04-23-2019 12:16 AM - edited 02-21-2020 11:04 AM
Hello,
We are implementing ISE PIC - Stealthwatch integration via pxGrid.
One of the requests is to create an ISE PIC user with certain permissions to use DCOM and WMI root access, as depicted in the great instructions at the link.
The customer wants to know: which WMI root/CIMv2 commands does the ISE PIC user execute while accessing the domain controllers?
Also, on Windows Server 2016 there are limitations on providing permissions for DCOM and WMI root/CIMv2 usage. While defining permissions for the ISE PIC user on the DC, it also needs to be defined what the permissions refer to: the whole domain or a certain application.
In the instructions at the link there is a registry key value for an App ID 76A64158-CB41-11D1-8B02-00600806D9B6. Do the permissions need to refer just to this App ID or to the entire DC?
Thank you,
Miroslav Vucevski
04-28-2019 05:59 PM - edited 04-28-2019 05:59 PM
ISE PassiveID WMI providers use WMI to query Kerberos events in the security event logs on the domain controllers. All the group membership, DCOM, WMI, and registry changes are to ensure that.
04-30-2019 06:23 AM
Hello hslai,
Thank you for your reply.
As our customer is security-aware and a little bit skeptical, they are interested in which commands the user executes under WMI.
Do you have that information?
Thanks!

04-30-2019 08:02 AM
SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.LogFile = 'Security' AND (TargetInstance.EventIdentifier = 4768) AND (TargetInstance.EventType = '4')
Regards,
-Tim
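To check on a domain controller what the query in the reply above delivers and which account registers it, the following PowerShell is an added example, not part of the thread and not Cisco's code. The helper names and the account name are hypothetical, and it assumes the DC records WMI event subscriptions as event IDs 5860 and 5861 in the WMI-Activity operational log and that the session may read the Security log.

```powershell
# Added example: run in an elevated session on a domain controller.
# Only the WQL text comes from the thread; all other names are illustrative.
$Query = "SELECT * FROM __InstanceCreationEvent " +
         "WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
         "AND TargetInstance.LogFile = 'Security' " +
         "AND (TargetInstance.EventIdentifier = 4768) " +
         "AND (TargetInstance.EventType = '4')"

function Watch-TgtEvent {
    # Hypothetical helper: subscribe with the same query for a fixed window
    # and emit the fields each notification exposes to the subscriber.
    param([int]$Seconds = 60)
    $id = 'PicQueryReview'
    Register-CimIndicationEvent -Namespace 'root/cimv2' -Query $Query `
        -SourceIdentifier $id | Out-Null
    try {
        $deadline = (Get-Date).AddSeconds($Seconds)
        while ((Get-Date) -lt $deadline) {
            $evt = Wait-Event -SourceIdentifier $id -Timeout 5
            if (-not $evt) { continue }   # nothing arrived in this 5 s slice
            $log = $evt.SourceEventArgs.NewEvent.TargetInstance
            [pscustomobject]@{
                TimeGenerated    = $log.TimeGenerated
                EventIdentifier  = $log.EventIdentifier
                ComputerName     = $log.ComputerName
                InsertionStrings = $log.InsertionStrings -join ' | '
            }
            Remove-Event -EventIdentifier $evt.EventIdentifier
        }
    }
    finally {
        # Always tear the subscription down, even on Ctrl+C or an error.
        Unregister-Event -SourceIdentifier $id
        Remove-Event -SourceIdentifier $id -ErrorAction SilentlyContinue
    }
}

function Get-WmiSubscriptionAudit {
    # Hypothetical helper: list subscription registrations in the WMI-Activity
    # log (IDs 5860/5861, assumed) whose text mentions the given account.
    param([Parameter(Mandatory)][string]$Account)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5860, 5861
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$Account*" } |
        Select-Object TimeCreated, Id, Message
}

Watch-TgtEvent -Seconds 120 | Format-List
Get-WmiSubscriptionAudit -Account 'ise-pic-svc'   # constructed account name
```

The first call shows the data a subscriber to this query receives for each Kerberos ticket request (event 4768); the second lets the customer compare the queries logged for the service account against the one quoted in the thread.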
05-01-2019 05:26 AM
Hello Tim,
Thanks for the answer!
Kind regards,
Miroslav
