After reading through a few SANS resources, I came across some interesting material on detecting rare processes to help pinpoint malicious applications running on a host; from this, I decided to create an EPL (Event Processing Language) rule to baseline processes on Windows hosts and alert if any process deviates from the norm.
The rule profiles every Windows host in the estate and keeps a running count of each process seen on each host, bucketed by day of the week. Whenever a process's count on a host is at or below 20% of the average count across all processes seen on that host on that weekday, the process is declared rare and an alert is raised for analysts to investigate. Nothing about which processes are expected is hard-coded: the rule learns what is normal for each host within a specific environment and baselines accordingly. One consequence worth knowing before deploying it: the comparison is re-evaluated every time a row is inserted or updated, so a process running on a host for the first time is judged against that host's existing average for that weekday. On a busy host it alerts on its first run (as soon as the average reaches 5), whereas a brand-new host, or a weekday with no history yet, has no average to deviate from and stays quiet until a baseline has accumulated.
The following meta keys need to be indexed for the below rule to work:-
Other than that, deploy the rule and you're good to go!
The EPL Rule
// Named window holding one row per (weekday, host, process); rows expire 31 days after entering the window.
CREATE WINDOW winProcess.win:time(31 days) (theDay int, event_computer string, process string, counter int);

// Upsert: bump the counter for a known (weekday, host, process) row, otherwise insert a new row with counter 1.
@Name('Insert into Window')
on Event(process IS NOT NULL AND event_computer IS NOT NULL)
merge winProcess
WHERE Event.process = winProcess.process AND Event.event_computer = winProcess.event_computer AND current_timestamp.getDayOfWeek() = winProcess.theDay
when matched then update set counter = counter + 1
when not matched then INSERT
SELECT current_timestamp.getDayOfWeek() as theDay, event_computer, process, 1 as counter;

// Alert: any row whose count is at or below 20% of the average count for the same host and weekday.
SELECT * FROM winProcess as original
WHERE counter <= 0.2* (
SELECT avg(counter) FROM winProcess as recent
WHERE original.theDay = recent.theDay and original.event_computer = recent.event_computer);
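To see what the rule actually fires on before pointing it at production, the following Python model replays the merge-and-compare logic over a constructed event stream. This is an added example, not part of the original post and not the ESA rule itself; the meta key names (event_computer, process) and the 31-day window and 20% threshold follow the rule, while the hostname, process names and timestamps are made up. It also assumes that a row ages from the moment it was inserted (an update does not reset its age), which is how the model rolls the baseline over.

```python
"""Python model of the per-host, per-weekday process baseline built by the EPL rule above.

Added example (not the original post's code, not the ESA rule): it re-implements the
rule's merge/compare logic over constructed sample events so the alert condition can be
exercised offline. Hostname, process names and timestamps are made up.
"""
from datetime import datetime, timedelta
from statistics import mean

WINDOW = timedelta(days=31)   # mirrors win:time(31 days)
RARE_FRACTION = 0.2           # mirrors "counter <= 0.2 * avg(counter)"


class ProcessBaseline:
    """Rows keyed by (theDay, event_computer, process), each holding [counter, inserted_at]."""

    def __init__(self):
        self.rows = {}

    def _expire(self, now):
        # Assumption: a row ages from the time it was inserted; the merge update does not
        # reset its age, so a host's baseline for a weekday rolls over every 31 days.
        stale = [k for k, (_, inserted) in self.rows.items() if now - inserted >= WINDOW]
        for k in stale:
            del self.rows[k]

    def observe(self, now, host, process):
        """Apply one process event; return the row the rule would alert on, or None."""
        if not host or not process:   # process IS NOT NULL AND event_computer IS NOT NULL
            return None
        self._expire(now)
        # isoweekday() gives Monday=1..Sunday=7; Java's getDayOfWeek numbers the days
        # differently, but only the bucketing by weekday matters here.
        key = (now.isoweekday(), host, process)
        if key in self.rows:
            self.rows[key][0] += 1        # when matched then update set counter = counter + 1
        else:
            self.rows[key] = [1, now]     # when not matched then insert ... 1 as counter
        counter = self.rows[key][0]
        # Correlated subquery: average counter over every process seen on this host
        # on this weekday, the row being evaluated included.
        peers = [c for (d, h, _), (c, _) in self.rows.items() if d == key[0] and h == host]
        avg = mean(peers)
        if counter <= RARE_FRACTION * avg:
            return {"theDay": key[0], "event_computer": host, "process": process,
                    "counter": counter, "avg": avg}
        return None


def run_sample():
    """Replay a constructed event stream for one host and collect the alerts."""
    bl = ProcessBaseline()
    host = "WKS-01"                      # made-up hostname
    t = datetime(2024, 1, 8, 9, 0)       # a Monday
    alerts = []

    def feed(when, proc, h=host):
        hit = bl.observe(when, h, proc)
        if hit:
            alerts.append(hit)

    # Thirty ordinary process starts, interleaved so the three counters grow together:
    # the Monday baseline settles at 10 runs each and nothing alerts along the way.
    for i in range(30):
        feed(t + timedelta(minutes=i), ["svchost.exe", "explorer.exe", "chrome.exe"][i % 3])
    # A process seen once on a host whose Monday average is now 7.75: 1 <= 0.2 * 7.75, alert.
    feed(t + timedelta(hours=1), "unusual-tool.exe")
    # Its second run (counter 2, average 8.0) no longer satisfies the condition: no alert.
    feed(t + timedelta(hours=2), "unusual-tool.exe")
    # The same process on Tuesday lands in a fresh weekday bucket with no peers: no alert.
    feed(t + timedelta(days=1), "unusual-tool.exe")
    # An event with no hostname is filtered out and never enters the window.
    feed(t + timedelta(days=1, hours=1), "whoami.exe", h="")
    # Five weeks later every earlier row has aged out, so the baseline starts over quietly.
    feed(t + timedelta(days=35), "svchost.exe")
    return {"alerts": alerts, "rows_remaining": len(bl.rows)}


if __name__ == "__main__":
    for a in run_sample()["alerts"]:
        print(a)
```

Running it produces exactly one alert, for the single run of unusual-tool.exe on the Monday; the second run, the Tuesday run and the post-rollover event all stay silent. That is the behaviour to keep in mind when tuning the 20% figure: the rule flags low-frequency processes relative to a host's own weekday average, not first-seen processes as such, and it goes quiet on any host or weekday that has not yet built up history.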