Windows anomalous process all hosts

Goal

Detects processes that occur rarely compared to other processes on all hosts, using a rare function that detest values that occur rarely on time or rarely for a population.

Description

Models the occurrences of processes on all hosts.

Searches for rare processes running on multiple hosts in an entire fleet or network.

This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.

Characteristics

Name

Windows anomalous process all hosts

Type

Windows

Data source

Windows Threat Hunting

Required fields

hostName

processName

userName

processExecutable

action

PreviousWindows anomalous network activity NextWindows anomalous user name

Last updated 3 months ago