Detect Rare Executables

Description

This search will return a table of rare processes, the names of the systems running them, and the users who initiated each process.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Security Monitoring

Category

Unauthorized Software

Alert Volume

This search will return a table of rare processes, the names of the systems running them, and the users who initiated each process.

SPL Difficulty

None

Journey

Stage 3

Kill Chain Phases

Installation
Command and Control
Actions On Objectives

Data Sources

Endpoint Detection and Response

   Help

Detect Rare Executables Help

To successfully implement this search, you must be ingesting data that records process activity from your hosts and populating the endpoint data model with the resultant dataset. The macro filter_rare_process_whitelist searches two lookup files to whitelist your processes. These consist of rare_process_whitelist_default.csv and rare_process_whitelist_local.csv. To add your own processes to the whitelist, add them to rare_process_whitelist_local.csv. If you wish to remove an entry from the default lookup file, you will have to modify the macro itself to set the whitelist value for that process to false. You can modify the limit parameter and search scheduling to better suit your environment.

   Search

Open in Search