Sep 23 2019 10:21 PM
Hi All,
Just wondering if anyone has seen this. We are now including Windows Security event information in Sentinel via the security events connector. I was surprised to see that the clipboard history service came up as an alert under "SVCHOST was observed running a rare service group." I did check the file and the process and they are all legit (from my POV). Why would a well-known, well-used MS DLL trip this alert?
Any thoughts?
Sep 26 2019 02:44 AM
Hello @jlouden, is this your own alert, or one of the built-in ones - if so, which one?
Oct 01 2019 05:12 PM
Hi @CliveWatson
This is an inbuilt, out-of-the-box alert. The query string is