Forum Discussion
yongda (Copper Contributor), Feb 06, 2023
How to enable collection of the process command line for Windows Server
I tried to search for the "process command line" detail in Windows event ID 4688 via Sentinel.
However, it seems that Sentinel is not recording the "process command line" in the log.
How can I enable the collection of the "process command line" in Windows events?
Clive_Watson (Bronze Contributor):
Do you have CommandLine entries?

    SecurityEvent
    | where EventID == 4688
    | distinct CommandLine

There are lots of examples: https://github.com/Azure/Azure-Sentinel/search?l=YAML&q=4688

yongda (Copper Contributor):
How do I enable CommandLine entries?

Clive_Watson (Bronze Contributor):
You should need to, how are you bringing these in, do you use MMA or AMA (maybe AMA is excluding the columns you need in the DCR?)
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/testing-the-new-version-of-the-windows-security-events-connector/ba-p/2483369
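The thread only covers the Sentinel side (MMA versus AMA and the DCR). The other half of the problem is on the Windows host itself: event 4688 is written only when the "Process Creation" audit subcategory is enabled, and even then the CommandLine field stays empty unless the "Include command line in process creation events" policy is switched on. The script below is an added example, not something posted by either participant. It turns both settings on with documented tools (auditpol and the ProcessCreationIncludeCmdLine_Enabled registry value the group policy writes), spawns a marker process, and reads the CommandLine field back out of the newest matching 4688 event so you can confirm the host is producing the data before you go looking for it in the SecurityEvent table. The marker string "sentinel-cmdline-test" is a constructed value for the check. Run it in an elevated PowerShell on the server in question; if it succeeds locally but Sentinel still shows blank CommandLine values, the gap is in the forwarding path (the agent's event filter or the DCR), which is what the reply above points at.

```powershell
# Added example (not from the thread): enable command-line capture for event 4688 on the
# host and verify it locally. Requires an elevated PowerShell session.

# 1. Event 4688 is only generated when the Process Creation subcategory is audited.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable

# 2. By default 4688 omits the command line. This registry value is what the GPO
#    Computer Configuration > Administrative Templates > System > Audit Process Creation >
#    "Include command line in process creation events" sets.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Start a new process with a recognisable argument (constructed marker string).
$marker = 'sentinel-cmdline-test'
Start-Process -FilePath 'cmd.exe' -ArgumentList "/c echo $marker" -WindowStyle Hidden -Wait

# 4. Find the 4688 event for that process. Parse the event XML rather than the
#    rendered message text so the field name is exact.
$event = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 50 |
    Where-Object { $_.ToXml() -match $marker } |
    Select-Object -First 1

if (-not $event) {
    throw "No 4688 event containing '$marker' was found. Check the audit policy took effect."
}

$xml = [xml]$event.ToXml()
$commandLine = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'

if ([string]::IsNullOrWhiteSpace($commandLine)) {
    throw 'Event 4688 exists but CommandLine is empty: ProcessCreationIncludeCmdLine_Enabled is not in effect.'
}

"4688 CommandLine captured on this host: $commandLine"
```

Once this prints the captured command line, the host is doing its part. With MMA the event must be inside the event set the workspace collects; with AMA the DCR's Security log XPath must include EventID 4688, and CommandLine should then appear in SecurityEvent without any column-level exclusion.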