Find Rare Processes (Windows)

sourcetype=winregistry | rare process_image

purpose:

Find rarely seen Windows processes, i.e. the least common process_image values writing to the registry. A process that shows up only a handful of times across the environment might indicate custom malware, but it can just as well be a seldom-run admin tool, so review the rarest entries rather than alerting on them outright.

requirements:

WinRegistry data (Splunk's Windows registry monitoring input) with the process_image field extracted

comments:
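The aggregation behind `| rare process_image`, emulated in Python over a few constructed events so it can be run offline. This is an added example, not part of the original page and not Splunk's own code; the event lines, paths and counts are made up, and the tiny key=value extractor only stands in for Splunk's field extraction.

```python
import re
from collections import Counter

# Minimal key=value field extractor (quoted or bare values). It stands in for
# Splunk's automatic field extraction in this stand-alone example.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    return {k: q or u for k, q, u in FIELD_RE.findall(line)}


# Constructed sample events in the shape of Splunk WinRegistry records.
# Paths and repetition counts are made up for illustration; only the
# process_image field is used by the search.
SAMPLE_EVENTS = (
    [r'registry_type=SetValue key_path="HKLM\Software\Microsoft\Windows\CurrentVersion\Run" process_image="C:\Windows\explorer.exe"'] * 5
    + [r'registry_type=SetValue key_path="HKLM\System\CurrentControlSet\Services\Foo" process_image="C:\Windows\System32\svchost.exe"'] * 4
    + [r'registry_type=CreateKey key_path="HKLM\Software\Classes\Installer" process_image="C:\Windows\System32\msiexec.exe"'] * 2
    + [r'registry_type=SetValue key_path="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" process_image="C:\Users\Public\update.exe"']
)


def rare(events, field="process_image", limit=10):
    """Emulate `| rare <field>`: least common values first, each with its
    count and its percentage of the events that carry the field
    (Splunk's default limit for rare is 10)."""
    values = [e[field] for e in events if field in e]
    total = len(values)
    counts = Counter(values)
    # Sort by count ascending, then by value so the output is deterministic.
    ordered = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    return [
        {field: v, "count": c, "percent": round(100.0 * c / total, 2)}
        for v, c in ordered[:limit]
    ]


def rare_processes_in_sample():
    return rare(parse_event(line) for line in SAMPLE_EVENTS)


if __name__ == "__main__":
    for row in rare_processes_in_sample():
        print(f'{row["process_image"]:45} count={row["count"]} percent={row["percent"]}')
```

The rarest entry here is the single registry write by `C:\Users\Public\update.exe` into a Run key, which is exactly the kind of row worth a look; the percent column is what makes a count of 1 meaningful only once the time range covers enough events for the common processes to dominate.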

Detect Account Sharing

…. | stats dc(src_ip) as ip_count by user

purpose:

Detect users who log in from multiple source IPs, i.e. user account sharing (or a credential being used from somewhere its owner is not)

requirements:

Login logs with username and source IP field extractions (user and src_ip in the search above)

comments:

  • … - first search for your login events (e.g. with logon/login keywords) and check that the right logs are there and that the user and src_ip field extractions actually work
  • Then do a stats to show the distinct count of source IPs used per user: | stats dc(src_ip) as ip_count by user
  • Sort by ip_count descending and expect noise from DHCP, VPN pools and mobile users; count successful logins only, so failed guesses from an attacker's IP do not inflate a victim's ip_count, and pick a threshold and time range that fit your environment
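The `stats dc(src_ip) by user` step, emulated in Python over constructed login lines so the logic can be checked offline. This is an added example, not part of the original page and not Splunk's own code. It goes slightly beyond the one-liner above: it also keeps the list of IPs per user (like `values(src_ip)`), counts successful logins only by default, and applies a threshold (like `| where ip_count >= 2`). The event lines and the field names user, src_ip and action are assumptions; substitute whatever your login logs extract.

```python
import re
from collections import defaultdict

# Minimal key=value field extractor standing in for Splunk field extraction.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    return {k: q or u for k, q, u in FIELD_RE.findall(line)}


# Constructed login events (made up for this example). The field names
# user, src_ip and action are assumptions about how your logs are extracted.
LOGIN_EVENTS = [
    "time=2024-05-01T08:01:00Z action=success user=alice src_ip=10.0.0.5",
    "time=2024-05-01T09:14:00Z action=success user=alice src_ip=10.0.0.5",
    "time=2024-05-01T08:05:00Z action=success user=bob src_ip=10.0.0.8",
    "time=2024-05-01T08:40:00Z action=success user=bob src_ip=10.0.0.9",
    "time=2024-05-01T12:02:00Z action=success user=bob src_ip=203.0.113.7",
    "time=2024-05-01T03:30:00Z action=failure user=carol src_ip=198.51.100.4",
    "time=2024-05-01T08:10:00Z action=success user=carol src_ip=10.0.0.20",
]


def dc_src_ip_by_user(events, successful_only=True):
    """Emulate `| stats dc(src_ip) as ip_count values(src_ip) by user`.
    By default only successful logins count, so that failed guesses from an
    attacker's IP do not inflate a victim's ip_count."""
    ips = defaultdict(set)
    for e in events:
        if "user" not in e or "src_ip" not in e:
            continue  # no extraction, nothing to count (Splunk drops these too)
        if successful_only and e.get("action") != "success":
            continue
        ips[e["user"]].add(e["src_ip"])
    return {u: {"ip_count": len(s), "src_ips": sorted(s)} for u, s in ips.items()}


def shared_accounts(events, threshold=2):
    """Users whose ip_count reaches the threshold, like `| where ip_count >= 2`."""
    stats = dc_src_ip_by_user(events)
    return sorted(u for u, row in stats.items() if row["ip_count"] >= threshold)


def sample_events():
    return [parse_event(line) for line in LOGIN_EVENTS]


if __name__ == "__main__":
    for user, row in sorted(dc_src_ip_by_user(sample_events()).items()):
        print(user, row["ip_count"], ",".join(row["src_ips"]))
    print("flagged:", shared_accounts(sample_events()))
```

With these constructed lines only bob is flagged: three distinct source IPs on successful logins, one of them outside the internal range. carol's failed login from a fifth address is ignored by default; pass `successful_only=False` to see how counting every attempt would push her ip_count to 2 and make her a false positive.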