Process-Level Anomaly
| Id | 3fa85f64-5717-4562-b3fc-2c963f66afa6 |
| Rulename | Process-Level Anomaly |
| Description | Triggers an incident when the same process name appears in 50 or more alerts across multiple devices, suggesting widespread activity. |
| Severity | Medium |
| Tactics | Execution DefenseEvasion |
| Techniques | T1059 T1204 |
| Required data connectors | MorphisecCCF |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Analytic Rules/MorphisecProcessLevelAnomaly.yaml |
| Version | 1.0.0 |
| Arm template | 3fa85f64-5717-4562-b3fc-2c963f66afa6.json |
MorphisecAlerts_CL
| where threatMessageArrivalTime >= ago(24h)
| summarize
AlertCount = dcount(id),
DeviceCount = dcount(hostname)
by application
| where AlertCount >= 50 and DeviceCount > 1
status: Available
suppressionDuration: 5h
queryFrequency: 1d
incidentConfiguration:
groupingConfiguration:
matchingMethod: AllEntities
reopenClosedIncident: false
lookbackDuration: 5h
enabled: false
createIncident: true
queryPeriod: 1d
triggerOperator: gt
query: |
MorphisecAlerts_CL
| where threatMessageArrivalTime >= ago(24h)
| summarize
AlertCount = dcount(id),
DeviceCount = dcount(hostname)
by application
| where AlertCount >= 50 and DeviceCount > 1
eventGroupingSettings:
aggregationKind: SingleAlert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Morphisec/Analytic Rules/MorphisecProcessLevelAnomaly.yaml
tactics:
- Execution
- DefenseEvasion
triggerThreshold: 0
requiredDataConnectors:
- connectorId: MorphisecCCF
dataTypes:
- Morphisec
kind: Scheduled
relevantTechniques:
- T1059
- T1204
customDetails:
ProcessName: application
description: |
'Triggers an incident when the same process name appears in 50 or more alerts across multiple devices, suggesting widespread activity.'
severity: Medium
name: Process-Level Anomaly
version: 1.0.0
id: 3fa85f64-5717-4562-b3fc-2c963f66afa6
suppressionEnabled: false