Closed HarishHary closed 3 years ago
Their might be a mismatch between 2 log definition related to WMI events.
For example: Sysmon EventID: 20
Sysmon EventID: 20
https://github.com/OTRF/OSSEM/blob/a47073b4a9fd51198880d87976d589fde9b03e1f/source/data_dictionaries/windows/sysmon/events/event-20.yml
WMI EventID: 5861 https://github.com/OTRF/OSSEM/blob/a47073b4a9fd51198880d87976d589fde9b03e1f/source/data_dictionaries/windows/etw-providers/Microsoft-Windows-WMI-Activity/events/event-5861.yml
WMI EventID: 5861
wmi_consumer_type vs CONSUMER wmi_consume_name vs ESS
wmi_consumer_type
CONSUMER
wmi_consume_name
ESS
We might need to extract and modify fields from the built-in. But I believe that most of the info are present on the EventID: 5861. Was it done on purpose?
EventID: 5861
Their might be a mismatch between 2 log definition related to WMI events.
For example:
Sysmon EventID: 20https://github.com/OTRF/OSSEM/blob/a47073b4a9fd51198880d87976d589fde9b03e1f/source/data_dictionaries/windows/sysmon/events/event-20.yml
WMI EventID: 5861https://github.com/OTRF/OSSEM/blob/a47073b4a9fd51198880d87976d589fde9b03e1f/source/data_dictionaries/windows/etw-providers/Microsoft-Windows-WMI-Activity/events/event-5861.ymlwmi_consumer_typevsCONSUMERwmi_consume_namevsESSWe might need to extract and modify fields from the built-in. But I believe that most of the info are present on the
EventID: 5861. Was it done on purpose?