Process-Level Anomaly
| Id | 3fa85f64-5717-4562-b3fc-2c963f66afa6 |
| Rulename | Process-Level Anomaly |
| Description | Triggers an incident when the same process name appears in 50 or more alerts across multiple devices, suggesting widespread activity. |
| Severity | Medium |
| Tactics | Execution DefenseEvasion |
| Techniques | T1059 T1204 |
| Required data connectors | MorphisecCCF |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Analytic Rules/MorphisecProcessLevelAnomaly.yaml |
| Version | 1.0.0 |
| Arm template | 3fa85f64-5717-4562-b3fc-2c963f66afa6.json |
MorphisecAlerts_CL
| where threatMessageArrivalTime >= ago(24h)
| summarize
AlertCount = dcount(id),
DeviceCount = dcount(hostname)
by application
| where AlertCount >= 50 and DeviceCount > 1
incidentConfiguration:
groupingConfiguration:
lookbackDuration: 5h
enabled: false
reopenClosedIncident: false
matchingMethod: AllEntities
createIncident: true
id: 3fa85f64-5717-4562-b3fc-2c963f66afa6
query: |
MorphisecAlerts_CL
| where threatMessageArrivalTime >= ago(24h)
| summarize
AlertCount = dcount(id),
DeviceCount = dcount(hostname)
by application
| where AlertCount >= 50 and DeviceCount > 1
description: |
'Triggers an incident when the same process name appears in 50 or more alerts across multiple devices, suggesting widespread activity.'
requiredDataConnectors:
- connectorId: MorphisecCCF
dataTypes:
- Morphisec
tactics:
- Execution
- DefenseEvasion
status: Available
queryFrequency: 1d
queryPeriod: 1d
suppressionEnabled: false
triggerOperator: gt
kind: Scheduled
name: Process-Level Anomaly
customDetails:
ProcessName: application
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Analytic Rules/MorphisecProcessLevelAnomaly.yaml
version: 1.0.0
eventGroupingSettings:
aggregationKind: SingleAlert
relevantTechniques:
- T1059
- T1204
suppressionDuration: 5h
severity: Medium
triggerThreshold: 0