
Example 1: Logon Anomaly

The illustrations below show a possible configuration of an anomaly filter for event id 4624, which Windows logs when a user successfully logs on to a system. In this example the key value is, by design, always the same: NT AUTHORITY\System. The values consist of the logon type (a number indicating the type of logon, e.g. console or RDP) and the user logging on. The left image shows the baseline of 5 logons with varying logon types and 2 logons that are considered anomalies. The right image shows the new baseline, which incorporates the previously unknown logons.

 

Since the specified key value is always the same (NT AUTHORITY\System), this example essentially looks at events in a single dimension only: the user names and their associated logon types. Example 2 analyzes data in two dimensions, since it connects processes with different user names.

 

filters_anomaly_logon_1

filters_anomaly_logon_2

 

clip0062

Anomaly Configuration

 

Example 2: Process Anomaly

This example attempts to detect processes which have not been executed before by a particular user. The configuration is similar to Example 1, except that it processes event id 4688 and will encounter dynamic values for the anomaly key.

 

The anomaly filter uses insertion strings 1 and 10 to create the key, which allows EventSentry to differentiate between processes that are launched as administrator and processes that are launched unprivileged. Insertion string 6 is simply the path to the process itself. Since processes are now associated with their respective keys (users), a previously unknown process (e.g. systeminfo.exe) will set the anomaly flag the first time it is launched under each different user.

 

filters_anomaly_processes

 

Note that the anomaly configuration is set to "Separate Learning Period for new keys". This ensures that when a new user starts their first process, that user automatically gets their own learning period. Without this setting, every process started by a user who first appears after the initial learning period has ended would be flagged as an anomaly, resulting in many false positives.
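To make the key/value baseline, the learning period and the "Separate Learning Period for new keys" behavior from Example 1 and Example 2 concrete, here is a small added model of that logic. It is not EventSentry code: the AnomalyTracker class, the fixed learning period in seconds, and the constructed 4624-style and 4688-style events are assumptions made for this illustration, and the real product's timing, storage and insertion-string handling are not reproduced.

```python
"""Added example (not EventSentry code): a minimal model of a key/value anomaly
baseline with a learning period and an optional per-key learning period."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AnomalyTracker:
    """Hypothetical model of the anomaly filter described on this page.

    baseline maps each key to the set of values already seen for it.
    The learning period is a plain number of seconds; the real product's
    timing semantics are not reproduced here (assumption).
    """
    learning_period: int
    separate_learning_per_key: bool = False
    baseline: Dict[str, Set[str]] = field(default_factory=dict)
    first_seen: Dict[str, int] = field(default_factory=dict)
    start: Optional[int] = None

    def observe(self, ts: int, key: str, value: str) -> bool:
        """Record (key, value) seen at time ts and return True if it is an anomaly.

        A value is anomalous when it is not yet in the key's baseline and the
        applicable learning period has ended: the global one, or the key's own
        one when separate_learning_per_key is set. Anomalous values are added
        to the baseline, so a repeat of the same pair is not flagged again.
        """
        if self.start is None:
            self.start = ts
        if key not in self.baseline:
            self.baseline[key] = set()
            self.first_seen[key] = ts
        learning_start = self.first_seen[key] if self.separate_learning_per_key else self.start
        still_learning = ts - learning_start < self.learning_period
        is_anomaly = not still_learning and value not in self.baseline[key]
        self.baseline[key].add(value)
        return is_anomaly


# Constructed 4624-style events: (timestamp, logon type, target user).
LOGON_EVENTS = [
    (0, 2, "DOMAIN\\alice"),
    (60, 3, "DOMAIN\\backupsvc"),
    (120, 5, "NT AUTHORITY\\SYSTEM"),
    (180, 3, "DOMAIN\\alice"),
    (240, 4, "DOMAIN\\batchsvc"),
    (5000, 10, "DOMAIN\\jdoe"),    # RDP logon by a user never seen before
    (5100, 2, "DOMAIN\\alice"),    # already in the baseline: not flagged
    (5200, 10, "DOMAIN\\alice"),   # known user, but a new logon type for her
]


def run_logon_example() -> List[str]:
    """Example 1: constant key, value = logon type plus user (one dimension)."""
    tracker = AnomalyTracker(learning_period=3600)
    flagged = []
    for ts, logon_type, user in LOGON_EVENTS:
        value = f"{logon_type}:{user}"
        if tracker.observe(ts, "NT AUTHORITY\\System", value):
            flagged.append(value)
    return flagged


# Constructed 4688-style events: (timestamp, launching user, process path).
PROCESS_EVENTS = [
    (0, "DOMAIN\\alice", "C:\\Windows\\System32\\cmd.exe"),
    (10, "DOMAIN\\alice", "C:\\Windows\\explorer.exe"),
    (5000, "DOMAIN\\alice", "C:\\Windows\\System32\\systeminfo.exe"),  # new for alice
    (6000, "DOMAIN\\bob", "C:\\Windows\\System32\\cmd.exe"),           # bob appears late
    (6010, "DOMAIN\\bob", "C:\\Windows\\System32\\systeminfo.exe"),
    (9700, "DOMAIN\\bob", "C:\\Windows\\System32\\whoami.exe"),        # after bob's own period
    (9800, "DOMAIN\\alice", "C:\\Windows\\System32\\systeminfo.exe"),  # now in baseline
]


def run_process_example(separate_learning_per_key: bool) -> List[Tuple[str, str]]:
    """Example 2: dynamic key = user, value = process path (two dimensions)."""
    tracker = AnomalyTracker(learning_period=3600,
                             separate_learning_per_key=separate_learning_per_key)
    flagged = []
    for ts, user, process in PROCESS_EVENTS:
        if tracker.observe(ts, user, process):
            flagged.append((user, process))
    return flagged


if __name__ == "__main__":
    print("logon anomalies:", run_logon_example())
    print("process anomalies, shared learning period:", run_process_example(False))
    print("process anomalies, separate learning period per key:", run_process_example(True))
```

Running the process example both ways shows the false-positive problem the note above describes: with a single shared learning period, every process bob runs after the period ends is flagged, including his very first ones, whereas with a separate learning period per key only whoami.exe, launched after bob's own period has elapsed, is reported. In both modes alice's systeminfo.exe is flagged once and not again, because the anomalous value is folded into the baseline.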

 

clip0218

Anomaly Configuration