ESET Online Help


WmiQueryInfo

WMI query events occur when a user or a service triggers a query on a system.

| Property | Type | Description |
|---|---|---|
| Query | String | A query was triggered in a system |
| IsLocal | Bool | If false, a query was called from a remote machine (for example, using WbemTest) |

| | WmiQuery |
|---|---|
| WmiQueryInfo | X |

Example event:

```xml
<?xml version="1.0" encoding="utf-8"?>
<rule>
    <definition>
        <operations>
            <operation type="WmiQuery">
                <condition component="WmiQueryInfo" property="Query" condition="contains" value="win32_service" />
            </operation>
        </operations>
    </definition>
    <description>
        <name>Example WMI query event</name>
        <explanation>
            This tag supports markdown and html syntax.
            It is also true for maliciousCauses, benignCauses and recommendedActions tags.
        </explanation>
        <maliciousCauses>
            Content of tags with HTML text must be surrounded with CDATA xml tag.
        </maliciousCauses>
        <category>
            Default
        </category>
    </description>
</rule>
```
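
An added example, not part of ESET's documentation: a small Python sketch that loads the rule definition above and checks it against constructed WmiQuery events, using IsLocal to separate local from remote queries. The case-insensitive `contains` matching, the AND across conditions and the event dictionaries are assumptions made for illustration, not the behaviour of ESET's rule engine.

```python
import xml.etree.ElementTree as ET

# Rule definition copied from the page's example (description block omitted).
RULE_XML = """<rule><definition><operations>
  <operation type="WmiQuery">
    <condition component="WmiQueryInfo" property="Query" condition="contains" value="win32_service" />
  </operation>
</operations></definition></rule>"""

# Constructed sample events: (operation type, {component: {property: value}}).
EVENTS = [
    ("WmiQuery", {"WmiQueryInfo": {"Query": "SELECT * FROM Win32_Service", "IsLocal": True}}),
    ("WmiQuery", {"WmiQueryInfo": {"Query": "select Name from win32_service where State='Running'", "IsLocal": False}}),
    ("WmiQuery", {"WmiQueryInfo": {"Query": "SELECT * FROM Win32_Process", "IsLocal": False}}),
]

def load_operations(rule_xml):
    """Return [(operation_type, [(component, property, condition, value), ...]), ...]."""
    root = ET.fromstring(rule_xml)
    ops = []
    for op in root.iter("operation"):
        conds = [(c.get("component"), c.get("property"), c.get("condition"), c.get("value"))
                 for c in op.iter("condition")]
        ops.append((op.get("type"), conds))
    return ops

def condition_holds(cond, components):
    component, prop, kind, value = cond
    actual = components.get(component, {}).get(prop)
    if kind != "contains" or actual is None:
        return False  # only the operator used on the page is modelled here
    # Assumption: the substring match ignores case.
    return value.lower() in str(actual).lower()

def matches(ops, event):
    op_type, components = event
    # Assumption: all conditions inside one operation must hold (logical AND).
    return any(t == op_type and all(condition_holds(c, components) for c in conds)
               for t, conds in ops)

def triage(rule_xml, events):
    """Return (query, origin) for each matching event; origin is derived from IsLocal."""
    ops = load_operations(rule_xml)
    hits = []
    for event in events:
        if matches(ops, event):
            info = event[1]["WmiQueryInfo"]
            hits.append((info["Query"], "local" if info["IsLocal"] else "remote"))
    return hits

if __name__ == "__main__":
    for query, origin in triage(RULE_XML, EVENTS):
        print(f"{origin:6} {query}")
```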