WMI Permanent Event Subscription
This search looks for the creation of WMI permanent event subscriptions.
WMI Permanent Event Subscription Help
To successfully implement this search, you must be ingesting the Windows WMI activity logs. To do this, add a stanza titled [WinEventLog://Microsoft-Windows-WMI-Activity/Operational] to inputs.conf on the system generating the logs.
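The following Python sketch is an added example, not the search shipped with this page. It shows the kind of filtering such a detection performs once the WMI-Activity/Operational log is ingested. It assumes that Event ID 5861 records a permanent filter-to-consumer binding, that the message uses the "Namespace = ...; Eventfilter = ...; Consumer = ...; PossibleCause = ..." layout, and that the stock "SCM Event Log Consumer" binding is benign; the dictionary keys, host names and sample events are constructed for illustration.

```python
import re

# Assumption: Event ID 5861 in Microsoft-Windows-WMI-Activity/Operational is
# written when a permanent filter-to-consumer binding is registered.
BINDING_EVENT_ID = 5861
# Assumption: this binding exists on stock Windows and is treated as known-good.
BASELINE_CONSUMERS = {'NTEventLogEventConsumer="SCM Event Log Consumer"'}

def parse_binding(message):
    """Split the 'Key = value;' header that precedes PossibleCause into a dict."""
    head = message.split("PossibleCause", 1)[0]
    fields = {}
    for part in head.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def find_subscriptions(events, baseline=BASELINE_CONSUMERS):
    """Return binding events whose consumer is not in the known-good baseline."""
    findings = []
    for ev in events:
        if ev.get("EventCode") != BINDING_EVENT_ID:
            continue
        fields = parse_binding(ev.get("Message", ""))
        consumer = fields.get("consumer")  # None when the message did not parse
        if consumer in baseline:
            continue
        # Drop the trailing "(refer to its activate eventid:...)" hint.
        event_filter = re.sub(r"\s*\(refer to.*\)\s*$", "", fields.get("eventfilter", ""))
        findings.append({"host": ev.get("ComputerName"), "namespace": fields.get("namespace"),
                         "filter": event_filter or None, "consumer": consumer})
    return findings

# Constructed sample events (not real logs); names and hosts are placeholders.
_MSG = ("Namespace = //./root/subscription; Eventfilter = {f} (refer to its activate "
        "eventid:5859); Consumer = {c}; PossibleCause = Binding EventFilter: ...")
SAMPLE_EVENTS = [
    {"EventCode": 5861, "ComputerName": "ws01.example.test",
     "Message": _MSG.format(f="SCM Event Log Filter", c='NTEventLogEventConsumer="SCM Event Log Consumer"')},
    {"EventCode": 5861, "ComputerName": "ws02.example.test",
     "Message": _MSG.format(f="ExampleFilter", c='CommandLineEventConsumer="ExampleConsumer"')},
    {"EventCode": 5857, "ComputerName": "ws02.example.test", "Message": "provider started"},
    {"EventCode": 5861, "ComputerName": "ws03.example.test", "Message": ""},  # unparseable
]

if __name__ == "__main__":
    for finding in find_subscriptions(SAMPLE_EVENTS):
        print(finding)
```

Binding events whose message cannot be parsed are reported with a consumer of None rather than dropped, so a format change does not silently hide a new subscription.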