Detects unusually rare processes compared to other processes on the host, using a rare function that detects values that occur rarely in time or rarely for a population.
Description
Models occurrences of process activities on the host.
Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorised services, malware, or persistence mechanisms.
Processes are considered rare when they run only occasionally compared with other processes running on the host.
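The per-host rarity idea described above, as an added example that is not the detection's own model: a simplified frequency heuristic that flags a process when it appears in only a small fraction of the time buckets observed for that host. The function names, thresholds (`max_fraction`, `min_buckets`) and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict


def rare_processes_by_host(events, max_fraction=0.1, min_buckets=10):
    """Flag processes seen in few of a host's active time buckets.

    events: iterable of (bucket, host, process); bucket is a time-bucket index.
    Returns a sorted list of (host, process, buckets_seen, total_buckets).
    Simplified stand-in for a rare-by-host model, not the real algorithm.
    """
    seen = defaultdict(lambda: defaultdict(set))  # host -> process -> buckets
    host_buckets = defaultdict(set)               # host -> buckets with activity
    for bucket, host, process in events:
        seen[host][process].add(bucket)
        host_buckets[host].add(bucket)

    findings = []
    for host, procs in seen.items():
        total = len(host_buckets[host])
        if total < min_buckets:
            continue  # too little history to call anything rare on this host
        for process, buckets in procs.items():
            if len(buckets) / total <= max_fraction:
                findings.append((host, process, len(buckets), total))
    return sorted(findings)


def build_sample_events():
    """Constructed sample data: 24 hourly buckets across three hosts."""
    events = []
    for hour in range(24):
        events.append((hour, "web-01", "nginx"))
        events.append((hour, "web-01", "sshd"))
        events.append((hour, "build-01", "gcc"))  # routine on the build host
    events.append((13, "web-01", "gcc"))          # compiler seen once on a web server
    for hour in range(3):
        events.append((hour, "new-01", "updater"))
    events.append((2, "new-01", "oddproc"))       # host has too little history
    return events


if __name__ == "__main__":
    for finding in rare_processes_by_host(build_sample_events()):
        print("rare process: host=%s process=%s seen in %d of %d buckets" % finding)
```

The same process name (`gcc`) is flagged on `web-01` but not on `build-01`, because rarity is judged against each host's own baseline rather than across the fleet.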