WMI Permanent Event Subscription

Description

This search looks for the creation of WMI permanent event subscriptions.

WMI Permanent Event Subscription Help

To successfully implement this search, you must be ingesting the Windows WMI activity logs. To do this, add a stanza titled [WinEventLog://Microsoft-Windows-WMI-Activity/Operational] to inputs.conf on the system generating the logs.
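One way to confirm that prerequisite on a host, as an added example that is not part of the original page or of the product: a small Python check that reads the text of a single inputs.conf file and reports whether the WMI-Activity stanza is present and enabled. The function names and the sample file contents are constructed for illustration, and treating a stanza with no "disabled" key as enabled is an assumption of this example.

```python
# Added example (not from the original page): verify that one inputs.conf
# file carries an enabled stanza for the WMI-Activity operational channel.
WMI_STANZA = "WinEventLog://Microsoft-Windows-WMI-Activity/Operational"

# Constructed sample input, not taken from a real host.
SAMPLE_CONF = """\
# constructed sample inputs.conf
[WinEventLog://Security]
disabled = 0

[WinEventLog://Microsoft-Windows-WMI-Activity/Operational]
disabled = 0
"""

def parse_stanzas(conf_text):
    """Parse .conf text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out stanzas do not count
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def wmi_input_status(conf_text):
    """Return 'missing', 'disabled' or 'enabled' for the WMI-Activity stanza."""
    settings = parse_stanzas(conf_text).get(WMI_STANZA)
    if settings is None:
        return "missing"
    # Assumption: no 'disabled' key means the input is enabled.
    disabled = settings.get("disabled", "0").lower()
    return "disabled" if disabled in ("1", "true") else "enabled"

if __name__ == "__main__":
    print(wmi_input_status(SAMPLE_CONF))
```

The check looks at one file only; it does not merge settings layered across several copies of inputs.conf.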
