Elastic Windows Event Explorer


Publisher - Microsoft-Windows-WMI-Activity

Event ID 11

Message:

CorrelationId = %{CorrelationId}; GroupOperationId = %{GroupOperationId}; OperationId = %{OperationId}; Operation = %{Operation}; ClientMachine = %{ClientMachine}; User = %{User}; ClientProcessId = %{ClientProcessId}; NamespaceName = %{ClientProcessCreationTime}

Event Data:

#   Name                       In Type            Out Type
1   CorrelationId              win:UnicodeString  xs:string
2   GroupOperationId           win:UInt32         xs:unsignedInt
3   OperationId                win:UInt32         xs:unsignedInt
4   Operation                  win:UnicodeString  xs:string
5   ClientMachine              win:UnicodeString  xs:string
6   ClientMachineFQDN          win:UnicodeString  xs:string
7   User                       win:UnicodeString  xs:string
8   ClientProcessId            win:UInt32         xs:unsignedInt
9   ClientProcessCreationTime  win:UInt64         xs:unsignedLong
10  NamespaceName              win:UnicodeString  xs:string
11  IsLocal                    win:Boolean        xs:boolean

Observed Windows Versions:

Version: 0

Fingerprint: XT4WEGO2TND3W