Process Execution Frequency Anomaly

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

This detection identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors. The query leverages KQL's built-in anomaly detection algorithms to find large deviations from baseline patterns. Sudden increases in execution frequency of sensitive processes should be further investigated for malicious activity. Tune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for score.

Attribute	Value
Type	Analytic Rule
Solution	Windows Security Events
ID	2c55fe7a-b06f-4029-a5b9-c54a2320d7b8
Severity	Medium
Status	Available
Kind	Scheduled
Tactics	Execution
Techniques	T1059
Required Connectors	SecurityEvents, WindowsSecurityEvents
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
SecurityEvent	EventID == "4688"	✓	✓	?

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Analytic Rules · Back to Windows Security Events