Windows rare process by host

Goal

Detects unusually rare processes compared to other processes on the host, using a rare function that detects values that occur rarely over time or rarely across a population.

Description

Models occurrences of process activities on the host.

Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorised services, malware, or persistence mechanisms.

Processes are considered rare when they only run occasionally as compared with other processes running on the host.
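As an added example (not part of this rule's own implementation), the following Python sketch scores process starts from constructed sample events carrying the required fields, flagging a process as rare when it is both a small share of its host's starts (rare over time) and seen on few hosts (rare for the population); the thresholds and the `svc_tmp.exe` name are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample events, not real telemetry: each record carries the
# rule's required fields. Two hosts run the same common processes many
# times; one process appears a single time on one host.
COMMON = ["explorer.exe", "svchost.exe", "chrome.exe"]
EVENTS = [
    {"hostName": h, "processName": p, "userName": "alice", "action": "start"}
    for h in ("ws01", "ws02") for p in COMMON for _ in range(10)
]
EVENTS.append({"hostName": "ws01", "processName": "svc_tmp.exe",
               "userName": "alice", "action": "start"})
EVENTS.append({"hostName": "ws02", "processName": "chrome.exe",
               "userName": "bob", "action": "stop"})  # ignored: not a start


def counts_by_host(events):
    """Count process starts per host, keyed by lower-cased process name."""
    counts = defaultdict(Counter)
    for e in events:
        if e.get("action") == "start":
            counts[e["hostName"]][e["processName"].lower()] += 1
    return counts


def rare_processes(events, max_share=0.05, max_host_share=0.5):
    """Return (host, process) pairs that are rare on the host (share of that
    host's starts <= max_share) and rare across the population (share of
    hosts that ran it <= max_host_share). Thresholds are assumptions."""
    counts = counts_by_host(events)
    hosts_per_proc = Counter()
    for c in counts.values():
        hosts_per_proc.update(c.keys())
    n_hosts = len(counts)
    hits = []
    for host, c in counts.items():
        total = sum(c.values())
        for proc, n in c.items():
            share = n / total
            host_share = hosts_per_proc[proc] / n_hosts
            if share <= max_share and host_share <= max_host_share:
                hits.append({"hostName": host, "processName": proc,
                             "count": n, "share": round(share, 3),
                             "hostShare": round(host_share, 3)})
    return sorted(hits, key=lambda h: h["share"])


if __name__ == "__main__":
    for hit in rare_processes(EVENTS):
        print(hit)  # the single svc_tmp.exe start on ws01 is flagged
```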

Characteristics

Name

Rare process by host

Type

Windows

Data source

Windows Threat Hunting

Required fields

hostName

processName

userName

action

Last updated