Managed Sentinel – Alert 061
|Alert Name||Process execution frequency anomaly|
|Description||Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors. |
The query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.
Sudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.
Tune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for score.
|Threat Indicator||Unauthorized Access|
|MITRE ATT&CK Tactics||Execution|
|False Positives||Update management|
|Recommendations||1. Investigate the impacted Windows machine via Azure Sentinel console|
2. Understand if any suspicious network traffic was generated from the impacted machine during time when the process was running
3. Run an full EDR scan on the machine
4. Collect evidence in form of Windows audit, application and security logs