Show when a monitor or a span/rspan is setup or modified.
- QRadar AQL
SELECT 'CmdSet' from events where LOGSOURCENAME(logsourceid) ilike '%cisco%' and (search_payload ilike '%monitor capture point%' or search_payload ilike '%set span%' or search_payload ilike '%set rspan%')- Splunk
("monitor capture point" OR "set span" OR "set rspan") | table CmdSet- Elastic Query
\*.keyword:(*monitor\ capture\ point* OR *set\ span* OR *set\ rspan*)- EDR Carbon Black
(monitor capture point OR set span OR set rspan)- Windows PowerShell
Get-WinEvent | where {($_.message -match "monitor capture point" -or $_.message -match "set span" -or $_.message -match "set rspan") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message- RegEx
^(?:.(?:.monitor capture point|.set span|.set rspan))