Sysmon Event ID 21


21: WmiEventConsumerToFilter activity detected

This is an event from Sysmon.


Description Fields in 21

  • Log Name
  • Source
  • Date
  • Event ID
  • Task Category
  • Level
  • Keywords
  • User
  • Computer
  • Description
  • EventType
  • UtcTime
  • Operation
  • User
  • Consumer
  • Filter

Examples of 21

Log Name:       Microsoft-Windows-Sysmon/Operational
Source:         Microsoft-Windows-Sysmon
Date:           4/11/2018 9:27:02 AM
Event ID:       21
Task Category: WmiEventConsumerToFilter activity detected (rule: WmiEvent)
Level:          Information
User:           SYSTEM
Computer:       rfsh.lab.local
WmiEventConsumerToFilter activity detected:
EventType: WmiBindingEvent
UtcTime: 2018-04-11 16:27:02.565
Operation: Created
User: LAB\rsmith
Consumer:   "CommandLineEventConsumer.Name=\"BotConsumer23\""
Filter:   "__EventFilter.Name=\"BotFilter82\""
Event Xml:
<Event xmlns="">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
    <TimeCreated SystemTime="2018-04-11T16:27:02.565587100Z" />
    <Correlation />
    <Execution ProcessID="7620" ThreadID="21880" />
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="EventType">WmiBindingEvent</Data>
    <Data Name="UtcTime">2018-04-11 16:27:02.565</Data>
    <Data Name="Operation">Created</Data>
    <Data Name="User">LAB\rsmith</Data>
    <Data Name="Consumer"> "CommandLineEventConsumer.Name=\"BotConsumer23\""</Data>
    <Data Name="Filter"> "__EventFilter.Name=\"BotFilter82\""</Data>
  </EventData>
</Event>
