CylanceOPTICS WMI-based detection events
These events occur when a detection event that includes a Windows Management Instrumentation (WMI) process artifact is triggered. Note that some fields (for example, Instigating Process Command Line and Operation) carry command line or WMI operation values that can themselves include commas and colons, so a parser that simply splits the message on "," or ":" will break those values into the wrong fields.
BlackBerry recommends that you review and test the parsing of these values by your SIEM or syslog server.
Consumer Text
This is the text associated with a WMI event. This is typically the command to be executed.
Consumer Text Length
This is the length of the observed consumer text field.
Description
This is the name of the detection rule that was triggered.
Detection Rule Id
This is the unique detection rule ID.
Device Id
This is the unique ID of the device.
Device Last Reported Users
These are the last reported users of the device.
Device Name
This is the name of the device that the detection event occurred on.
Event Id
This is the unique ID of the detection event.
Event Name
This is the name of the event. For these events it identifies a detection event that involved a WMI connection (OpticsCaeWmiEvent in the example message below).
Event Received Timestamp
This is the timestamp of when the event was received by
Event Timestamp
This is the timestamp of the event that occurred on the device.
Event Type
This is the type of the event. For these events it identifies a detection event that involved a WMI connection (OpticsCaeWmiEvent in the example message below).
Instigating Process Command Line
This is the command line that was used to start the instigating process.
Instigating Process File Path
This is the file path of the instigating process executable.
Instigating Process ImageFileSha256
This is the SHA256 hash of the process that instigated the action.
Instigating Process Name
This is the name of the process that instigated the action.
Instigating Process Owner
This is the user that owns the process that instigated the action.
Operation
This is the WMI operation that was executed. This is typically a binding creation, a filter creation, or a consumer creation.
Operation Length
This is the length of the observed operation field.
Severity
This is the severity of the event (Medium in the example message below).
Zone Ids
This is a list of zone IDs that the device belonged to at the time of the event.
Zone Names
These are the names of the zones that the device belongs to.
Example message for WMI-based detection events
Event Type: OpticsCaeWmiEvent, Event Name: OpticsCaeWmiEvent, Device Name: JEFWILLIAMS-1, Zone Names: (JeffTesting,Jeff_3.0), Event Id: 9fa208e5-779d-40b1-b4e2-44c330600396, Severity: Medium, Description: SYSLOG detections - Looking for WmiTrace select, Instigating Process Name: WmiPrvSE.exe, Instigating Process Owner: NT AUTHORITY//NETWORK SERVICE, Instigating Process ImageFileSha256: B5C78BEF3883E3099F7EF844DA1446DB29107E5C0223B97F29E7FAFAB5527F15, Event Timestamp: 2022-06-28T18:09:55.613Z, Event Received Timestamp: 2022-06-28T18:09:57Z, Device Last Reported Users: (RIMNET\jefwilliams), Zone Ids: (F568A8A8E401470282C1FE98FDD1703C,24362CB3F25D4EB59C03FD6E3800C20E), Detection Rule Id: f83b1ac8-b966-4297-be47-bb893bf23f2d, Instigating Process Command Line: C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding, Instigating Process File Path: c:\windows\system32\wbem\wmiprvse.exe, Consumer Text: None, Consumer Text Length: 0, Operation: Start IWbemServices::CreateInstanceEnum - root\Standardcimv2 : MSFT_NetIPAddress, Operation Length: 80, Device Id: c6246140-bba5-4c55-be02-77300bf91dbc
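The parsing caveat in the introduction (Operation and command line values contain commas and colons) and the example message above, worked as an added example; this is not BlackBerry's code and is not part of the original page. The parser uses the field names listed on this page as anchors instead of splitting on ", " or ":", and then uses the event's own Consumer Text Length and Operation Length fields to confirm that no value was truncated or re-split. The field list and the sample message are taken from this page (the sample keeps the spacing WmiPrvSE.exe is actually started with, "-secured -Embedding"); the treatment of the literal value "None" as an empty consumer text is an assumption drawn from the example, where it is paired with a length of 0.

```python
import re

# Field names as listed in the CylanceOPTICS WMI event reference above.
FIELDS = [
    "Event Type", "Event Name", "Device Name", "Zone Names", "Event Id",
    "Severity", "Description", "Instigating Process Name",
    "Instigating Process Owner", "Instigating Process ImageFileSha256",
    "Event Timestamp", "Event Received Timestamp",
    "Device Last Reported Users", "Zone Ids", "Detection Rule Id",
    "Instigating Process Command Line", "Instigating Process File Path",
    "Consumer Text", "Consumer Text Length", "Operation", "Operation Length",
    "Device Id",
]

# A field starts at the beginning of the message or after ", " and is a known
# name followed by ": ". Longest names first so "Operation Length" is never
# read as "Operation".
_KEY_RE = re.compile(
    r"(?:^|, )("
    + "|".join(re.escape(f) for f in sorted(FIELDS, key=len, reverse=True))
    + r"): "
)

# The example message from this page.
SAMPLE = (
    r"Event Type: OpticsCaeWmiEvent, Event Name: OpticsCaeWmiEvent, "
    r"Device Name: JEFWILLIAMS-1, Zone Names: (JeffTesting,Jeff_3.0), "
    r"Event Id: 9fa208e5-779d-40b1-b4e2-44c330600396, Severity: Medium, "
    r"Description: SYSLOG detections - Looking for WmiTrace select, "
    r"Instigating Process Name: WmiPrvSE.exe, "
    r"Instigating Process Owner: NT AUTHORITY//NETWORK SERVICE, "
    r"Instigating Process ImageFileSha256: "
    r"B5C78BEF3883E3099F7EF844DA1446DB29107E5C0223B97F29E7FAFAB5527F15, "
    r"Event Timestamp: 2022-06-28T18:09:55.613Z, "
    r"Event Received Timestamp: 2022-06-28T18:09:57Z, "
    r"Device Last Reported Users: (RIMNET\jefwilliams), "
    r"Zone Ids: (F568A8A8E401470282C1FE98FDD1703C,24362CB3F25D4EB59C03FD6E3800C20E), "
    r"Detection Rule Id: f83b1ac8-b966-4297-be47-bb893bf23f2d, "
    r"Instigating Process Command Line: C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding, "
    r"Instigating Process File Path: c:\windows\system32\wbem\wmiprvse.exe, "
    r"Consumer Text: None, Consumer Text Length: 0, "
    r"Operation: Start IWbemServices::CreateInstanceEnum - root\Standardcimv2 : MSFT_NetIPAddress, "
    r"Operation Length: 80, Device Id: c6246140-bba5-4c55-be02-77300bf91dbc"
)


def parse_wmi_event(message):
    """Parse one 'Key: Value, Key: Value' message into a dict.

    Splitting on ", " or ":" would break the Operation value (it contains
    "::" and " : ") and any command line, so the known field names are the
    anchors and everything between two anchors is the value.
    """
    matches = list(_KEY_RE.finditer(message))
    if not matches or matches[0].start() != 0:
        raise ValueError("message does not start with a known CylanceOPTICS field")
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(message)
        fields[m.group(1)] = message[m.end():end]
    return fields


def split_list(value):
    """Split a parenthesised list value such as '(JeffTesting,Jeff_3.0)'.
    The commas inside the parentheses separate items, not fields."""
    if value.startswith("(") and value.endswith(")"):
        value = value[1:-1]
    return [item for item in value.split(",") if item]


def check_lengths(fields):
    """Verify the parse with the length fields the event carries.

    Consumer Text Length and Operation Length state the length of the
    observed value, so a mismatch means the value was truncated or re-split
    upstream. Assumption from the page's example: "Consumer Text: None" is
    paired with "Consumer Text Length: 0", so the literal None is empty.
    """
    results = {}
    for name in ("Consumer Text", "Operation"):
        if name not in fields or name + " Length" not in fields:
            continue
        value = "" if fields[name] == "None" else fields[name]
        results[name] = len(value) == int(fields[name + " Length"])
    return results


if __name__ == "__main__":
    event = parse_wmi_event(SAMPLE)
    for key, value in event.items():
        print(f"{key} = {value}")
    print("zones:", split_list(event["Zone Names"]))
    print("length checks:", check_lengths(event))
```

Run the file directly to print the 22 parsed fields of the sample. A value that happened to contain a literal ", <known field>: " sequence would still be split at that point, which is why the length check is kept as the safety net; in a SIEM the equivalent is a field-name keyed extraction rule rather than a generic key/value tokenizer.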