Sysmon Event ID 21
21: WmiEventConsumerToFilter activity detected
This is an event from
Sysmon.
On this page
Free Security Log Resources by Randy
- Log Name
- Source
- Date
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- Description
- EventType
- UtcTime
- Operation
- User
- Consumer
- Filter
Supercharger Free Edition
Centrally manage WEC subscriptions.
Free.
Log Name: Microsoft-Windows-Sysmon/Operational
Source: Microsoft-Windows-Sysmon
Date: 4/11/2018 9:27:02 AM
Event ID: 21
Task Category: WmiEventConsumerToFilter activity detected (rule: WmiEvent)
Level: Information
Keywords:
User: SYSTEM
Computer: rfsh.lab.local
Description:
WmiEventConsumerToFilter activity detected:
EventType: WmiBindingEvent
UtcTime: 2018-04-11 16:27:02.565
Operation: Created
User: LAB\rsmith
Consumer: "CommandLineEventConsumer.Name=\"BotConsumer23\""
Filter: "__EventFilter.Name=\"BotFilter82\""
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>21</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>21</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2018-04-11T16:27:02.565587100Z" />
<EventRecordID>63866</EventRecordID>
<Correlation />
<Execution ProcessID="7620" ThreadID="21880" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsh.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="EventType">WmiBindingEvent</Data>
<Data Name="UtcTime">2018-04-11 16:27:02.565</Data>
<Data Name="Operation">Created</Data>
<Data Name="User">LAB\rsmith</Data>
<Data Name="Consumer"> "CommandLineEventConsumer.Name=\"BotConsumer23\""</Data>
<Data Name="Filter"> "__EventFilter.Name=\"BotFilter82\""</Data>
</EventData>
</Event>
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection