Hi,
Trying to create an exclusion for the alert "AntiVirus Enumeration via WMI query [E1119]", configuring the query and (ideally) also the invoking process, which is pangphip.exe in this case. Below is the query I tried, but it does not work (this syntax works for the CodeInjection operation type but not for WmiQuery). If I remove the FileItem condition, leaving only the Query condition, it works. The process is svchost.exe and the parent is services.exe; other ancestors are purged. Any idea how to change the syntax to state what I need? Thanks.
<definition>
  <operations>
    <operation type="WmiQuery">
      <operator type="and">
        <!-- Query condition: works on its own -->
        <condition component="WmiQueryInfo" property="Query" condition="contains" value="select displayname,instanceguid,productstate,timestamp from antivirusproduct" />
        <!-- FileItem condition: adding this stops the exclusion from matching -->
        <condition component="FileItem" property="FileName" condition="is" value="pangphip.exe" />
      </operator>
    </operation>
  </operations>
</definition>