WMI Permanent Event Subscription
This search looks for the creation of WMI permanent event subscriptions.
WMI Permanent Event Subscription Help
To implement this search, you must be ingesting the Windows WMI activity logs. To do so, add a stanza titled [WinEventLog://Microsoft-Windows-WMI-Activity/Operational] to inputs.conf on the system generating the logs.
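The following is an added example, not part of the original content and not the search itself: Python detection logic that picks subscription bindings out of events from this log. It assumes a binding is recorded as event ID 5861 with a `Namespace = ...; Eventfilter = ...; Consumer = ...` message; that layout, the allowlist entry, and all sample events are assumptions constructed for illustration.

```python
import re

BINDING_EVENT_ID = 5861  # assumed: filter-to-consumer binding event in WMI-Activity/Operational
# Assumed message layout: "Namespace = ...; Eventfilter = ...; Consumer = ...; PossibleCause = ..."
FIELD_RE = re.compile(r"\b(Namespace|Eventfilter|Consumer)\s*=\s*([^;]+)")
# Hypothetical allowlist: a binding commonly present on default Windows installs.
ALLOWLIST = {'NTEventLogEventConsumer="SCM Event Log Consumer"'}

# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"host": "ws01", "EventCode": 5861, "Message": 'Namespace = //./root/subscription; '
     'Eventfilter = SCM Event Log Filter (refer to its activate eventid:5859); '
     'Consumer = NTEventLogEventConsumer="SCM Event Log Consumer"; PossibleCause = Binding EventFilter'},
    {"host": "ws02", "EventCode": 5861, "Message": 'Namespace = //./root/subscription; '
     'Eventfilter = ExampleFilter (refer to its activate eventid:5859); '
     'Consumer = CommandLineEventConsumer="ExampleConsumer"; PossibleCause = Binding EventFilter'},
    {"host": "ws02", "EventCode": 5857, "Message": "unrelated WMI activity (constructed)"},
    {"host": "ws03", "EventCode": 5861, "Message": "Namespace = //./root/subscription"},  # truncated
]

def parse_binding(message):
    """Return the first Namespace/Eventfilter/Consumer values found in a binding message."""
    fields = {}
    for key, value in FIELD_RE.findall(message):
        fields.setdefault(key.lower(), value.strip())
    if "eventfilter" in fields:  # drop the trailing "(refer to its activate eventid:...)" hint
        fields["eventfilter"] = re.sub(r"\s*\(refer to.*\)$", "", fields["eventfilter"])
    return fields

def find_subscriptions(events, allowlist=ALLOWLIST):
    """Report every binding event whose consumer is not allowlisted."""
    findings = []
    for ev in events:
        if int(ev.get("EventCode", 0)) != BINDING_EVENT_ID:
            continue
        fields = parse_binding(ev.get("Message", ""))
        consumer = fields.get("consumer")
        if consumer in allowlist:
            continue
        # Events with no parsable consumer are surfaced, not dropped, so they get reviewed.
        kind, _, name = (consumer or "").partition("=")
        findings.append({"host": ev.get("host", ""), "consumer_class": kind or "unparsed",
                         "consumer_name": name.strip('"'),
                         "filter": fields.get("eventfilter", ""),
                         "namespace": fields.get("namespace", "")})
    return findings

if __name__ == "__main__":
    for finding in find_subscriptions(SAMPLE_EVENTS):
        print(finding)
```
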