Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score triggering on all kinds of normal processes

willemdh · April 25, 2025, 2:38pm

Hello,

I activated "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score" and "Living off the Land Attack Detection" and followed the procedure.

It seems to be triggering on a lot of my usual / normal processes. For example opening brave and then opening a new tab always triggers a blocklist_label of 1.

Am I doing something wrong or is it normal that this triggers so frequently with a "High Malicious Probability Score"?

I'm using the latest version 2.4.0 in Elastic Security Serveless.

Willem

system · May 23, 2025, 2:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
ML Unsupervised question SIEM	3	423	February 6, 2023
How to reduce false/positives for prebuilt Windows Security ML jobs? SIEM	1	49	March 14, 2025
Trigering Alerts for Machine learning Jobs SIEM	3	148	August 1, 2024
Linux_anomalous_process_all_hosts_ecs apparently not only covering Linux, but full auditbeat SIEM elastic-stack-machine-learning	3	569	February 3, 2022
Notification from machine learning job per anomaly score SIEM	1	140	May 8, 2024

Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score triggering on all kinds of normal processes

Related topics