Unusual Spike in Bytes Written to External Device Detected by Machine Learning
2 rules, 1 TTP. A machine learning job has detected a spike in bytes written to an external device, which is anomalous and can signal illicit data copying or transfer activities, potentially leading to data exfiltration.
Potential Data Exfiltration to Unusual Geographic Region via Machine Learning
2 rules, 1 TTP. A machine learning job has detected potential data exfiltration activity to an unusual geographical region, identified by region name, indicating exfiltration over command and control channels.
Unusual Remote File Size Indicating Lateral Movement
2 rules, 3 TTPs. A machine learning job has detected an unusually large file shared by a remote host, indicating potential lateral movement, as attackers bundle data into a single large file transfer to evade detection when exfiltrating valuable information.
Unusually High Mean of RDP Session Duration Detected by Machine Learning
3 rules, 2 TTPs. A machine learning job detected an unusually high mean RDP session duration, indicative of potential lateral movement or persistent access attempts by adversaries abusing RDP.
Unusual Process Spawned by a Parent Process via Machine Learning
2 rules, 2 TTPs. A machine learning job detected a suspicious Windows process, predicted malicious by the ProblemChild model and flagged as an unusual child process name for its parent, potentially indicating LOLBin usage that evades traditional detection.
Unusual Remote File Directory Lateral Movement Detection
2 rules, 2 TTPs. An Elastic machine learning job detects anomalous remote file transfers to unusual directories, indicating potential lateral movement by attackers attempting to bypass standard security monitoring.
ProblemChild ML Detection of Suspicious Windows Processes
2 rules, 2 TTPs. The ProblemChild machine learning model has detected a user with suspicious Windows processes exhibiting unusually high malicious probability scores, potentially indicating defense evasion via masquerading or LOLBins.
Potential DGA Activity Detected by Machine Learning
2 rules, 2 TTPs. A machine learning job detected potential DGA (domain generation algorithm) activity indicative of malware command and control (C2) channels, identifying source IP addresses making DNS requests with a high probability of being DGA-generated, a technique adversaries use to evade detection.
Unusual Source IP for Okta Privileged Operations Detected
2 rules, 3 TTPs. A machine learning job has identified a user performing privileged operations in Okta from an uncommon source IP, indicating potential privileged access activity consistent with account compromise or privilege escalation.
High Command Line Entropy Detected for Privileged Commands on Linux
2 rules, 2 TTPs. A machine learning job has identified an unusually high median command line entropy for privileged commands executed by a user on Linux systems, suggesting privileged access activity through the command line and potential obfuscation or unauthorized use of privileged access.
Unusual Remote File Extension Detected via Machine Learning
2 rules, 2 TTPs. An Elastic machine learning rule detects unusual remote file transfers with rare extensions, potentially indicating lateral movement activity on a host and suggesting adversaries bypassing security measures.
Machine Learning Detects High Bytes Written to External Device
2 rules, 1 TTP. A machine learning job has detected a high volume of bytes written to an external device, potentially indicating illicit data copying or transfer activities leading to data exfiltration over a physical medium such as USB.
Okta Group Privilege Change Spike via ML Detection
2 rules, 4 TTPs. A machine learning job has identified an unusual spike in Okta group privilege change events, indicating potential privileged access activity where attackers might be elevating privileges by adding themselves or compromised accounts to high-privilege groups, enabling further access or persistence.
Unusual Process Spawned by a User Detected by Machine Learning
2 rules, 2 TTPs. A machine learning job detected a suspicious Windows process, predicted to be malicious by the ProblemChild supervised ML model and found to be unusual within the user's context, potentially indicating defense evasion techniques such as masquerading or the use of LOLBins.
ProblemChild ML Model Detects Unusual Process on Windows Host
2 rules, 1 TTP. The ProblemChild machine learning model detected a rare Windows process indicative of defense evasion, potentially involving LOLBins, on a host not commonly associated with malicious activity.
Unusual Source IP for Windows Privileged Operations Detected via ML
2 rules, 2 TTPs. A machine learning job detected a user performing privileged operations in Windows from an uncommon source IP, potentially indicating account compromise or privilege escalation.
Unusual Process Writing Data to an External Device via Machine Learning
2 rules, 1 TTP. A machine learning job detects a rare process writing data to an external device, potentially indicating data exfiltration masked by benign-looking processes.
Spike in Remote File Transfers via Lateral Movement
2 rules, 2 TTPs. A machine learning job detects an abnormal volume of remote file transfers, potentially indicating lateral movement by attackers attempting to blend in with normal network egress activity.
Okta Privileged Operations from Unusual Host Name Detected
2 rules, 2 TTPs. A machine learning job detected a user performing privileged operations in Okta from an uncommon device, potentially indicating a compromised account or an insider threat attempting privilege escalation.