Filter Uncommon Host Processes

willemdh · September 3, 2019, 1:38pm

Hello,

Read here (Uncommon Processes) that the Uncommon Processes query is an aggregation on process.name sorted by host cardinality first (cardinality of host.name where this process name occurs) and number of documents second.

The result is that the list if full of processes from our Rundeck server, which generates a unique id for each job running.

Is there any way to prevent these processes from showing up in SIEM? They look like:

548-129241-loca
549-129241-loca
550-129241-loca

Grtz

Willem

willemdh · September 26, 2019, 10:08am

I'm assuming there is no way to exclude processes somehow in hte SIEM Host overview?

tudor · September 27, 2019, 11:05am

Sorry for missing to reply. No, there's no way to add some sort of global filter at the moment. It's something we would consider.

You can filter them out via the KQL bar, but that will be only for the current view.

I'll raise this with the team to see if we can think of a solution.

system · October 25, 2019, 11:05am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.