I have x-pack up and running and am collecting event logs containing windows and powershell command line activities.
Basically, I want to see the anomalies in command line activity.
I don't care about something like this
that happened over 900,000 times
I care about the 'anomalies', something like this as an example, that might have happened very few times -
psexec -i -s -d cmd.exe /c type test > C:\Windows\System32\backdoor.bat
Isn't this what it's designed for? I've been running it with 'Distinct Count' but I'm thinking that's not what I want, maybe 'low count'? But if I select 'low count' from Aggregation, there's nothing in Fields...
Do I want 'low count'?
Why is there nothing in Fields for some of the 'Aggregation' options?
Yes, I am going through the machine learning course...
Appreciate any explanations!