Unusual Windows Security Event (Unusual - Event Code, Process, Directory, LoginType, ReturnCode, Domain)

Description

This is a catch-all anomaly for unusual Windows Security events. It can cover things such as a rare process, a rare resource, or even a rare process name for a given process. The anomaly is scored against both a per-user baseline and an enterprise-wide baseline.
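The baseline logic described above, as an added example that is not the product's own search or code: constructed Windows Security records (not real telemetry) form a learning window, and each scored field of a new event is compared against that user's history and the enterprise-wide history, so a value rare for both is ranked higher than one that is only new for the user. Field names, the 5% rarity threshold and the two severity tiers are assumptions for illustration.

```python
from collections import Counter, defaultdict

FIELDS = ("EventCode", "process", "logon_type")  # assumed fields to score

def make(user, code, proc, ltype, n):
    """Build n identical constructed Windows Security records (sample data, not real telemetry)."""
    return [{"user": user, "EventCode": code, "process": proc, "logon_type": ltype}] * n

# Constructed learning window that stands in for the user and enterprise baselines.
BASELINE = (make("alice", 4624, "explorer.exe", 2, 40) + make("alice", 4688, "outlook.exe", 2, 10)
            + make("bob", 4624, "explorer.exe", 2, 30) + make("bob", 4624, "explorer.exe", 10, 10)
            + make("svc_backup", 4624, "backup.exe", 5, 20))

def build_baselines(events):
    """Per-user and enterprise-wide value counts for every scored field."""
    user = defaultdict(lambda: defaultdict(Counter))
    enterprise = defaultdict(Counter)
    for e in events:
        for f in FIELDS:
            user[e["user"]][f][e[f]] += 1
            enterprise[f][e[f]] += 1
    return user, enterprise

def share(counter, value):
    """Fraction of baseline observations carrying this value (0.0 if never seen, or user unknown)."""
    total = sum(counter.values())
    return counter[value] / total if total else 0.0

def score_event(event, user, enterprise, threshold=0.05):
    """Return (severity, field, value, user_share, enterprise_share) for each rare field value.
    'high': rare for this user and rare across the enterprise; 'low': rare for the user only."""
    findings = []
    for f in FIELDS:
        u = share(user[event["user"]][f], event[f])
        ent = share(enterprise[f], event[f])
        if u <= threshold:
            severity = "high" if ent <= threshold else "low"
            findings.append((severity, f, event[f], round(u, 3), round(ent, 3)))
    return findings

def scan(new_events, baseline=BASELINE, threshold=0.05):
    """Score a batch of new events against baselines built from the learning window."""
    user, enterprise = build_baselines(baseline)
    return [(e["user"], score_event(e, user, enterprise, threshold)) for e in new_events]

if __name__ == "__main__":
    # Constructed new events: a never-seen process, a logon type new for alice but common
    # enterprise-wide, and one that is entirely normal for bob.
    new = [make("alice", 4624, "powershell.exe", 2, 1)[0],
           make("alice", 4624, "explorer.exe", 10, 1)[0],
           make("bob", 4624, "explorer.exe", 10, 1)[0]]
    for who, findings in scan(new):
        print(who, findings)
```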

Content Mapping

This content is not mapped to any local saved search.


Use Case

Advanced Threat Detection, Security Monitoring, Insider Threat

Category

Endpoint Compromise, Lateral Movement, Malware

Alert Volume

Medium

Journey

Stage 4

MITRE ATT&CK Tactics

Execution

MITRE ATT&CK Techniques

Execution

Data Sources

Windows Security