Just wondering if anyone has seen this. We are now including Windows Security event information in sentinel via the security events connector. I was surprised to see that the clipboard history service came up as an alert under "SVCHOST was observed running a rare service group." I did check the file and the process and they are all legit (from my POV). Why would a via well known, well used MS dll trip this alert?