EventSentry can detect process anomalies with its anomaly detection feature, which works by creating a database of known insertion string combinations.
For example, to detect process anomalies, event id 4688 can be used to create a baseline of all parent-child process activity on a network:
| ParentProcessName | NewProcessName |
|---|---|
| C:\Windows\explorer.exe | c:\program files (x86)\microsoft\edge\application\msedge.exe |
| C:\Windows\System32\cmd.exe | c:\windows\system32\auditpol.exe |
or by correlating user-process activity (the creator and target user SIDs are combined into one field here), which is the default in EventSentry:
| SubjectUserSid,TargetUserSid | NewProcessName |
|---|---|
| DOMAIN\UserA,NULL SID | c:\windows\system32\wlanhelper.exe |
| NT AUTHORITY\SYSTEM,NULL SID | |
It's up to the user to decide which approach fits better, although the second approach, while more secure, will usually result in more noise since each user effectively gets their own baseline.
EventSentry ships with the Process Start anomaly filter in the Security Processes package; anomalies are configured with the Anomaly button on the General tab of a filter.
The filter excludes a number of processes to reduce false positives and has a default learning period of one week. This means that EventSentry learns the common process combinations for one week, after which it alerts on previously unseen ones.
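As an added illustration (not EventSentry's own code, and not a description of its internals), the following Python sketch runs the two baseline strategies described above side by side: every insertion-string combination seen during the learning window is recorded silently, and afterwards any unseen combination is reported. The 4688 records, the one-process exclusion list and the timestamps are constructed for the example; the one-week window is the filter default stated above, and the choice to remember a reported combination so it is only reported once is an assumption of this sketch.

```python
from datetime import datetime, timedelta

# Constructed 4688 records (not real telemetry); only the insertion strings the
# two baselines key on are kept. The first three fall inside the learning
# window, the 2024-01-09 records are evaluated against the learned baseline.
EVENTS = [
    {"time": "2024-01-01T08:00:00", "SubjectUserSid": "DOMAIN\\UserA", "TargetUserSid": "NULL SID",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "NewProcessName": "c:\\program files (x86)\\microsoft\\edge\\application\\msedge.exe"},
    {"time": "2024-01-02T09:15:00", "SubjectUserSid": "DOMAIN\\UserB", "TargetUserSid": "NULL SID",
     "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
     "NewProcessName": "c:\\windows\\system32\\auditpol.exe"},
    {"time": "2024-01-03T03:00:00", "SubjectUserSid": "NT AUTHORITY\\SYSTEM", "TargetUserSid": "NULL SID",
     "ParentProcessName": "C:\\Windows\\System32\\services.exe",
     "NewProcessName": "c:\\windows\\system32\\svchost.exe"},
    # after the learning period
    {"time": "2024-01-09T08:05:00", "SubjectUserSid": "DOMAIN\\UserA", "TargetUserSid": "NULL SID",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "NewProcessName": "c:\\program files (x86)\\microsoft\\edge\\application\\msedge.exe"},
    {"time": "2024-01-09T08:10:00", "SubjectUserSid": "DOMAIN\\UserA", "TargetUserSid": "NULL SID",
     "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
     "NewProcessName": "c:\\windows\\system32\\auditpol.exe"},
    {"time": "2024-01-09T08:11:00", "SubjectUserSid": "DOMAIN\\UserA", "TargetUserSid": "NULL SID",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "NewProcessName": "c:\\windows\\system32\\rundll32.exe"},
    {"time": "2024-01-09T08:12:00", "SubjectUserSid": "DOMAIN\\UserA", "TargetUserSid": "NULL SID",
     "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
     "NewProcessName": "c:\\tools\\newtool.exe"},
]

LEARNING_PERIOD = timedelta(days=7)                  # the filter's default
EXCLUDED = {"c:\\windows\\system32\\rundll32.exe"}   # constructed noise exclusion


def key_parent_child(ev):
    """First approach: baseline on (ParentProcessName, NewProcessName)."""
    return (ev["ParentProcessName"].lower(), ev["NewProcessName"].lower())


def key_user_process(ev):
    """Second approach (the EventSentry default): creator+target user vs. process."""
    return (ev["SubjectUserSid"] + "," + ev["TargetUserSid"], ev["NewProcessName"].lower())


def detect_anomalies(events, key_fn, learning_period=LEARNING_PERIOD, excluded=EXCLUDED):
    """Return (baseline, anomalies). Combinations seen inside the learning window
    are recorded silently; later unseen combinations are reported once and then
    remembered (assumption, so the same pair is not reported on every start)."""
    ordered = sorted(events, key=lambda e: e["time"])
    start = datetime.fromisoformat(ordered[0]["time"])
    baseline, anomalies = set(), []
    for ev in ordered:
        if ev["NewProcessName"].lower() in excluded:
            continue                         # excluded processes never enter the baseline
        combo = key_fn(ev)
        learning = datetime.fromisoformat(ev["time"]) - start < learning_period
        if not learning and combo not in baseline:
            anomalies.append(combo)
        baseline.add(combo)
    return baseline, anomalies


if __name__ == "__main__":
    for name, fn in (("parent-child", key_parent_child), ("user-process", key_user_process)):
        _, found = detect_anomalies(EVENTS, fn)
        print(f"{name}: {len(found)} reported")
        for combo in found:
            print("   ", combo)
```

With the parent-child key only cmd.exe starting newtool.exe is reported; with the per-user key, UserA running auditpol.exe is reported as well, even though UserB's identical parent-child pair was learned during the first week. That second report is exactly the extra noise the text warns about, and also why the per-user baseline catches a known tool being run by someone who never ran it before.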
Once an event is deemed an anomaly, it can trigger the "Require Acknowledgment" flag, which can be used in combination with the Acknowledge tile or the requireacknowledge:True search syntax on the event log page.
The easiest way to review anomalies is with the Acknowledge tile along with a RegEx pattern that extracts only the necessary text from the somewhat verbose 4688 event.
An example of the dashboard tile along with its configuration is shown below:
Query:

```
log:Security AND id:4688 AND NOT message:*rundll32*
```

(common noise can be excluded here as well as in the management console)

RegEx:

```
(?:Creator Subject:(?s).*?Security ID|New Process Name|Creator Process Name|Process Command Line):\s*(.*)
```
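To show what the tile's RegEx actually pulls out of a 4688 event, here is an added Python example (not EventSentry code). The message below is a constructed event in the Security log's standard layout, not a real capture. Python does not accept the inline `(?s)` of the pattern above in the middle of an expression, so the example uses the equivalent scoped form `(?s:.*?)`; the rest of the pattern is unchanged. The `matches_query` helper is only a stand-in for the tile query and assumes the `*rundll32*` wildcard is a case-insensitive substring match.

```python
import re

# Constructed 4688 message in the Security log's standard layout (not a real
# capture); the tab layout mirrors what Event Viewer shows.
SAMPLE_4688 = (
    "A new process has been created.\n\n"
    "Creator Subject:\n"
    "\tSecurity ID:\t\tDOMAIN\\UserA\n"
    "\tAccount Name:\t\tUserA\n"
    "\tAccount Domain:\t\tDOMAIN\n"
    "\tLogon ID:\t\t0x1A2B3C\n\n"
    "Target Subject:\n"
    "\tSecurity ID:\t\tNULL SID\n"
    "\tAccount Name:\t\t-\n"
    "\tAccount Domain:\t\t-\n"
    "\tLogon ID:\t\t0x0\n\n"
    "Process Information:\n"
    "\tNew Process ID:\t\t0x1f40\n"
    "\tNew Process Name:\tC:\\Windows\\System32\\auditpol.exe\n"
    "\tToken Elevation Type:\t%%1938\n"
    "\tMandatory Label:\t\tMandatory Label\\Medium Mandatory Level\n"
    "\tCreator Process ID:\t0x2bc\n"
    "\tCreator Process Name:\tC:\\Windows\\System32\\cmd.exe\n"
    "\tProcess Command Line:\tauditpol.exe /get /category:*\n"
)

# Same pattern as the tile, with the .NET-style inline (?s) rewritten as the
# scoped (?s:...) group Python requires. The first alternative reaches from
# "Creator Subject:" across the line break to the creator's Security ID, so the
# Target Subject's Security ID (which has no such prefix) is not captured; the
# remaining alternatives pick up the two process names and the command line,
# each captured only to the end of its own line.
FIELD_PATTERN = re.compile(
    r"(?:Creator Subject:(?s:.*?)Security ID|New Process Name|Creator Process Name|"
    r"Process Command Line):\s*(.*)"
)


def matches_query(message: str, event_id: int = 4688, log: str = "Security") -> bool:
    """Stand-in for `log:Security AND id:4688 AND NOT message:*rundll32*`
    (assumes the wildcard is a case-insensitive substring match)."""
    return log == "Security" and event_id == 4688 and "rundll32" not in message.lower()


def extract_fields(message: str) -> list[str]:
    """Apply the RegEx and return the captured values, trimmed of surrounding whitespace."""
    return [m.strip() for m in FIELD_PATTERN.findall(message)]


def summarize(message: str) -> str:
    """One-line form for the tile: creator user, new process, creator process, command line."""
    return " | ".join(extract_fields(message))


if __name__ == "__main__":
    if matches_query(SAMPLE_4688):
        print(summarize(SAMPLE_4688))
```

The four captured values are the creator's Security ID, the new process name, the creator (parent) process name and the command line, which is all an analyst needs to decide whether to acknowledge the anomaly; the target subject's NULL SID, the logon IDs and the token and label lines are dropped.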