Microsoft Sentinel Analytic Rules
cloudbrothers.info Azure Sentinel Repo

CyberArkEPM - Uncommon process Internet access

Id: 9d0d44ab-54dc-472a-9931-53521e888932
Rulename: CyberArkEPM - Uncommon process Internet access
Description: Detects access to the Internet by uncommon processes.
Severity: High
Tactics: Execution, DefenseEvasion, CommandAndControl
Techniques: T1204, T1036, T1095
Required data connectors: CyberArkEPM
Kind: Scheduled
Query frequency: 30m
Query period: 30m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMRareProcInternetAccess.yaml
Version: 1.0.0
Arm template: 9d0d44ab-54dc-472a-9931-53521e888932.json
// Baseline: set of process internal names seen accessing the Internet
// during the previous 14 days, excluding the most recent hour.
let lb_period = 14d;
let q_time = 1h;
let inet_access_proc = CyberArkEPM
| where TimeGenerated between (ago(lb_period) .. ago(q_time))
| where EventSubType =~ 'DetectAccessInternet'
| where isnotempty(ActingProcessFileInternalName)
| summarize makeset(ActingProcessFileInternalName);
// Alert on Internet access in the last hour by a process that is absent from the baseline.
// Note: q_time (1h) is wider than the 30m run frequency, so an event is evaluated by two consecutive runs.
CyberArkEPM
| where TimeGenerated > ago(q_time)
| where EventSubType =~ 'DetectAccessInternet'
| where ActingProcessFileInternalName !in (inet_access_proc)
| extend AccountCustomEntity = ActorUsername
queryPeriod: 30m
query: |
  let lb_period = 14d;
  let q_time = 1h;
  let inet_access_proc = CyberArkEPM
  | where TimeGenerated between (ago(lb_period) .. ago(q_time))
  | where EventSubType =~ 'DetectAccessInternet'
  | where isnotempty(ActingProcessFileInternalName)
  | summarize makeset(ActingProcessFileInternalName);
  CyberArkEPM
  | where TimeGenerated > ago(q_time)
  | where EventSubType =~ 'DetectAccessInternet'
  | where ActingProcessFileInternalName !in (inet_access_proc)
  | extend AccountCustomEntity = ActorUsername  
name: CyberArkEPM - Uncommon process Internet access
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMRareProcInternetAccess.yaml
requiredDataConnectors:
- connectorId: CyberArkEPM
  dataTypes:
  - CyberArkEPM
description: |
    'Detects access to the Internet by uncommon processes.'
kind: Scheduled
version: 1.0.0
queryFrequency: 30m
severity: High
relevantTechniques:
- T1204
- T1036
- T1095
triggerOperator: gt
triggerThreshold: 0
tactics:
- Execution
- DefenseEvasion
- CommandAndControl
id: 9d0d44ab-54dc-472a-9931-53521e888932