i would like to used this rule : Suspicious Scripting in a WMI Consumer
by editing the rules, i anderstand that detection works with Destination’s field, but during the detector creation, i don’t have this field and i didn’t have any alert during field mapping step.
my question is how works field detection and field requirement
which tool to use to retrieve data for this sigma’s rule
(actually i used winlogbeat/sysmon/packetbeat)
thanks for yours explanations