TMApexOneEvent
| where EventMessage has "Endpoint Application"
| where Command has_any ("whoami", "dpkg", "useradd", "sudo")
| extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = DstUserName
triggerThreshold: 0
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
requiredDataConnectors:
- dataTypes:
- CommonSecurityLog
connectorId: CefAma
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneCommandLineSuspiciousRequests.yaml
name: ApexOne - Suspicious commandline arguments
relevantTechniques:
- T1059
status: Available
version: 1.0.3
queryPeriod: 1h
kind: Scheduled
id: 4d7199b2-67b8-11ec-90d6-0242ac120003
query: |
TMApexOneEvent
| where EventMessage has "Endpoint Application"
| where Command has_any ("whoami", "dpkg", "useradd", "sudo")
| extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = DstUserName
description: |
'Detects suspicious commandline arguments.'
queryFrequency: 1h
severity: High
triggerOperator: gt
tactics:
- Execution
