ML Aggregation and Fields

I have X-Pack up and running and am collecting event logs containing Windows and PowerShell command-line activity.

Basically, I want to see the anomalies in command line activity.
I don't care about something like this
C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{??????????}
that happened over 900,000 times
I care about the 'anomalies', something like this as an example, that might have happened very few times -
psexec -i -s -d cmd.exe /c type test > C:\Windows\System32\backdoor.bat

Isn't this what it's designed for? I've been running it with 'Distinct Count' but I'm thinking that's not what I want, maybe 'low count'? But if I select 'low count' from Aggregation, there's nothing in Fields...

Questions -

  1. Do I want 'low count'?

  2. Why is there nothing in Fields for some of the 'Aggregation' options?

Yes, I am going through the machine learning course...

Appreciate any explanations!

Hi,

I think what you are looking for is using categorization. Have a look here for more details. I hope it helps.

Ah got it, thanks!

Alright I'm trying this but... I want to get the 'rare' of something, I'm not sure what

The categorization filter is supposed to take this from the windows command line -
"C:\frompath\frompath\Pulse.exe" -tray
to
Pulse.exe" -tray

I could have this totally wrong... I'm trying to detect items like this on the win cmd or ps cmd
START cmd.exe /c type test > c:\temp\backdoor.bat

Appreciate any input...thanks!

Hmm, was just told by someone else that this isn't what I want to use, need to use 'rare' function. Alright, back to the drawing board!
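As an added example, not code from this thread or from Elastic: a short Python sketch of the job body one would send to `PUT _ml/anomaly_detectors/<job_id>` for a `rare` detector on the command-line field, beside a local frequency count that illustrates the difference the thread is circling. In the ML job API, `count`/`low_count`/`high_count` detectors count events per bucket and take no `field_name`, which is why the wizard offers no Fields for them, while `rare` needs a `by_field_name` (the value whose rarity is scored). The field name `process.command_line`, the bucket span, and the sample events are assumptions or constructed data; the local counter is only a stand-in for "rarely seen values" and is not how the real function models probability over time.

```python
import re
from collections import Counter

# Constructed sample standing in for process.command_line values (not real
# telemetry). Counts are scaled down from the post's 900,000 DllHost launches;
# the GUID is varied per launch to show the normalization pitfall below.
SAMPLE_EVENTS = (
    [r"C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{%08X-0000-0000-0000-000000000000}" % i
     for i in range(50)]
    + [r"C:\Windows\System32\svchost.exe -k netsvcs"] * 30
    + [r'"C:\frompath\frompath\Pulse.exe" -tray'] * 12
    + [r"psexec -i -s -d cmd.exe /c type test > C:\Windows\System32\backdoor.bat"]
    + [r"START cmd.exe /c type test > c:\temp\backdoor.bat"]
)

GUID_RE = re.compile(
    r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
)


def normalize(cmd: str) -> str:
    """Collapse per-launch noise (GUIDs, case) so one command shape is one value.

    'rare' scores each distinct by_field value on its own, so without this
    step every DllHost launch carrying a new GUID would itself be rare.
    """
    return GUID_RE.sub("{GUID}", cmd).strip().lower()


def find_rare_command_lines(events, max_count=2, normalize_first=True):
    """Local stand-in for 'rare by process.command_line': values seen at most
    max_count times in the sample. Illustration only; the real function
    models value probability across time buckets."""
    values = [normalize(e) for e in events] if normalize_first else list(events)
    counts = Counter(values)
    return {v: n for v, n in counts.items() if n <= max_count}


def rare_detector(field="process.command_line"):
    # rare requires a by_field_name (or over_field_name): that is the Field.
    # The field name is an assumption about the indexed event schema.
    return {"function": "rare", "by_field_name": field}


def low_count_detector():
    # count/low_count/high_count count events per bucket and take no
    # field_name, which is why the wizard shows nothing under Fields.
    return {"function": "low_count"}


def build_job_body(detectors, bucket_span="1h", time_field="@timestamp"):
    """Body for PUT _ml/anomaly_detectors/<job_id>; the job_id goes in the URL."""
    return {
        "analysis_config": {"bucket_span": bucket_span, "detectors": detectors},
        "data_description": {"time_field": time_field},
    }


if __name__ == "__main__":
    import json

    print(json.dumps(build_job_body([rare_detector()]), indent=2))
    for cmd, n in find_rare_command_lines(SAMPLE_EVENTS).items():
        print(f"{n:>3}  {cmd}")
    print(len(find_rare_command_lines(SAMPLE_EVENTS, normalize_first=False)),
          "rare values without normalization")
```

Two practical notes: the by_field of a `rare` detector must be a keyword field, and raw command lines are high-cardinality, so unnormalized values both produce false "rare" hits (the GUID case above) and inflate the job's model memory; a scripted or ingest-time normalized copy of the command line is the usual fix.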
