Threat Hunting • Room 1
Long-Tail Analysis
In security, the highest-volume events are usually normal business operations. The "long tail" refers to the statistically rare, anomalous events at the low-frequency end of the distribution.
If 10,000 users run `winword.exe`, that's normal. If only 1 user ever runs `psexec.exe`, that's an outlier worth a very close look.
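The following Python is an added example, not part of the room's material or of Splunk. It mirrors `stats count by process_name` followed by an ascending sort over a constructed list of process-execution events, and goes one step beyond the text by also reporting the number of distinct users per process, which separates "one user ran it once" from "one user ran it a thousand times". The event list, user names and process names are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample events (hypothetical): each record is one process start.
# Three common business processes run by many users, plus two rare ones.
SAMPLE_EVENTS = (
    [{"user": f"user{i:04d}", "process_name": "winword.exe"} for i in range(200)]
    + [{"user": f"user{i:04d}", "process_name": "outlook.exe"} for i in range(180)]
    + [{"user": f"user{i:04d}", "process_name": "chrome.exe"} for i in range(150)]
    + [{"user": "user0007", "process_name": "psexec.exe"}]          # seen once, one user
    + [{"user": "user0042", "process_name": "certutil.exe"}] * 2    # seen twice, one user
)


def long_tail(events, key="process_name"):
    """Count events by `key` and return rows sorted least-frequent first.

    Each row is (value, event_count, distinct_user_count), which is the
    ascending-sort view of `stats count by process_name` with an extra
    distinct-user column.
    """
    counts = Counter(e[key] for e in events)
    users = defaultdict(set)
    for e in events:
        users[e[key]].add(e["user"])
    rows = [(name, c, len(users[name])) for name, c in counts.items()]
    # Sort by count ascending; tie-break on name so output is deterministic.
    return sorted(rows, key=lambda row: (row[1], row[0]))


def rare_processes(events, max_count=3):
    """Return only the tail: processes seen at most `max_count` times."""
    return [row for row in long_tail(events) if row[1] <= max_count]


if __name__ == "__main__":
    print(f"{'process_name':<16}{'count':>8}{'users':>8}")
    for name, count, n_users in long_tail(SAMPLE_EVENTS):
        print(f"{name:<16}{count:>8}{n_users:>8}")
    print("\nTail (count <= 3):", rare_processes(SAMPLE_EVENTS))
```

Running the block prints the full table with `psexec.exe` at the top and `winword.exe` at the bottom; in a real hunt the `rare_processes` filter is the list you triage by hand, so keep the threshold low enough that the list stays reviewable.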
Knowledge Check
Prove your understanding to clear the room (Rewards XP)
Write an SPL query using `stats count by process_name` and sort it to show the *least* frequently executed processes at the very top.