By default, Stellar agents monitor Powershell.exe, wscript.exe, cscript.exe, mshta.exe, and psexec.exe when Operations Behavior Anomaly Detection is in "Detect" or "Enforce" mode and Script Behavior is toggled on. In addition to these default monitored applications, you can manually add other commonly abused applications used in your operations and processes to the Policy-based Watchlist to strengthen security monitoring.

See the following instructions for how to add applications to the Policy-based Watchlist.

  1. Go to Agents > Policy, scroll down and find the Operations Behavior Anomaly Detection pane. Select Operations Behavior Anomaly Detection Learn, Detect, or Enforce.
  2. Toggle on the Script Behavior.
  3. Click Script Behavior to expand this section.
  4. Find and click the Policy-based Watchlist.
  5. Click +Add and then specify the application to be monitored.
  6. Click Add and the added application appears in the Monitored Application list.
  7. Click Close to close the window.
    Tip:

    To delete added applications one at a time, click the Delete icon in the Actions column. To delete multiple applications at once, select the checkboxes next to them and then click Delete > Confirm.