Process-Level Anomaly
| Id | 3fa85f64-5717-4562-b3fc-2c963f66afa6 |
| Rulename | Process-Level Anomaly |
| Description | Triggers an incident when the same process name appears in 50 or more alerts across multiple devices, suggesting widespread activity. |
| Severity | Medium |
| Tactics | Execution DefenseEvasion |
| Techniques | T1059 T1204 |
| Required data connectors | MorphisecCCF |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Analytic Rules/MorphisecProcessLevelAnomaly.yaml |
| Version | 1.0.0 |
| Arm template | 3fa85f64-5717-4562-b3fc-2c963f66afa6.json |
MorphisecAlerts_CL
| where threatMessageArrivalTime >= ago(24h)
| summarize
AlertCount = dcount(id),
DeviceCount = dcount(hostname)
by application
| where AlertCount >= 50 and DeviceCount > 1
eventGroupingSettings:
aggregationKind: SingleAlert
suppressionEnabled: false
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Analytic Rules/MorphisecProcessLevelAnomaly.yaml
triggerThreshold: 0
status: Available
relevantTechniques:
- T1059
- T1204
queryPeriod: 1d
name: Process-Level Anomaly
customDetails:
ProcessName: application
suppressionDuration: 5h
queryFrequency: 1d
triggerOperator: gt
incidentConfiguration:
createIncident: true
groupingConfiguration:
matchingMethod: AllEntities
lookbackDuration: 5h
enabled: false
reopenClosedIncident: false
requiredDataConnectors:
- connectorId: MorphisecCCF
dataTypes:
- Morphisec
description: |
'Triggers an incident when the same process name appears in 50 or more alerts across multiple devices, suggesting widespread activity.'
tactics:
- Execution
- DefenseEvasion
severity: Medium
version: 1.0.0
query: |
MorphisecAlerts_CL
| where threatMessageArrivalTime >= ago(24h)
| summarize
AlertCount = dcount(id),
DeviceCount = dcount(hostname)
by application
| where AlertCount >= 50 and DeviceCount > 1
id: 3fa85f64-5717-4562-b3fc-2c963f66afa6