
You can manually add commonly abused applications used in operations and processes to the Watchlist to strengthen security monitoring. By default, StellarProtect monitors Powershell.exe, wscript.exe, cscript.exe, mshta.exe, and psexec.exe when Operations Behavior Anomaly Detection is enabled.

  1. Go to Agents > Policy Inheritance, scroll down and find the Operations Behavior Anomaly Detection pane. Enable Operations Behavior Anomaly Detection by selecting Learn, Detect, or Enforce.
    Note:

    The default setting for Operations Behavior Anomaly Detection is Disable. If you don't enable Operations Behavior Anomaly Detection, process monitoring is not activated.

  2. To monitor other applications in addition to the default applications monitored by StellarProtect, click the Watchlist link.
  3. The Watchlist window appears. Click +Add and then specify the application to be monitored.
  4. Click Add and the added application appears in the Monitored Application list.
  5. Click Close to close the window.
    Note:

    To delete added applications one at a time, click the Delete icon in the Actions column; to delete multiple applications, select the checkboxes next to them and then click Delete > Confirm.

  6. Check the Agent event logs to see whether any anomalous operation or process has been detected. See Agent Events for more details.