Users can manually add commonly abused applications that are used in operations and processes to the Watchlist to strengthen security monitoring. By default, StellarProtect monitors Powershell.exe, wscript.exe, cscript.exe, mshta.exe, and psexec.exe when Operations Behavior Anomaly Detection is enabled.

  1. Go to Agents > Policy Inheritance, scroll down to Operations Behavior Anomaly Detection, and enable it by selecting Learn, Detect, or Enforce.
    Note:

    The default setting for Operations Behavior Anomaly Detection is Disable. If Operations Behavior Anomaly Detection is not enabled, process monitoring is not activated.

  2. To monitor applications in addition to the default applications monitored by StellarProtect, click the Watchlist link.
  3. The Watchlist window appears. Click +Add and then specify the application to be monitored.
  4. Click Add and the added application appears in the Monitored Application list.
  5. Click Close to close the window.
    Note:

    Users can delete added applications by clicking the trash-can icon under Actions.

  6. Check the Agent event logs to see whether any anomalous operation or process was detected. Refer to Agent Events for more details.