rare

rare returns the least common values of a field in the search results (by default the 10 rarest, each with its count and percentage), so it is useful wherever an unusual value is more interesting than a common one. Below are searches that use rare, on its own or together with other search commands.

Find Rare Processes (Windows)

sourcetype=winregistry | rare process_image

purpose:

Find rarely seen Windows processes that write to the registry. A process image that shows up only a handful of times might indicate custom malware, but it might also be a legitimately uncommon admin tool. Note that rare ranks values by frequency within the search's time range only, so run it over a window long enough to establish a baseline, and review the key_path of each hit (for example Run keys) before treating it as suspicious.

requirements:

Windows registry monitoring data (the Splunk WinRegistry input, sourcetype=winregistry), which populates the process_image field for each registry event.

comments:
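To show exactly what the search above computes, here is an added example (not code from the original page or from Splunk) that models `rare process_image` in Python over a few constructed winregistry-style events. The event lines, the key=value field layout and the tie-breaking order for equal counts are assumptions made for the example.

```python
"""Offline model of `sourcetype=winregistry | rare process_image`.

Added example, not from the original page. It reimplements the behaviour of
Splunk's rare command (least common values first, with count and percent,
default limit 10) over constructed events so the output can be inspected.
"""
from collections import Counter
import re

# Matches key=value pairs; values are either double-quoted or a run of
# non-whitespace. The field names mirror Splunk's WinRegistry input
# (registry_type, key_path, process_image) but the values are made up.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample events (not real telemetry), one event per line.
SAMPLE_EVENTS = """\
registry_type=SetValue key_path=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run process_image=C:\\Windows\\explorer.exe
registry_type=SetValue key_path=HKCU\\Software\\Classes process_image=C:\\Windows\\explorer.exe
registry_type=CreateKey key_path=HKLM\\SYSTEM\\CurrentControlSet\\Services process_image=C:\\Windows\\System32\\svchost.exe
registry_type=SetValue key_path=HKLM\\SYSTEM\\CurrentControlSet\\Services process_image=C:\\Windows\\System32\\svchost.exe
registry_type=SetValue key_path=HKLM\\SYSTEM\\CurrentControlSet\\Services process_image=C:\\Windows\\System32\\svchost.exe
registry_type=SetValue key_path=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run process_image=C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe
registry_type=SetValue key_path=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run process_image=C:\\Windows\\System32\\svchost.exe
registry_type=SetValue key_path=HKCU\\Software\\Microsoft\\Office process_image="C:\\Program Files\\Microsoft Office\\WINWORD.EXE"
"""


def parse_event(line: str) -> dict:
    """Turn one key=value event line into a dict of field -> value."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in KV_RE.finditer(line)
    }


def rare(events, field, limit=10):
    """Least common values of `field`, as Splunk's rare reports them.

    Returns rows of value/count/percent, fewest occurrences first. Percent is
    relative to the events that carry the field. Equal counts are ordered by
    value so the result is deterministic (an assumption of this model; Splunk
    does not promise a particular tie order).
    """
    counts = Counter(e[field] for e in events if field in e)
    total = sum(counts.values())
    ordered = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    return [
        {"value": v, "count": c, "percent": round(100.0 * c / total, 2)}
        for v, c in ordered[:limit]
    ]


def rare_process_images(raw=SAMPLE_EVENTS, limit=10):
    """Equivalent of `sourcetype=winregistry | rare process_image`."""
    events = [parse_event(l) for l in raw.splitlines() if l.strip()]
    return rare(events, "process_image", limit)


if __name__ == "__main__":
    for row in rare_process_images():
        print(f'{row["count"]:>3} {row["percent"]:>6.2f}%  {row["value"]}')
```

On the constructed data the two single-occurrence images surface at the top: the Temp-directory updater.exe writing a Run key is the kind of hit worth chasing, while WINWORD.EXE is rare only because the sample is small, which is why the purpose note above stresses a long enough baseline window.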