Process Access Use Cases

Grouped by Detection Method

Observe general process access behavior (which processes open handles to which other processes, and with what access rights) with the goal of understanding what is normal and detecting anomalies. Use of multiple visualizations, tables, and aggregation methods is recommended. Any confirmed malicious behavior found through this use case should be used as the foundation for a new alert.

Aggregate Count

Blacklist Alert

  • Process accesses %WINDIR%\System32\lsass.exe (Sysmon Event ID 10 with TargetImage set to lsass.exe; legitimate system processes open handles to lsass.exe constantly, so inspect the GrantedAccess mask and SourceImage rather than alerting on every access)

Whitelist Alert

Levenshtein Score Alert

Rolling Whitelist Alert

  • Newly observed Source Process and Destination Process pair (SourceImage and TargetImage in Sysmon Event ID 10)

Shannon Entropy Score Alert

Threshold Alert

Log Source Examples

  • Sysmon Event ID 10 (ProcessAccess: SourceImage, TargetImage, GrantedAccess, CallTrace)
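The following is an added example, not code from the original page or its project, showing the Blacklist Alert and Rolling Whitelist Alert methods above applied to Sysmon Event ID 10 records. The field names (SourceImage, TargetImage, GrantedAccess) are Sysmon's own; the event lines, paths, access masks, the `Name: value|Name: value` record layout and all function names are constructed for illustration and are not real telemetry.

```python
import ntpath
from typing import Dict, Iterable, List, Tuple

# Constructed sample events modelled on Sysmon Event ID 10 (ProcessAccess).
# Paths and GrantedAccess masks are illustrative, not captured telemetry.
SAMPLE_EVENTS = [
    "SourceImage: C:\\Windows\\System32\\svchost.exe|TargetImage: C:\\Windows\\System32\\lsass.exe|GrantedAccess: 0x1000",
    "SourceImage: C:\\Windows\\System32\\wininit.exe|TargetImage: C:\\Windows\\System32\\lsass.exe|GrantedAccess: 0x1000",
    "SourceImage: C:\\Users\\alice\\Downloads\\update.exe|TargetImage: C:\\Windows\\System32\\lsass.exe|GrantedAccess: 0x1410",
    "SourceImage: C:\\Program Files\\AV\\scanner.exe|TargetImage: C:\\Windows\\explorer.exe|GrantedAccess: 0x1400",
    "SourceImage: C:\\Windows\\System32\\svchost.exe|TargetImage: C:\\Windows\\System32\\lsass.exe|GrantedAccess: 0x1000",
]

# Windows process access right required to read another process's memory.
PROCESS_VM_READ = 0x0010

# Blacklist Alert target list (assumed: only lsass.exe, as on the page).
BLACKLIST = ("lsass.exe",)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'Name: value|Name: value' record (constructed layout) into a dict.
    partition() splits on the first colon only, so 'C:\\...' paths stay intact."""
    fields = {}
    for part in line.split("|"):
        name, _, value = part.partition(":")
        fields[name.strip()] = value.strip()
    return fields


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def blacklist_alert(ev: Dict[str, str], blacklist: Tuple[str, ...] = BLACKLIST) -> bool:
    """Blacklist Alert: fire when TargetImage is one of the listed binaries."""
    return image_name(ev["TargetImage"]) in blacklist


def reads_memory(ev: Dict[str, str]) -> bool:
    """Refinement of the blacklist: a handle without PROCESS_VM_READ cannot read
    LSASS memory, so the routine 0x1000 opens from system services drop out."""
    return int(ev["GrantedAccess"], 16) & PROCESS_VM_READ != 0


class RollingWhitelist:
    """Rolling Whitelist Alert: fire once for a never-before-seen
    (SourceImage, TargetImage) pair, then add the pair to the whitelist."""

    def __init__(self) -> None:
        self.seen = set()

    def check(self, ev: Dict[str, str]) -> bool:
        pair = (image_name(ev["SourceImage"]), image_name(ev["TargetImage"]))
        if pair in self.seen:
            return False
        self.seen.add(pair)
        return True


def run(lines: Iterable[str], baseline_count: int) -> Tuple[List[str], List[str], List[str]]:
    """Learn the whitelist from the first baseline_count events, then evaluate the rest.
    Returns (blacklist_hits, vm_read_hits, rolling_hits) as lists of SourceImage paths."""
    events = [parse_event(line) for line in lines]
    whitelist = RollingWhitelist()
    for ev in events[:baseline_count]:
        whitelist.check(ev)  # learning phase: alerts are discarded
    blacklist_hits, vm_read_hits, rolling_hits = [], [], []
    for ev in events[baseline_count:]:
        if blacklist_alert(ev):
            blacklist_hits.append(ev["SourceImage"])
            if reads_memory(ev):
                vm_read_hits.append(ev["SourceImage"])
        if whitelist.check(ev):
            rolling_hits.append(ev["SourceImage"])
    return blacklist_hits, vm_read_hits, rolling_hits


if __name__ == "__main__":
    blacklist_hits, vm_read_hits, rolling_hits = run(SAMPLE_EVENTS, baseline_count=2)
    print("blacklist (any lsass.exe access):", blacklist_hits)
    print("blacklist + PROCESS_VM_READ:", vm_read_hits)
    print("newly observed source/target pairs:", rolling_hits)
```

On the constructed sample the plain blacklist fires twice (the unknown `update.exe` and the routine `svchost.exe` open), the PROCESS_VM_READ refinement keeps only `update.exe`, and the rolling whitelist fires for the two pairs not seen during the baseline. In production the baseline should be built over a long enough window to capture normal service behavior, and the whitelist should be keyed on full paths or signer, not file names alone, since an attacker can name a binary `svchost.exe`.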

Possible False Positives