ML Aggregation and Fields

I have x-pack up and running and am collecting event logs containing windows and powershell command line activities.

Basically, I want to see the anomalies in command line activity.
I don't care about something like this
C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{??????????}
that happened over 900,000 times
I care about the 'anomalies', something like this as an example, that might have happened very few times -
psexec -i -s -d cmd.exe /c type test > C:\Windows\System32\backdoor.bat

Isn't this what it's designed for? I've been running it with 'Distinct Count' but I'm thinking that's not what I want, maybe 'low count'? But if I select 'low count' from Aggregation, there's nothing in Fields...

Questions -

  1. Do I want 'low count'?

  2. Why is there nothing in Fields for some of the 'Aggregation' options?

Yes, I am going through the machine learning course...

Appreciate any explanations!


I think what you are looking for is using categorization. Have a look here for more details. I hope it helps.

Ah got it, thanks!

Alright I'm trying this but... I want to get the 'rare' of something, I'm not sure what

The categorization filter is supposed to take this from the windows command line -
"C:\frompath\frompath\Pulse.exe" -tray
Pulse.exe" -tray

I could have this totally wrong... I'm trying to detect items like this on the win cmd or ps cmd
START cmd.exe /c type test > c:\temp\backdoor.bat

Appreciate any input...thanks!

Hmm, was just told by someone else that this isn't what I want to use, need to use 'rare' function. Alright, back to the drawing board!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.