How to enable collection Process command line for windows server

yongda · ‎Feb 05 2023

I tried to search for “process command line” detail in Window event ID 4688 via Sentinel.

However, it seems that Sentinel is not recording the “process command line” log.

How can I enable the collection of “process command line” in Window event?

Clive_Watson · ‎Feb 06 2023

Do you have CommandLine entries?

SecurityEvent
| where EventID ==4688
| distinct CommandLine

There are lost of examples: https://github.com/Azure/Azure-Sentinel/search?l=YAML&q=4688

yongda · ‎Feb 06 2023

How do I enable CommandLine entries?

Clive_Watson · ‎Feb 07 2023

You should need to, how are you bringing these in, do you use MMA or AMA (maybe AMA is excluding the columns you need in the DCR?)

https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/testing-the-new-version-of-the-window...

How to enable collection Process command line for windows server

How to enable collection Process command line for windows server

Re: How to enable collection Process command line for windows server

Re: How to enable collection Process command line for windows server

Re: How to enable collection Process command line for windows server

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

How to enable collection Process command line for windows server