Which term detects anomalous application use on endpoints?

Prepare for the WatchGuard Endpoint Security Essentials Test. Study with multiple choice questions, hints, and explanations. Boost your exam readiness now!

Multiple Choice

Which term detects anomalous application use on endpoints?

Explanation:
Detecting anomalous application use on endpoints is best achieved through proactive, human-led investigation that looks for unusual behavior across devices. A Threat Hunting Service does this by continuously analyzing endpoint telemetry for deviations from normal patterns—things like unexpected process launches, unknown executables, or unusual privilege activity—and then validating whether those signals indicate real threats. This approach targets behavior that may slip past automated rules and can catch stealthy or previously unseen attacks.

Indicators of Attack are specific clues that suggest a compromise after something has happened, rather than a proactive, ongoing search for unusual activity. Decoy files are lure items used to trap or study attackers, not a monitoring capability. Living-off-the-Land Techniques describe how attackers use legitimate tools, which is about attacker methods rather than a service that detects anomalies. So the Threat Hunting Service is the most fitting option for detecting anomalous application use on endpoints.

