exclude legitimate (vetted) use of wmi event subscription in your network

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml>sigma
technicques: t1546 t1546.003

Techniques

Detects creation of WMI event subscription persistence method

condition: selection
selection:
  EventID:
  - 19
  - 20
  - 21