LoFP LoFP / a newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert. network activity that occurs rarely, in small quantities, can trigger this alert. possible examples are browsing technical support or vendor networks sparsely. a user who visits a new or unique web destination may trigger this alert.

Sample rules

Unusual DNS Activity

Description

A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.

Detection logic

Unusual Process For a Windows Host

Description

Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.

Detection logic

Anomalous Process For a Windows Population

Description

Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.

Detection logic

Anomalous Process For a Linux Population

Description

Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.

Detection logic

Unusual Windows Service

Description

A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.

Detection logic

Unusual Process For a Linux Host

Description

Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.

Detection logic