Anomalous Process For a Linux Population

Last updated a year ago on 2024-06-18

Created 5 years ago on 2020-03-25

About

Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionRule Type: MLRule Type: Machine LearningTactic: Persistence

Severity

low

Risk Score

MITRE ATT&CK™

Persistence (TA0003)(opens in a new tab or window)

↳ Create or Modify System Process (T1543)(opens in a new tab or window)

False Positive Examples

A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Machine Learning

Integration Pack

Prebuilt Security Detection Rules

Related Integrations

auditd_manager(opens in a new tab or window)

endpoint(opens in a new tab or window)

Query

Install detection rules in Elastic Security

Detect Anomalous Process For a Linux Population in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).