How does SIEM determine what is and is not an uncommon process?
Hi @wwalker, the idea is to surface the processes that have occurred on the fewest hosts the fewest times. So if a process with that name has executed on just one out of all hosts just once, that would be displayed as the most "unusual" one.
The query for this is an aggregation on process.name sorted by host cardinality first (cardinality of host.name where this process name occurs) and number of documents second.
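The ranking described in the answer above, written out as an added example (not the SIEM app's own code, and not posted by anyone in this thread). It assumes ECS-style field names `process.name` and `host.name`, a hypothetical sub-aggregation name `host_count`, and a small set of constructed process-start events; it builds the equivalent Elasticsearch terms aggregation and also computes the same ordering locally so the result can be checked without a cluster.

```python
from collections import defaultdict

# Constructed sample events (not from the original thread): each is one
# process-start document carrying the two fields the answer refers to.
SAMPLE_EVENTS = [
    {"host.name": "ws-01", "process.name": "chrome.exe"},
    {"host.name": "ws-02", "process.name": "chrome.exe"},
    {"host.name": "ws-03", "process.name": "chrome.exe"},
    {"host.name": "ws-01", "process.name": "chrome.exe"},
    {"host.name": "ws-01", "process.name": "svchost.exe"},
    {"host.name": "ws-02", "process.name": "svchost.exe"},
    {"host.name": "ws-02", "process.name": "svchost.exe"},
    {"host.name": "ws-03", "process.name": "mimikatz.exe"},
    {"host.name": "ws-01", "process.name": "psexec.exe"},
    {"host.name": "ws-01", "process.name": "psexec.exe"},
]


def uncommon_processes_query(size=10):
    """Elasticsearch query DSL for the ranking the answer describes.

    A terms aggregation on process.name, ordered first by the cardinality of
    host.name within each bucket (ascending) and then by document count
    (ascending). "host_count" is an assumed name for the sub-aggregation.
    """
    return {
        "size": 0,
        "aggs": {
            "process": {
                "terms": {
                    "field": "process.name",
                    "size": size,
                    "order": [
                        {"host_count": "asc"},  # fewest distinct hosts first
                        {"_count": "asc"},      # then fewest documents
                    ],
                },
                "aggs": {
                    "host_count": {"cardinality": {"field": "host.name"}}
                },
            }
        },
    }


def rank_uncommon_processes(events):
    """Local, exact equivalent of the aggregation above.

    Returns (process.name, distinct host count, document count) tuples, least
    common first. Process name is used as a final tie-breaker so the order is
    deterministic.
    """
    hosts = defaultdict(set)
    docs = defaultdict(int)
    for event in events:
        name = event["process.name"]
        hosts[name].add(event["host.name"])
        docs[name] += 1
    return sorted(
        ((name, len(hosts[name]), docs[name]) for name in docs),
        key=lambda row: (row[1], row[2], row[0]),
    )


if __name__ == "__main__":
    for name, host_count, doc_count in rank_uncommon_processes(SAMPLE_EVENTS):
        print(f"{name:14} hosts={host_count} docs={doc_count}")
```

On the constructed data the order comes out as mimikatz.exe (1 host, 1 document), psexec.exe (1 host, 2 documents), svchost.exe (2 hosts, 3 documents), chrome.exe (3 hosts, 4 documents), which shows the two sort keys working together: the two single-host processes are separated only by document count. Two caveats when running the real aggregation: the cardinality aggregation is approximate (HyperLogLog++), and ordering a terms aggregation by a sub-aggregation is itself approximate across shards, so buckets near the cut-off can shift between runs and a larger `size` than you intend to display is a cheap hedge.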