ANALYSIS: Process Inventory
Kibana Dashboard: [INVENTORY] Processes

What is this baseline?β
The associated Kibana dashboard represents the baseline inventory of process executables observed within the DAL.
- A process entry consists of:
process.executable(primary identity)- One or more associated
host.hostnamevalues - One or more associated
user.namevalues - A derived
file.name(when extractable)
- Each row answers:
"Was this process observed present in the baseline inventory?"
- This is not an EDR timeline or process tree view:
- No parent/child relationships
- No execution frequency or duration
- No command-line history
- A single corroborated execution is sufficient to add a process to the baseline.
- Entries are deduplicated by process name
- Executables are normalized as full paths when available
- Processes are added when observed on a host correlated to the DAL
@timestampreflects when the process executable was last observed and written into the baseline
Data Prerequisitesβ
If any of these are missing or incorrect, the baseline is unreliable.
1. DAL / HOME_NET must be correctβ
- Derived from Zeek and/or Suricata
HOME_NET - Used to determine which hosts to use process data from
- Incorrect DAL β missing hosts and incomplete process coverage
2. Required telemetry sources (at least one)β
- Sysmon (process creation)
- Winlogbeat Security (Event ID
4688) - Auditbeat (
process) - Endgame (process telemetry)
- Metasponse
Survey Collector262 - [π₯Volatile Info] Processes
NOTE: Process visibility is host-telemetry driven.
Missing or uneven endpoint coverage will result in significant gaps.
Basic Analysis Workflowβ
1. Baseline sanity checkβ
Validate expected process population:
- Common OS and framework binaries dominate
- Known line-of-business applications appear
- Process count aligns with host count and role
Large process counts are normal; focus on what's unexpected, not volume.
2. Long-tail analysis (primary value)β
Focus on rare or low-context executables
- Executables seen on a single host
- Executables run by unexpected users
- Non-standard install paths
- User-writable directories (
AppData,Temp,Downloads)
Key questions
- Legitimate application or admin tool?
- Installer or update artifact?
- Living-off-the-land binary misuse?
- Custom or unauthorized executable?
Validate against:
- Known software inventory
- Expected admin tooling
- Vendor documentation
- Host owner or administrator confirmation
3. Host and user correlation reviewβ
Processes spanning many hosts
- Usually OS components or enterprise software
- Unexpected spread may indicate lateral tooling
Processes tied to single users
- Normal for user-space apps
- Suspicious if the user context is privileged
SYSTEM / service context
- Expected for core services
- Investigate if paired with non-standard paths
Correlation anomalies increase priority; they are not proof by themselves.
4. Export for reporting and diffingβ
Reporting and documentation requirements are determined by the Mission Element Lead/Crew Lead
Common exports
- Full Inventory table (CSV)
- Executables by host
- Executables by user
NOTE: These exports represent the declared process baseline for the mission period.
5. Enable baseline deviation detection ruleβ
Enabling too early guarantees noise - it will alert on ALL new inventory additions after enablement.
Detection rules can be managed in Kibana under Security β Rules
Rule: [262][Inventory] New process executable added to baselineβ
- Detection logic:
Alert when a new process executable is added to the baseline inventory
- Only enable after:
- Baseline window is complete
- Expected software is fully observed
- Long-tail process review is finished
- Ongoing alert tuning:
- Whitelist known installers and update artifacts
- Suppress expected admin tooling
- Validate whether the executable represents new capability or expected change
This rule is intended to catch:
- Malware binaries
- Unauthorized tools
- Persistence mechanisms introducing new executables