvc2.0") or (ImagePath: " *net user * ") or (ServiceName: "pwdump" or ServiceName: "gsecdump" or ServiceName: "cachedump"))

It tests fine in the dashboard and has no hits. When I set the alert it returns almost 60000 results in a 5 minute check window.

Thanks!

[cdienger]

Which version of NLS is this? Does it return proper results if you make a new alert from the dashboard? It is possible to edit the alert query so that it actually is running something differing from the dashboard query(changes to the alert query don't get pushed to the dashboard query).

Please provide screenshots showing the query and filters on the dashboard as well as a screenshot of the alert settings and query if the above doesn't help fix things.

[CameronWP]

Thanks for the reply. I used filters rather then how I was doing it and it worked fine. Thanks!

[cdienger]

Thanks for the update!