ProcessEntropy Calculation: Understanding PCoHValue in Microsoft Security Operations Analyst Exam


Question

In the query "extend ProcessEntropy = -log2(PCoHValue/TPCoHValue)*(PCoHValue/TPCoHValue)" PCoHValue means the ProcessCountOnHost value.

Answers

Explanations


A. True
B. False

Correct Answer: A

This entropy calculation is used to help identify hosts that run a high variety of processes (a high-entropy process list on a given host over time).

This helps us identify rare processes on a given Host.

Rare here means a process shows up on the host relatively few times in the last 7 days.

Reference:

The given query is using the "extend" operator in Kusto Query Language (KQL) to create a new column called "ProcessEntropy" and set its value using a mathematical formula.

The formula involves two variables, PCoHValue and TPCoHValue. PCoHValue stands for the ProcessCountOnHost value (how many times one process was seen on a host) and TPCoHValue for the TotalProcessCountOnHost value (how many process events the host produced in total).

The formula calculates the entropy contribution of a process on a particular host: it divides the ProcessCountOnHost value by the TotalProcessCountOnHost value to get that process's share of the host's process events, takes the negative base-2 logarithm of that share, and then multiplies the result by the same share. In other words, each process contributes a -p*log2(p) term, where p = PCoHValue/TPCoHValue.

Therefore, the statement "PCoHValue means the ProcessCountOnHost value" is correct, and the answer is A (True).
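The following Python script is an added worked example, not part of the exam page or of any Microsoft Sentinel query; it reproduces the PCoHValue / TPCoHValue bookkeeping and the -log2(p)*p term from the KQL "extend" line over a small, constructed set of process-start events. The host names, process names, counts and the 5% rarity cutoff are all assumptions made for the illustration.

```python
import math
from collections import Counter

# Constructed sample of process-start events in a 7-day window: (host, process).
# Counts are deliberately skewed so that one process on "srv01" is rare.
SAMPLE_EVENTS = (
    [("srv01", "svchost.exe")] * 40
    + [("srv01", "explorer.exe")] * 30
    + [("srv01", "powershell.exe")] * 29
    + [("srv01", "certutil.exe")] * 1
    + [("ws02", "svchost.exe")] * 20
    + [("ws02", "chrome.exe")] * 20
)


def process_counts_on_host(events):
    """Return (PCoHValue per (host, process), TPCoHValue per host)."""
    pcoh = Counter(events)                       # ProcessCountOnHost
    tpcoh = Counter(host for host, _ in events)  # TotalProcessCountOnHost
    return pcoh, tpcoh


def process_entropy(pcoh_value, tpcoh_value):
    """The KQL term: -log2(PCoHValue/TPCoHValue) * (PCoHValue/TPCoHValue)."""
    p = pcoh_value / tpcoh_value
    return -math.log2(p) * p


def entropy_table(events):
    """One row per (host, process), mirroring the columns the extend operator adds."""
    pcoh, tpcoh = process_counts_on_host(events)
    rows = []
    for (host, proc), count in sorted(pcoh.items()):
        total = tpcoh[host]
        rows.append({
            "Computer": host,
            "Process": proc,
            "PCoHValue": count,
            "TPCoHValue": total,
            "ProcessEntropy": process_entropy(count, total),
        })
    return rows


def host_entropy(events):
    """Sum of the per-process terms: the Shannon entropy (bits) of each host's process mix."""
    totals = {}
    for row in entropy_table(events):
        totals[row["Computer"]] = totals.get(row["Computer"], 0.0) + row["ProcessEntropy"]
    return totals


def rare_processes(events, max_ratio=0.05):
    """Processes whose share of a host's events is at or below max_ratio (assumed cutoff).

    The -p*log2(p) term alone is small both for rare processes (p near 0) and for a
    dominant process (p near 1), so rarity is judged on the ratio, not on the term.
    """
    return [
        (row["Computer"], row["Process"], row["PCoHValue"])
        for row in entropy_table(events)
        if row["PCoHValue"] / row["TPCoHValue"] <= max_ratio
    ]


if __name__ == "__main__":
    for row in entropy_table(SAMPLE_EVENTS):
        print(f'{row["Computer"]:6} {row["Process"]:16} '
              f'{row["PCoHValue"]:3}/{row["TPCoHValue"]:3}  {row["ProcessEntropy"]:.4f}')
    print("host entropy (bits):", host_entropy(SAMPLE_EVENTS))
    print("rare:", rare_processes(SAMPLE_EVENTS))   # → [('srv01', 'certutil.exe', 1)]
```

Running it shows certutil.exe on srv01 with PCoHValue 1 of TPCoHValue 100 and a ProcessEntropy term of about 0.066, while ws02's two evenly split processes each score 0.5 and sum to exactly 1 bit. Note that a process with 99 of 100 events would score about 0.014, even lower than the rare one, which is why the rarity filter here is applied to the PCoHValue/TPCoHValue ratio rather than to the entropy term by itself.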