Use a WMI detection rule


I would like to use this rule: Suspicious Scripting in a WMI Consumer

By editing the rules, I understand that detection works with the Destination field, but during the detector creation I don't have this field, and I didn't have any alert during the field mapping step.

My question is how field detection and field requirements work,
and which tool to use to retrieve data for this Sigma rule
(actually I use winlogbeat/sysmon/packetbeat).

Thanks for your explanations.
