Forum Discussion
Share Your Hunting Challenges!
Tracking the Adversary series was just awesome, thanks for sharing this level of knowledge for free!
I want to detect when a user starts to use a new application/process. The scenario is like below:
A user uses normal applications like Excel, Word, etc. daily. Then, the same user suddenly starts using a new application/tool on day X. He/she uses the application during that day several times, and stops using it. There are also other users using the same application/tool, but those users use it daily as it's their job. I have no information about any of the users or the application/tool itself. When I try to hunt for this scenario, I get a resource usage error or the query just gets stopped because of high CPU usage. Maybe you want to cover this "rare process seen on an endpoint" scenario.
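The detection logic the post describes, as an added example in Python that is not part of the original thread or of the Tracking the Adversary series: a single pass over process-creation events builds a per-user "first seen" table, and an alert fires only when a user starts a process for the first time after already having a baseline of history, while recording how many other users already ran that process so a tool that is routine for colleagues but new for this user still surfaces. The event tuples, account names and the process name `admintool.exe` are constructed sample data, not real telemetry.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample process-creation events: (day, account, process name).
# Not real telemetry; built here only to exercise the detection logic.
START = date(2024, 1, 1)


def build_sample_events():
    events = []
    for d in range(14):
        day = START + timedelta(days=d)
        # alice's routine office work
        events += [(day, "alice", "excel.exe"), (day, "alice", "winword.exe")]
        # bob and carol run the admin tool every day as part of their job
        events += [(day, "bob", "admintool.exe"), (day, "carol", "admintool.exe")]
        events += [(day, "bob", "outlook.exe")]
    # Day index 9: alice runs the admin tool three times, then never again.
    spike = START + timedelta(days=9)
    events += [(spike, "alice", "admintool.exe")] * 3
    return events


def new_process_for_user(events, min_history_days=7):
    """Return alerts for (user, process) pairs first seen on a day after the
    user already has at least `min_history_days` days of telemetry.

    Each alert carries how many *other* users ran the process before that
    day, so "new for this user, routine for others" is visible to the analyst
    rather than suppressed by a global rarity threshold."""
    first_seen = {}                        # (user, proc) -> earliest day
    user_days = defaultdict(set)           # user -> days with any telemetry
    proc_user_days = defaultdict(set)      # proc -> {(user, day)}
    counts = defaultdict(int)              # (user, proc, day) -> executions

    # One pass over the raw events; nothing is joined back against the full
    # history later, which keeps the cost linear in the number of events.
    for day, user, proc in events:
        user_days[user].add(day)
        counts[(user, proc, day)] += 1
        proc_user_days[proc].add((user, day))
        if (user, proc) not in first_seen or day < first_seen[(user, proc)]:
            first_seen[(user, proc)] = day

    alerts = []
    for (user, proc), day in sorted(first_seen.items(), key=lambda kv: kv[1]):
        history = {d for d in user_days[user] if d < day}
        if len(history) < min_history_days:
            continue  # not enough baseline for this user yet; avoid day-one noise
        other_users = {u for u, d in proc_user_days[proc] if u != user and d < day}
        alerts.append({
            "user": user,
            "process": proc,
            "first_seen": day.isoformat(),
            "executions_that_day": counts[(user, proc, day)],
            "other_users_with_history": len(other_users),
        })
    return alerts


if __name__ == "__main__":
    for alert in new_process_for_user(build_sample_events()):
        print(alert)
```

Running it on the constructed events yields exactly one alert: alice, `admintool.exe`, first seen 2024-01-10, three executions that day, two other users with prior history. The baseline is built once per run rather than recomputed per event, which is the same shape you want in a hunting query that keeps hitting resource limits: materialise the per-user first-seen table first, then compare the day under investigation against it instead of joining the whole event history to itself.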