Query Details

WMI Event Consumer

Query

Query:

DeviceEvents
| where ActionType == 'WmiBindEventFilterToConsumer'
| where AdditionalFields !contains "SCM Event Log Filter" and AdditionalFields !contains "CCM_PolicyReplicationConsumer"
| extend parsed = parse_json(AdditionalFields)
| where parsed.Namespace == @"//./root/subscription"
    and parsed.PossibleCause !contains @"Win32_Processor"
    and parsed.Ess != @"DellCommandPowerManagerAlertEventFilter"
    and parsed.Ess != @"DellCommandPowerManagerPolicyChangeEventFilter"

Explanation

This query hunts the DeviceEvents table for new Windows Management Instrumentation (WMI) permanent event subscriptions: the filter-to-consumer bindings that attackers use for fileless persistence (an event filter fires on a trigger such as a timer, a logon or a process start, and the bound consumer runs a command or script). Step by step:

  1. Filter for the action: keep only events whose ActionType is 'WmiBindEventFilterToConsumer', i.e. a binding was created between a WMI event filter and an event consumer.
  2. Drop known-benign bindings by substring: exclude any event whose AdditionalFields contains "SCM Event Log Filter" (the binding Windows ships with by default) or "CCM_PolicyReplicationConsumer" (the Configuration Manager client). Note that !contains is case-insensitive and matches anywhere in the AdditionalFields blob.
  3. Parse the JSON: AdditionalFields is parsed with parse_json() so that its individual properties can be compared.
  4. Filter on the parsed properties:
    • keep only bindings in the "//./root/subscription" namespace, where permanent subscriptions live;
    • exclude bindings whose PossibleCause mentions "Win32_Processor" (hardware-monitoring filters);
    • exclude bindings whose Ess property (the event filter name in these events) is exactly "DellCommandPowerManagerAlertEventFilter" or "DellCommandPowerManagerPolicyChangeEventFilter" (Dell Command | Power Manager). Unlike !contains, == and != are exact, case-sensitive comparisons in KQL, so the same vendor filter with different casing would not be excluded.

The result is a short list of bindings to triage rather than an alert on its own. Two caveats for anyone reusing it: the substring exclusions in step 2 apply to the whole AdditionalFields value, so any binding whose filter or consumer name merely contains an excluded string is dropped too, and most environments will need a few additions of their own to the allowlist. For each hit, check what the bound consumer does (a CommandLineEventConsumer or ActiveScriptEventConsumer that launches a script host or PowerShell is the classic persistence pattern) and which process created the binding.
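As an added example that is not part of the original page or the author's query, the same where-clauses are re-implemented below in Python and run over constructed sample DeviceEvents rows, so you can see which exclusion catches each binding and which rows would reach an analyst. Only the field names the query itself touches (ActionType, AdditionalFields, Namespace, Ess, PossibleCause) are taken from the page; the "Consumer" key and every row value are made up for the demonstration.

```python
import json

# Constructed sample DeviceEvents rows, not real Defender telemetry. Only the
# field names the page's query touches (ActionType, AdditionalFields, Namespace,
# Ess, PossibleCause) come from the query; "Consumer" is an assumed extra key.
def make_row(ess, consumer, namespace="//./root/subscription", cause=""):
    return {
        "ActionType": "WmiBindEventFilterToConsumer",
        "AdditionalFields": json.dumps({
            "Namespace": namespace,
            "Ess": ess,
            "Consumer": consumer,
            "PossibleCause": cause,
        }),
    }

SAMPLE_EVENTS = [
    make_row("SCM Event Log Filter", "SCM Event Log Consumer"),                 # Windows default
    make_row("CCM_PolicyReplicationFilter", "CCM_PolicyReplicationConsumer"),   # ConfigMgr client
    make_row("DellCommandPowerManagerAlertEventFilter", "DellAlertConsumer"),   # Dell software
    make_row("CpuLoadFilter", "CpuLoadConsumer", cause="SELECT * FROM Win32_Processor"),
    make_row("UpdaterFilter", "CommandLineEventConsumer: powershell.exe -w hidden"),  # the hit
    make_row("UpdaterFilter", "CommandLineEventConsumer", namespace="//./root/cimv2"),
    make_row("dellcommandpowermanageralerteventfilter", "DellAlertConsumer"),   # casing differs
    make_row("SCM Event Log Filter 2", "CommandLineEventConsumer: wscript.exe"),  # hides in allowlist
    {"ActionType": "WmiBindEventFilterToConsumer", "AdditionalFields": "not json"},
]

RAW_EXCLUSIONS = ("SCM Event Log Filter", "CCM_PolicyReplicationConsumer")
BENIGN_FILTER_NAMES = frozenset({
    "DellCommandPowerManagerAlertEventFilter",
    "DellCommandPowerManagerPolicyChangeEventFilter",
})
SUBSCRIPTION_NAMESPACE = "//./root/subscription"


def kql_contains(haystack, needle):
    """KQL `contains` / `!contains`: substring match, case-insensitive."""
    return needle.lower() in str(haystack or "").lower()


def is_suspicious_binding(event):
    """Mirror the query's where-clauses for one DeviceEvents row."""
    if event.get("ActionType") != "WmiBindEventFilterToConsumer":
        return False
    raw = event.get("AdditionalFields") or ""
    # Step 2: substring exclusions over the whole AdditionalFields blob.
    if any(kql_contains(raw, s) for s in RAW_EXCLUSIONS):
        return False
    # Step 3: parse_json(); KQL yields null on bad JSON, so the == below fails.
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError:
        return False
    if not isinstance(parsed, dict):
        return False
    # Step 4: == and != on strings are exact and case-sensitive in KQL.
    if parsed.get("Namespace") != SUBSCRIPTION_NAMESPACE:
        return False
    if kql_contains(parsed.get("PossibleCause"), "Win32_Processor"):
        return False
    if parsed.get("Ess") in BENIGN_FILTER_NAMES:
        return False
    return True


def hunt(events):
    """Return the rows the query would surface, for analyst triage."""
    return [e for e in events if is_suspicious_binding(e)]


def flagged_filter_names(events):
    """Event filter (Ess) names of the surfaced rows."""
    return [json.loads(e["AdditionalFields"])["Ess"] for e in hunt(events)]


if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        fields = json.loads(row["AdditionalFields"])
        print(f"{fields['Ess']:45} -> {fields['Consumer']}")
```

Running it surfaces two rows: the PowerShell-launching "UpdaterFilter" binding and the lower-cased Dell filter, which the exact != comparison does not recognise as the allowlisted name. The constructed "SCM Event Log Filter 2" binding, on the other hand, is silently dropped because the blob-wide !contains exclusion matches part of its name. If you tune this query for your own environment, exclusions that compare the parsed Ess and consumer fields exactly are tighter than substring matches over the whole AdditionalFields value.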

Details

Ali Hussein

Released: October 11, 2023

Tables

DeviceEvents

Keywords

DeviceEvents

Operators

DeviceEvents, |, where, ==, !contains, extend, =, parse_json, and, !=