Process-Level Anomaly
| Id | 3fa85f64-5717-4562-b3fc-2c963f66afa6 |
| Rulename | Process-Level Anomaly |
| Description | Triggers an incident when the same process name appears in 50 or more alerts across multiple devices, suggesting widespread activity. |
| Severity | Medium |
| Tactics | Execution DefenseEvasion |
| Techniques | T1059 T1204 |
| Required data connectors | MorphisecCCF |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Analytic Rules/MorphisecProcessLevelAnomaly.yaml |
| Version | 1.0.0 |
| Arm template | 3fa85f64-5717-4562-b3fc-2c963f66afa6.json |
MorphisecAlerts_CL
| where threatMessageArrivalTime >= ago(24h)
| summarize
AlertCount = dcount(id),
DeviceCount = dcount(hostname)
by application
| where AlertCount >= 50 and DeviceCount > 1
triggerOperator: gt
incidentConfiguration:
groupingConfiguration:
matchingMethod: AllEntities
enabled: false
reopenClosedIncident: false
lookbackDuration: 5h
createIncident: true
requiredDataConnectors:
- connectorId: MorphisecCCF
dataTypes:
- Morphisec
relevantTechniques:
- T1059
- T1204
query: |
MorphisecAlerts_CL
| where threatMessageArrivalTime >= ago(24h)
| summarize
AlertCount = dcount(id),
DeviceCount = dcount(hostname)
by application
| where AlertCount >= 50 and DeviceCount > 1
triggerThreshold: 0
customDetails:
ProcessName: application
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Analytic Rules/MorphisecProcessLevelAnomaly.yaml
suppressionEnabled: false
queryPeriod: 1d
tactics:
- Execution
- DefenseEvasion
name: Process-Level Anomaly
status: Available
kind: Scheduled
description: |
'Triggers an incident when the same process name appears in 50 or more alerts across multiple devices, suggesting widespread activity.'
id: 3fa85f64-5717-4562-b3fc-2c963f66afa6
version: 1.0.0
eventGroupingSettings:
aggregationKind: SingleAlert
queryFrequency: 1d
severity: Medium
suppressionDuration: 5h