LoFP / some legitimate processes may be only rarely executed in your environment.

Techniques

Sample rules

Detect Rare Executables

Description

The following analytic detects executables that run on only a small number of hosts within the search time range: the detection logic below groups process execution events by process name, counts the distinct hosts (dest) each name was seen on, and reports names seen on fewer than 10 hosts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs mapped to the Endpoint.Processes data model. This activity is significant for a SOC because software that appears on one or a few hosts, rather than across the fleet, is a common sign of unauthorized tooling or of a payload dropped during an intrusion. If confirmed malicious, such rare processes could lead to data theft, privilege escalation, or complete system compromise, making early detection crucial for minimizing impact. Because the rule keys purely on rarity, legitimate software that only a few machines run (the false-positive case this page describes) will also match; those executables should be excluded through the `detect_rare_executables_filter` macro rather than by raising the host threshold.

Detection logic


| tstats `security_content_summariesonly` dc(Processes.dest) as dc_dest values(Processes.dest) as dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name 
| `drop_dm_object_name(Processes)` 
| search dc_dest < 10 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `detect_rare_executables_filter`
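To show what the tstats search actually computes, and how the filter macro is what separates the rare-but-legitimate case from the rare-and-unknown case, the following Python re-implements the detection logic over a handful of constructed process events. This is an added example, not Splunk ESCU code: the event dicts, host names, user names, the `backupagent.exe`/`unknown.exe` names and the `FILTER_ALLOWLIST` set standing in for `detect_rare_executables_filter` are all assumptions made up for the demonstration.

```python
"""Stand-alone re-implementation of the Detect Rare Executables logic.

Added example for this page, not code from Splunk or the ESCU project.
The events below are constructed to mirror the Endpoint.Processes fields
the tstats query reads (_time, dest, user, process_name).
"""
from datetime import datetime, timezone

# Constructed sample events (assumption: names and hosts are fictitious).
SAMPLE_EVENTS = (
    # A browser seen on 12 hosts: common, must not be reported.
    [{"_time": 1700000000 + i, "dest": f"ws-{i:03d}", "user": f"CORP\\user{i}",
      "process_name": "chrome.exe"} for i in range(1, 13)]
    # A legitimate backup agent that only runs on two servers: rare but
    # benign, the false-positive case the LoFP note on this page describes.
    + [{"_time": 1700000100, "dest": "srv-backup-01",
        "user": "NT AUTHORITY\\SYSTEM", "process_name": "backupagent.exe"},
       {"_time": 1700000200, "dest": "srv-backup-02",
        "user": "NT AUTHORITY\\SYSTEM", "process_name": "backupagent.exe"}]
    # An executable seen on a single workstation, twice.
    + [{"_time": 1700000500, "dest": "ws-007", "user": "CORP\\user7",
        "process_name": "unknown.exe"},
       {"_time": 1700000900, "dest": "ws-007", "user": "CORP\\user7",
        "process_name": "unknown.exe"}]
)

# `search dc_dest < 10` in the original SPL.
DC_DEST_THRESHOLD = 10

# Assumed stand-in for the `detect_rare_executables_filter` macro: an
# environment-specific allowlist of legitimate but rarely executed names.
FILTER_ALLOWLIST = {"backupagent.exe"}


def ctime(epoch):
    """Mirror `security_content_ctime`, which renders epoch as %m/%d/%Y %H:%M:%S.
    UTC is used here so the output is deterministic."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def aggregate_by_process(events):
    """The `tstats ... by Processes.process_name` step: per process name collect
    the distinct hosts and users and the first/last execution time."""
    agg = {}
    for e in events:
        row = agg.setdefault(e["process_name"], {
            "dest": set(), "user": set(),
            "firstTime": e["_time"], "lastTime": e["_time"],
        })
        row["dest"].add(e["dest"])
        row["user"].add(e["user"])
        row["firstTime"] = min(row["firstTime"], e["_time"])
        row["lastTime"] = max(row["lastTime"], e["_time"])
    return agg


def detect_rare_executables(events, threshold=DC_DEST_THRESHOLD,
                            allowlist=FILTER_ALLOWLIST):
    """Full pipeline: aggregate, keep dc_dest < threshold, apply the filter,
    and render times. Returns result rows sorted rarest first."""
    results = []
    for name, row in aggregate_by_process(events).items():
        dc_dest = len(row["dest"])
        if dc_dest >= threshold:          # `search dc_dest < 10`
            continue
        if name.lower() in allowlist:     # `detect_rare_executables_filter`
            continue
        results.append({
            "process_name": name,
            "dc_dest": dc_dest,
            "dest": sorted(row["dest"]),
            "user": sorted(row["user"]),
            "firstTime": ctime(row["firstTime"]),
            "lastTime": ctime(row["lastTime"]),
        })
    return sorted(results, key=lambda r: r["dc_dest"])


if __name__ == "__main__":
    for r in detect_rare_executables(SAMPLE_EVENTS):
        print(r)
    print("--- without the filter macro (what the untuned rule reports) ---")
    for r in detect_rare_executables(SAMPLE_EVENTS, allowlist=set()):
        print(r)
```

Running it with the allowlist empty shows `backupagent.exe` surfacing alongside `unknown.exe`, which is exactly the false positive the page's note warns about; the threshold alone cannot tell the two apart, only the environment-specific filter can.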