LoFP / It is uncommon for normal users to execute a series of commands used for network discovery. System administrators often use scripts to execute these commands. These can generate false positives.

Techniques

Sample rules

Detect processes used for System Network Configuration Discovery

Description

This search looks for rapid, repeated execution of processes used for system network configuration discovery on a single endpoint.

Detection logic


| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT Processes.user IN ("","unknown") by Processes.dest Processes.process_name Processes.parent_process_name Processes.user _time 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `drop_dm_object_name(Processes)` 
| search `system_network_configuration_discovery_tools` 
| transaction dest connected=false maxpause=5m 
| where eventcount>=5
| table firstTime lastTime dest user process_name process parent_process parent_process_name eventcount 
| `detect_processes_used_for_system_network_configuration_discovery_filter`
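The grouping the rule relies on (discard blank or unknown users, keep only discovery tools, split each host's events into transactions that end whenever a gap exceeds five minutes, and alert when a transaction holds five or more events) can be exercised offline. The following is an added Python re-implementation of that logic, not code from the LoFP page or from the Splunk rule; the tool list and the admin-script allowlist are assumptions standing in for the `system_network_configuration_discovery_tools` and `detect_processes_used_for_system_network_configuration_discovery_filter` macros, whose contents are not on the page, and the sample events are constructed.

```python
"""Sessionize endpoint process events and flag bursts of network-discovery tools.

Added example, not from the LoFP page or the Splunk rule. Re-implements the
rule's filtering and `transaction dest connected=false maxpause=5m` grouping so
the windowing can be tested against constructed events. DISCOVERY_TOOLS and
KNOWN_ADMIN_SCRIPTS are assumptions standing in for the rule's macros.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed stand-in for the `system_network_configuration_discovery_tools` macro.
DISCOVERY_TOOLS = {"ipconfig.exe", "arp.exe", "route.exe", "netsh.exe",
                   "nbtstat.exe", "net.exe", "netstat.exe", "ifconfig", "ip"}

MAX_PAUSE = timedelta(minutes=5)   # transaction ... maxpause=5m
MIN_EVENTS = 5                     # where eventcount>=5


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _summarize(dest, session, min_events):
    """Collapse one transaction into the fields the rule's `table` emits."""
    if len(session) < min_events:
        return []
    return [{
        "firstTime": session[0]["_time"],
        "lastTime": session[-1]["_time"],
        "dest": dest,
        "user": sorted({e["user"] for e in session}),
        "process_name": sorted({e["process_name"] for e in session}),
        "process": [e["process"] for e in session],
        "parent_process_name": sorted({e["parent_process_name"] for e in session}),
        # extra field (not in the rule) used by apply_filter below
        "user_parent_pairs": sorted({(e["user"], e["parent_process_name"]) for e in session}),
        "eventcount": len(session),
    }]


def detect_discovery_bursts(events, tools=DISCOVERY_TOOLS,
                            max_pause=MAX_PAUSE, min_events=MIN_EVENTS):
    """Return one alert per dest transaction holding >= min_events tool runs."""
    by_dest = defaultdict(list)
    for ev in events:
        if ev["user"] in ("", "unknown"):            # NOT Processes.user IN ("","unknown")
            continue
        if ev["process_name"].lower() not in tools:  # search `..._discovery_tools`
            continue
        by_dest[ev["dest"]].append(ev)

    alerts = []
    for dest, evs in by_dest.items():
        evs.sort(key=lambda e: _ts(e["_time"]))
        session = []
        for ev in evs:
            # connected=false: only a gap longer than maxpause closes a transaction
            if session and _ts(ev["_time"]) - _ts(session[-1]["_time"]) > max_pause:
                alerts.extend(_summarize(dest, session, min_events))
                session = []
            session.append(ev)
        alerts.extend(_summarize(dest, session, min_events))
    return alerts


# Assumed stand-in for the `..._filter` macro: drop a burst only when every
# event came from a known inventory script running under its service account.
KNOWN_ADMIN_SCRIPTS = {("svc_inventory", "powershell.exe")}


def apply_filter(alerts, allow=KNOWN_ADMIN_SCRIPTS):
    return [a for a in alerts if not set(a["user_parent_pairs"]) <= allow]


def _ev(t, dest, user, name, parent="cmd.exe"):
    return {"_time": t, "dest": dest, "user": user, "process_name": name,
            "process": name, "parent_process_name": parent}


# Constructed sample events.
SAMPLE_EVENTS = [
    # WS01: six discovery tools in 2.5 minutes from an interactive shell -> alert
    _ev("2024-03-01 09:00:00", "WS01", "alice", "ipconfig.exe"),
    _ev("2024-03-01 09:00:30", "WS01", "alice", "arp.exe"),
    _ev("2024-03-01 09:01:00", "WS01", "alice", "route.exe"),
    _ev("2024-03-01 09:01:30", "WS01", "alice", "netsh.exe"),
    _ev("2024-03-01 09:02:00", "WS01", "alice", "nbtstat.exe"),
    _ev("2024-03-01 09:02:30", "WS01", "alice", "net.exe"),
    _ev("2024-03-01 09:03:00", "WS01", "unknown", "ipconfig.exe"),   # excluded user
    # WS02: too few discovery tools -> no alert
    _ev("2024-03-01 10:00:00", "WS02", "bob", "ipconfig.exe"),
    _ev("2024-03-01 10:00:10", "WS02", "bob", "arp.exe"),
    _ev("2024-03-01 10:00:20", "WS02", "bob", "notepad.exe"),
    # WS03: five tools, but each 10 minutes apart -> separate transactions
    *[_ev(f"2024-03-01 11:{m:02d}:00", "WS03", "carol", "arp.exe") for m in (0, 10, 20, 30, 40)],
    # SRV01: scheduled inventory script -> alert, then suppressed by the filter
    *[_ev(f"2024-03-01 03:00:{s:02d}", "SRV01", "svc_inventory", n, "powershell.exe")
      for s, n in zip(range(0, 50, 10), ("ipconfig.exe", "arp.exe", "route.exe", "netsh.exe", "net.exe"))],
]

if __name__ == "__main__":
    for a in apply_filter(detect_discovery_bursts(SAMPLE_EVENTS)):
        print(a["dest"], a["user"], a["eventcount"], a["firstTime"], a["lastTime"])
```

Run as-is it prints the single surviving alert for WS01; the SRV01 burst fires exactly as the page's false-positive note predicts and is only removed by the allowlist, which is the tuning an analyst would put in the rule's `_filter` macro rather than loosening the five-event or five-minute thresholds.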