Process-Level Anomaly
| Id | 3fa85f64-5717-4562-b3fc-2c963f66afa6 |
| Rulename | Process-Level Anomaly |
| Description | Triggers an incident when the same process name appears in 50 or more alerts across multiple devices, suggesting widespread activity. |
| Severity | Medium |
| Tactics | Execution DefenseEvasion |
| Techniques | T1059 T1204 |
| Required data connectors | MorphisecCCF |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Analytic Rules/MorphisecProcessLevelAnomaly.yaml |
| Version | 1.0.0 |
| Arm template | 3fa85f64-5717-4562-b3fc-2c963f66afa6.json |
MorphisecAlerts_CL
| where threatMessageArrivalTime >= ago(24h)
| summarize
AlertCount = dcount(id),
DeviceCount = dcount(hostname)
by application
| where AlertCount >= 50 and DeviceCount > 1
suppressionEnabled: false
relevantTechniques:
- T1059
- T1204
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
matchingMethod: AllEntities
enabled: false
lookbackDuration: 5h
createIncident: true
suppressionDuration: 5h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Analytic Rules/MorphisecProcessLevelAnomaly.yaml
description: |
'Triggers an incident when the same process name appears in 50 or more alerts across multiple devices, suggesting widespread activity.'
tactics:
- Execution
- DefenseEvasion
customDetails:
ProcessName: application
requiredDataConnectors:
- connectorId: MorphisecCCF
dataTypes:
- Morphisec
triggerOperator: gt
version: 1.0.0
eventGroupingSettings:
aggregationKind: SingleAlert
id: 3fa85f64-5717-4562-b3fc-2c963f66afa6
queryFrequency: 1d
query: |
MorphisecAlerts_CL
| where threatMessageArrivalTime >= ago(24h)
| summarize
AlertCount = dcount(id),
DeviceCount = dcount(hostname)
by application
| where AlertCount >= 50 and DeviceCount > 1
severity: Medium
status: Available
queryPeriod: 1d
name: Process-Level Anomaly
triggerThreshold: 0
kind: Scheduled