Filter Uncommon Host Processes

willemdh · September 3, 2019, 1:38pm

Hello,

Read here (Uncommon Processes) that the Uncommon Processes query is an aggregation on process.name sorted by host cardinality first (cardinality of host.name where this process name occurs) and number of documents second.

The result is that the list if full of processes from our Rundeck server, which generates a unique id for each job running.

Is there any way to prevent these processes from showing up in SIEM? They look like:

548-129241-loca
549-129241-loca
550-129241-loca

Grtz

Willem

willemdh · September 26, 2019, 10:08am

I'm assuming there is no way to exclude processes somehow in hte SIEM Host overview?

tudor · September 27, 2019, 11:05am

Sorry for missing to reply. No, there's no way to add some sort of global filter at the moment. It's something we would consider.

You can filter them out via the KQL bar, but that will be only for the current view.

I'll raise this with the team to see if we can think of a solution.

system · October 25, 2019, 11:05am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Uncommon Processes SIEM	2	1636	August 12, 2019
Whitelist processes in Uncommon Processes Elastic Security	5	571	July 19, 2021
Linux_anomalous_process_all_hosts_ecs apparently not only covering Linux, but full auditbeat SIEM elastic-stack-machine-learning	3	556	February 3, 2022
Can I change the primary key for identifying hosts in the SIEM app? SIEM	4	610	September 1, 2020
SIEM Hosts/All Hosts Tables Empty SIEM	12	2536	September 2, 2019

Filter Uncommon Host Processes

Related topics