New EXE deployed via Default Domain or Default Domain Controller Policies ASIM Version

let known_processes = (
  imProcess
  // Change these values if adjusting Query Frequency or Query Period
  | where TimeGenerated between(ago(14d)..ago(1d))
  | where Process has_any ("Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}")
  | summarize by Process);
  imProcess
  // Change these values if adjusting Query Frequency or Query Period
  | where TimeGenerated > ago(1d)
  | where Process has_any ("Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}")
  | where Process !in (known_processes)
  | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname

id: 0dd2a343-4bf9-4c93-a547-adf3658ddaec
queryPeriod: 14d
severity: High
kind: Scheduled
query: |
  let known_processes = (
    imProcess
    // Change these values if adjusting Query Frequency or Query Period
    | where TimeGenerated between(ago(14d)..ago(1d))
    | where Process has_any ("Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}")
    | summarize by Process);
    imProcess
    // Change these values if adjusting Query Frequency or Query Period
    | where TimeGenerated > ago(1d)
    | where Process has_any ("Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}", "Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}")
    | where Process !in (known_processes)
    | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname  
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: DvcHostname
  entityType: Host
triggerThreshold: 0
metadata:
  categories:
    domains:
    - Security - Threat Protection
  author:
    name: Pete Bryan
  source:
    kind: Community
  support:
    tier: Community
description: |
  'This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.
    A threat actor may use these policies to deploy files or scripts to all hosts in a domain.
    This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization'  
name: New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)
relevantTechniques:
- T1072
- T1570
queryFrequency: 1d
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvents
tactics:
- Execution
- LateralMovement
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies(ASIMVersion).yaml
version: 1.0.3

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0dd2a343-4bf9-4c93-a547-adf3658ddaec')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0dd2a343-4bf9-4c93-a547-adf3658ddaec')]",
      "properties": {
        "alertRuleTemplateName": "0dd2a343-4bf9-4c93-a547-adf3658ddaec",
        "customDetails": null,
        "description": "'This detection highlights executables deployed to hosts via either the Default Domain or Default Domain Controller Policies. These policies apply to all hosts or Domain Controllers and best practice is that these policies should not be used for deployment of files.\n  A threat actor may use these policies to deploy files or scripts to all hosts in a domain.\n  This query uses the ASIM parsers and will need them deployed before usage - https://docs.microsoft.com/azure/sentinel/normalization'\n",
        "displayName": "New EXE deployed via Default Domain or Default Domain Controller Policies (ASIM Version)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DvcHostname",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies(ASIMVersion).yaml",
        "query": "let known_processes = (\n  imProcess\n  // Change these values if adjusting Query Frequency or Query Period\n  | where TimeGenerated between(ago(14d)..ago(1d))\n  | where Process has_any (\"Policies\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\", \"Policies\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\")\n  | summarize by Process);\n  imProcess\n  // Change these values if adjusting Query Frequency or Query Period\n  | where TimeGenerated > ago(1d)\n  | where Process has_any (\"Policies\\\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\", \"Policies\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\")\n  | where Process !in (known_processes)\n  | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by Process, CommandLine, DvcHostname\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "severity": "High",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "LateralMovement"
        ],
        "techniques": [
          "T1072",
          "T1570"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}