Process-Level Anomaly

MorphisecAlerts_CL
| where threatMessageArrivalTime >= ago(24h)
| summarize 
    AlertCount = dcount(id),
    DeviceCount = dcount(hostname)
    by application
| where AlertCount >= 50 and DeviceCount > 1

eventGroupingSettings:
  aggregationKind: SingleAlert
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - Morphisec
  connectorId: MorphisecCCF
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Analytic Rules/MorphisecProcessLevelAnomaly.yaml
queryFrequency: 1d
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: 5h
name: Process-Level Anomaly
relevantTechniques:
- T1059
- T1204
status: Available
version: 1.0.0
queryPeriod: 1d
customDetails:
  ProcessName: application
kind: Scheduled
id: 3fa85f64-5717-4562-b3fc-2c963f66afa6
query: |
  MorphisecAlerts_CL
  | where threatMessageArrivalTime >= ago(24h)
  | summarize 
      AlertCount = dcount(id),
      DeviceCount = dcount(hostname)
      by application
  | where AlertCount >= 50 and DeviceCount > 1  
description: |
    'Triggers an incident when the same process name appears in 50 or more alerts across multiple devices, suggesting widespread activity.'
suppressionEnabled: false
suppressionDuration: 5h
triggerOperator: gt
tactics:
- Execution
- DefenseEvasion
severity: Medium