How does SIEM determine what is and is not an uncommon process?
Hi @wwalker, the idea is to surface the processes that have occurred on the least amount of hosts the least amount of times. So if a process with that name has executed on just one out of all hosts just once, that would be displayed as the most "unusual" one.
The query for this is an aggregation on process.name
sorted by host cardinality first (cardinality of host.name
where this process name occurs) and number of documents second.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.