Hi,

Windows has the capability to show the command line run for a given process in the logs. Sentinel captures this as it is in the event, if enabled in Windows, but it doesn't break it out into a variable you can search, alert or report on. Is it possible to capture this?

Example:

A new process has been created.

Subject:

Security ID: WIN-R9H529RIO4Y\Administrator
Account Name: Administrator
Account Domain: WIN-R9H529RIO4Y
Logon ID: 0x1fd23

Process Information:

New Process ID: 0xed0
New Process Name: C:\Windows\System32\notepad.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Mandatory Label: Mandatory Label\Medium Mandatory Level
Creator Process ID: 0x8c0
Creator Process Name: c:\windows\system32\explorer.exe
Process Command Line: C:\Windows\System32\notepad.exe c:\sys\junk.txt <------ this is not broken out into a variable you can use
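
One way to break the command line out of the event text shown above, as an added example that is not part of the original post and not Sentinel's own parsing code. It assumes the event message is available as a plain string; the function names and record keys are hypothetical, and the sample is constructed from the event in the post.

```python
import re

# Constructed sample: message text of a process-creation event, modelled on the
# one in the post (the poster's arrow annotation is left out).
SAMPLE = r"""A new process has been created.
Subject:
    Security ID: WIN-R9H529RIO4Y\Administrator
    Account Name: Administrator
    Account Domain: WIN-R9H529RIO4Y
    Logon ID: 0x1fd23
Process Information:
    New Process ID: 0xed0
    New Process Name: C:\Windows\System32\notepad.exe
    Token Elevation Type: TokenElevationTypeDefault (1)
    Mandatory Label: Mandatory Label\Medium Mandatory Level
    Creator Process ID: 0x8c0
    Creator Process Name: c:\windows\system32\explorer.exe
    Process Command Line: C:\Windows\System32\notepad.exe c:\sys\junk.txt
"""

SECTIONS = {"Subject", "Process Information"}
# Split on the first colon only, so drive letters (C:\...) stay in the value.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):[ \t]*(.*)$")

def parse_fields(message):
    """Flatten the message into {'Section.Label': value}."""
    fields, section = {}, None
    for m in filter(None, map(FIELD.match, message.splitlines())):
        label, value = m.group(1), m.group(2).strip()
        if label in SECTIONS and not value:
            section = label          # header line such as "Subject:"
        else:                        # an empty command line stays an empty field
            fields[f"{section}.{label}"] = value
    return fields

def to_record(message):
    """Build a flat record with the command line as its own searchable field."""
    f = parse_fields(message)
    image = f.get("Process Information.New Process Name", "")
    cmd = f.get("Process Information.Process Command Line", "")
    args = None                      # stays None when the image prefix is not found
    for prefix in (f'"{image}"', image):   # image may be quoted on the command line
        if image and cmd.lower().startswith(prefix.lower()):
            args = cmd[len(prefix):].strip()
            break
    return {"account": f.get("Subject.Account Name"), "image": image,
            "pid": int(f.get("Process Information.New Process ID", "0"), 16),
            "parent_image": f.get("Process Information.Creator Process Name"),
            "command_line": cmd, "arguments": args}
```

When command-line auditing is not enabled the field arrives empty, so `command_line` is an empty string and `arguments` is `None` rather than an error.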