LoFP / this model is an anomaly detector that identifies usage of apis and scripting constructs that are correllated with malicious activity. these apis and scripting constructs are part of the programming langauge and advanced scripts may generate false positives.

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.original_file_name) as original_file_name values(Processes.action) as action values(Processes.parent_process_exec) as parent_process_exec values(Processes.parent_process_guid) as parent_process_guid values(Processes.parent_process_id) as parent_process_id values(Processes.parent_process_path) as parent_process_path values(Processes.process_exec) as process_exec values(Processes.process_guid) as process_guid values(Processes.process_hash) as process_hash values(Processes.process_id) as process_id values(Processes.process_integrity_level) as process_integrity_level values(Processes.process_name) as process_name values(Processes.process_path) as process_path values(Processes.user) as user  values(Processes.user_id) as user_id values(Processes.vendor_product) as vendor_product from datamodel="Endpoint.Processes" by Processes.parent_process_name Processes.process_name Processes.process Processes.user Processes.dest 
| `drop_dm_object_name(Processes)` 
| where len(process) > 200 
| `potentially_malicious_code_on_cmdline_tokenize_score` 
| apply unusual_commandline_detection 
| eval score='predicted(unusual_cmdline_logits)', process=orig_process 
| fields - unusual_cmdline* predicted(unusual_cmdline_logits) orig_process 
| where score > 0.5 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `potentially_malicious_code_on_commandline_filter`