
BlackBerry Optics
WMI-based detection events

These events occur when a Detection Event that includes a Windows Management Instrumentation (WMI) Process artifact is triggered.
| Field | Value | Description |
|---|---|---|
| Consumer Text | [varies] | Text (commonly the command to be executed) associated with a WMI event |
| Consumer Text Length | [varies] | Length of the observed Consumer Text field |
| Description | [varies] | Name of the Detection Rule that was triggered |
| Device Id | [varies] | Unique ID for the device |
| Device Name | [varies] | Name of the device on which the Detection Event occurred |
| Event Id | [varies] | Unique ID for the Detection Event |
| Event Name | OpticsCaeWmiEvent | Detection Event involved a WMI connection |
| Event Type | OpticsCaeWmiEvent | Detection Event involved a WMI connection |
| Instigating Process ImageFileSha256 | [varies] | SHA256 hash of the process that instigated the action |
| Instigating Process Name | [varies] | Name of the process that instigated the action |
| Instigating Process Owner | [varies] | User who owns the process that instigated the action |
| Operation | [varies] | WMI operation that was executed. Commonly a binding creation, a filter creation, or a consumer creation |
| Operation Length | [varies] | Length of the observed Operation field |
| Severity | [varies] | Severity of the event: High (a malicious event that requires immediate attention); Medium (a suspicious event that should be reviewed); Low (an important event, but may not be malicious); Info (an observed event) |
| Zone Names | [varies] | Zones that the device belongs to |
Example message for WMI-based detection events
```text
9/27/19 0:45:43 Syslog.Warning 10.6.27.126 1 2019-09-27T00:45:39.6710000Z sysloghost CylancePROTECT - - [Optics2.4SyslogTesting] Event Type: OpticsCaeWmiEvent, Event Name: OpticsCaeWmiEvent, Device Name: DEV-01, Zone Names: (Windows 10,10.45.*), Event Id: 65e46a05-181a-4d87-adef-b84f4732031a, Severity: Informational, Description: Basic WMI Permanent Subscriber Rule, Instigating Process Name: svchost.exe, Instigating Process Owner: NT AUTHORITY//SYSTEM, Instigating Process ImageFileSha256: 29F04D5F4B8D798038CB9647178A8B9C68E16DC50DA850937F6E993FC7967B75, Consumer Text: "E:\\\\Test.vbs";, Consumer Text Length: 17, Operation: Binding EventFilter: instance of __EventFilter{ CreatorSID = {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, Operation Length: 731, Device Id: 340d587c-1bbe-41d0-a330-24b12584fadc
```
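The message body is a run of `Key: value` pairs joined by `, `, but some values carry commas of their own (Zone Names, and the Operation text with its CreatorSID array), so a naive split on `, ` breaks them. The example below is added here and is not BlackBerry's code: it splits the body on the field names from the table above instead, peels off the syslog header, and compares the declared Consumer Text Length and Operation Length with the text actually logged. On the page's own example message the Consumer Text length matches (17), while the Operation text is far shorter than its declared length of 731, so the check reports it as truncated. The sample input is the page's example message embedded as a constructed test string; the header regex assumes the RFC 5424-like layout shown there (ISO timestamp, host, app name, `- -`, bracketed tag) and skips the collector's own prefix in front of it.

```python
"""Parse BlackBerry Optics OpticsCaeWmiEvent syslog messages into fields.

Added example, not BlackBerry's code. Field names come from the page's
table; the sample message is the page's example, embedded here as a
constructed test input.
"""
import re

# Field names from the table. They are used as split points because
# values (Zone Names, Operation) may themselves contain ", ".
FIELD_NAMES = [
    "Consumer Text", "Consumer Text Length", "Description", "Device Id",
    "Device Name", "Event Id", "Event Name", "Event Type",
    "Instigating Process ImageFileSha256", "Instigating Process Name",
    "Instigating Process Owner", "Operation", "Operation Length",
    "Severity", "Zone Names",
]

# Longest names first so "Consumer Text Length" is tried before "Consumer Text".
_FIELD_RE = re.compile(
    r"(?:^|, )("
    + "|".join(re.escape(n) for n in sorted(FIELD_NAMES, key=len, reverse=True))
    + r"): "
)

# Assumed header layout (as in the page's example):
#   <ISO timestamp>Z <host> <app> <procid> <msgid> [<tag>] <body>
# Anything before the ISO timestamp is the collector's prefix and is skipped.
_HEADER_RE = re.compile(
    r"(?P<timestamp>\d{4}-\d\d-\d\dT[\d:.]+Z) (?P<host>\S+) (?P<app>\S+) "
    r"\S+ \S+ \[(?P<tag>[^\]]*)\] "
)

# Constructed sample: the page's example message, split into pieces for readability.
SAMPLE = (
    r"9/27/19 0:45:43 Syslog.Warning 10.6.27.126 1 2019-09-27T00:45:39.6710000Z "
    r"sysloghost CylancePROTECT - - [Optics2.4SyslogTesting] "
    r"Event Type: OpticsCaeWmiEvent, Event Name: OpticsCaeWmiEvent, Device Name: DEV-01, "
    r"Zone Names: (Windows 10,10.45.*), Event Id: 65e46a05-181a-4d87-adef-b84f4732031a, "
    r"Severity: Informational, Description: Basic WMI Permanent Subscriber Rule, "
    r"Instigating Process Name: svchost.exe, Instigating Process Owner: NT AUTHORITY//SYSTEM, "
    r"Instigating Process ImageFileSha256: "
    r"29F04D5F4B8D798038CB9647178A8B9C68E16DC50DA850937F6E993FC7967B75, "
    r'Consumer Text: "E:\\\\Test.vbs";, Consumer Text Length: 17, '
    r"Operation: Binding EventFilter: instance of __EventFilter{ CreatorSID = "
    r"{1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, Operation Length: 731, "
    r"Device Id: 340d587c-1bbe-41d0-a330-24b12584fadc"
)


def parse_fields(body: str) -> dict:
    """Split a 'Key: value, Key: value' body into a dict using the known field names.

    Each value runs from the end of its 'Key: ' marker to the start of the
    next known marker, so embedded commas inside a value are preserved.
    """
    matches = list(_FIELD_RE.finditer(body))
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(body)
        fields[m.group(1)] = body[m.end():end]
    return fields


def parse_message(line: str) -> dict:
    """Return {'header': {...}, 'fields': {...}} for one syslog line."""
    header = _HEADER_RE.search(line)
    if header:
        return {"header": header.groupdict(), "fields": parse_fields(line[header.end():])}
    # No recognisable header: start the body at the first known field name.
    first = _FIELD_RE.search(line)
    body = line[first.start(1):] if first else line
    return {"header": {}, "fields": parse_fields(body)}


def length_checks(fields: dict) -> dict:
    """Compare each declared '... Length' field with the text actually logged.

    actual < declared means the logged text is shorter than the product
    observed, i.e. it was truncated somewhere between sensor and log.
    """
    result = {}
    for text_key, len_key in (("Consumer Text", "Consumer Text Length"),
                              ("Operation", "Operation Length")):
        if text_key in fields and len_key in fields:
            declared = int(fields[len_key])
            actual = len(fields[text_key])
            result[text_key] = {"declared": declared, "actual": actual,
                                "truncated": actual < declared}
    return result


if __name__ == "__main__":
    record = parse_message(SAMPLE)
    for key, value in record["fields"].items():
        print(f"{key:38} {value}")
    print(length_checks(record["fields"]))
```

A truncated Operation is worth surfacing in the SIEM rule rather than silently accepted: the `__EventFilter` query and the consumer it is bound to are exactly the parts an analyst needs to judge a permanent WMI subscription, and the length fields are the only signal in the message that part of them is missing.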