Elastic Windows Event Explorer


Publisher - Microsoft-Windows-WMI-Activity

Event ID 23

Message:

CorrelationId = %{CorrelationId}; GroupOperationId = %{GroupOperationId}; OperationId = %{OperationId}; Commandline= %{Commandline}; CreatedProcessId = %{CreatedProcessId}; ClientMachine = %{CreatedProcessCreationTime}; User = %{ClientMachineFQDN}; ClientProcessId = %{User}

Event Data:

#    Name                        In Type             Out Type
1    CorrelationId               win:UnicodeString   xs:string
2    GroupOperationId            win:UInt32          xs:unsignedInt
3    OperationId                 win:UInt32          xs:unsignedInt
4    Commandline                 win:UnicodeString   xs:string
5    CreatedProcessId            win:UInt32          xs:unsignedInt
6    CreatedProcessCreationTime  win:UInt64          xs:unsignedLong
7    ClientMachine               win:UnicodeString   xs:string
8    ClientMachineFQDN           win:UnicodeString   xs:string
9    User                        win:UnicodeString   xs:string
10   ClientProcessId             win:UInt32          xs:unsignedInt
11   ClientProcessCreationTime   win:UInt64          xs:unsignedLong
12   IsLocal                     win:Boolean         xs:boolean

Observed Windows Versions:

Version: 0

Fingerprint: ZKNNQSEKNUNOY