Managed Sentinel – Alert 061

Alert ID: MS-A061
Alert Name: Process execution frequency anomaly
Description: Identifies an anomalous spike in the execution frequency of sensitive processes that are often leveraged as attack vectors.
The query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.
Sudden increases in the execution frequency of sensitive processes should be further investigated for malicious activity.
Tune the threshold in series_decompose_anomalies between 1.5 and 3 to surface more or fewer outliers, or filter on custom threshold values for the returned score.
Severity Level: Medium
Threat Indicator: Unauthorized Access
MITRE ATT&CK Tactics: Execution
Log sources: Windows
False Positives: Update management
Recommendations:
1. Investigate the impacted Windows machine via the Azure Sentinel console
2. Determine whether any suspicious network traffic was generated from the impacted machine during the time when the process was running
3. Run a full EDR scan on the machine
4. Collect evidence in the form of Windows audit, application and security logs
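The following KQL is an added illustration of the detection pattern described above, not the Managed Sentinel rule itself. It assumes Windows process-creation events (EventID 4688) in the SecurityEvent table; the list of sensitive processes, the 14-day lookback, the 1-hour bin and the minimum-count filter are assumptions for the example.

```kql
// Added example of a process execution frequency anomaly query (not the MS-A061 rule).
// Assumes SecurityEvent holds Windows Security log events, EventID 4688 = process creation.
let lookback = 14d;                 // assumed baseline window
let bin_size = 1h;                  // assumed time bin for the series
let min_events = 5;                 // assumed floor: ignore spikes on tiny counts
let score_threshold = 1.5;          // tune between 1.5 and 3; higher = fewer outliers
// Assumed list of "sensitive" processes; the alert text does not name them.
let SensitiveProcesses = dynamic(["powershell.exe", "cmd.exe", "wmic.exe", "rundll32.exe", "regsvr32.exe"]);
let ProcessSeries =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4688
    | extend ProcessName = tolower(Process)          // Process = file name of the new process
    | where ProcessName in (SensitiveProcesses)
    // One evenly spaced count series per host and process; empty bins become 0.
    | make-series Total = count() default = 0
        on TimeGenerated from ago(lookback) to now() step bin_size
        by Computer, ProcessName;
ProcessSeries
// anomalies: -1/0/+1 per bin, score: strength of the deviation, baseline: expected count.
// Seasonality -1 = auto-detect, 'linefit' = linear trend component.
| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, score_threshold, -1, 'linefit')
| mv-expand TimeGenerated to typeof(datetime), Total to typeof(long),
            anomalies to typeof(int), score to typeof(double), baseline to typeof(long)
| where anomalies > 0 and Total >= min_events       // positive spikes only, above the floor
| project TimeGenerated, Computer, ProcessName, Total, baseline, score
| order by score desc
```

Raising score_threshold toward 3 suppresses weaker deviations; the score column is kept so a custom cut-off can be applied after the fact when triaging update-management noise.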