Operations Behavior Anomaly Detection Section

Views:

The following table lists the parameters to configure StellarProtect or StellarProtect (Legacy Mode) Operations Behavior Anomaly Detection exclusions.

Operations Behavior Anomaly Detection Section Parameters

Parameter

Settings

Value

Description

Obad: Container for the Operations Behavior Anomaly Detection exceptions list

ScriptOperation: Container for the Policy-based Watchlist settings in Operations Behavior Anomaly Detection

AnomalyDetection

Id

<Integer>

Used to specify the list of monitored process or script.

Note

Please do not repeat the same number.

MonitoredProcess

<process_path>

Used to specify commonly-abused applications.

Note

By default, the agent monitors the specific high-risk applications such as Powershell.exe, wscript.exe, cscript.exe, mshta.exe, and psexec.exe.

Account: Container for the Poilicy-based Approved Login Accounts in Operations Behavior Anomaly Detection

AccountConfigByPassed

Domain

<domain>

Use to specify the domain from where the user logs in

User

<user name>

Use to specify the user name of the logged-in user

IpAddress

<ip address>

Use to specify the IP address from where the user logs in

LogonType

<logon type>

Use to specify the logon type

CreatedTime

<timestamp>

The timestamp when the exclusion setting is configured

SystemOperation: Container for the Policy-based Approved Applications in Operations Behavior Anomaly Detection

SystemOperationConfigByPassed

Path

<file_path>

Use a file or folder path to specify the application that will be excluded from monitoring

<folder_path>

PathType

PATH_TYPE_FOLDER

Use the folder path to specify the files within the folder that will be excluded from monitoring

PATH_TYPE_FILE

Use the file path to specify the file that will be excluded from monitoring

CreatedTime

<timestamp>

The timestamp when the exclusion setting is configured