Prohibited Software On Endpoint

Description

This search looks for applications on the endpoint that you have marked as prohibited.

Content Mapping

This content is not mapped to any local saved search.


Use Case

Security Monitoring

Category

Unauthorized Software

Alert Volume

This search looks for applications on the endpoint that you have marked as prohibited.

SPL Difficulty

None

Journey

Stage 3

Kill Chain Phases

Installation
Command and Control
Actions On Objectives

Data Sources

Endpoint Detection and Response

Help

Prohibited Software On Endpoint Help

To successfully implement this search, you must be ingesting data that records process activity from your hosts, populating the Processes node of the Endpoint data model. This data typically comes from endpoint detection-and-response products, such as Carbon Black, or from endpoint data sources, such as Sysmon; it is usually generated by logs that report process tracking as configured in your Windows audit settings. In addition, you must have only the process_name (not the entire process path) marked as "prohibited" in the Enterprise Security interesting processes table, because the search matches on the bare process name. To load the process names marked as "prohibited" that ship with ES Content Updates, run the included search Add Prohibited Processes to Enterprise Security.
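The following SPL is an added illustration of the detection logic described above, not the page's own saved search: it summarises process executions from the Endpoint.Processes data model and keeps only those whose process name is flagged as prohibited in the interesting processes lookup. The lookup name `interesting_processes_lookup` and its `process` and `is_prohibited` fields are assumptions about the Enterprise Security lookup; check them against your ES version before use.

```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.process_name=*
    by Processes.dest Processes.user Processes.process_name
| rename Processes.* as *
| lookup interesting_processes_lookup process AS process_name OUTPUT is_prohibited
| search is_prohibited=true
| convert ctime(firstTime) ctime(lastTime)
| table firstTime lastTime dest user process_name count
```

Because the join key is `process_name` alone, an entry in the lookup that contains a full path will never match; keep only the file name in the `process` column.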
