Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CyberArkEPM - Uncommon process Internet access

Back
Id9d0d44ab-54dc-472a-9931-53521e888932
RulenameCyberArkEPM - Uncommon process Internet access
DescriptionDetects access to the Internet by uncommon processes.
SeverityHigh
TacticsExecution
DefenseEvasion
CommandAndControl
TechniquesT1204
T1036
T1095
Required data connectorsCyberArkEPM
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMRareProcInternetAccess.yaml
Version1.0.0
Arm template9d0d44ab-54dc-472a-9931-53521e888932.json
Deploy To Azure
let lb_period = 14d;
let q_time = 1h;
let inet_access_proc = CyberArkEPM
| where TimeGenerated between (ago(lb_period) .. ago(q_time))
| where EventSubType =~ 'DetectAccessInternet'
| where isnotempty(ActingProcessFileInternalName)
| summarize makeset(ActingProcessFileInternalName);
CyberArkEPM
| where TimeGenerated > ago(q_time)
| where EventSubType =~ 'DetectAccessInternet'
| where ActingProcessFileInternalName !in (inet_access_proc)
| extend AccountCustomEntity = ActorUsername
queryPeriod: 30m
version: 1.0.0
triggerThreshold: 0
relevantTechniques:
- T1204
- T1036
- T1095
triggerOperator: gt
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
query: |
  let lb_period = 14d;
  let q_time = 1h;
  let inet_access_proc = CyberArkEPM
  | where TimeGenerated between (ago(lb_period) .. ago(q_time))
  | where EventSubType =~ 'DetectAccessInternet'
  | where isnotempty(ActingProcessFileInternalName)
  | summarize makeset(ActingProcessFileInternalName);
  CyberArkEPM
  | where TimeGenerated > ago(q_time)
  | where EventSubType =~ 'DetectAccessInternet'
  | where ActingProcessFileInternalName !in (inet_access_proc)
  | extend AccountCustomEntity = ActorUsername  
name: CyberArkEPM - Uncommon process Internet access
queryFrequency: 30m
requiredDataConnectors:
- connectorId: CyberArkEPM
  dataTypes:
  - CyberArkEPM
description: |
    'Detects access to the Internet by uncommon processes.'
kind: Scheduled
id: 9d0d44ab-54dc-472a-9931-53521e888932
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMRareProcInternetAccess.yaml
tactics:
- Execution
- DefenseEvasion
- CommandAndControl
severity: High
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9d0d44ab-54dc-472a-9931-53521e888932')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9d0d44ab-54dc-472a-9931-53521e888932')]",
      "properties": {
        "alertRuleTemplateName": "9d0d44ab-54dc-472a-9931-53521e888932",
        "customDetails": null,
        "description": "'Detects access to the Internet by uncommon processes.'\n",
        "displayName": "CyberArkEPM - Uncommon process Internet access",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMRareProcInternetAccess.yaml",
        "query": "let lb_period = 14d;\nlet q_time = 1h;\nlet inet_access_proc = CyberArkEPM\n| where TimeGenerated between (ago(lb_period) .. ago(q_time))\n| where EventSubType =~ 'DetectAccessInternet'\n| where isnotempty(ActingProcessFileInternalName)\n| summarize makeset(ActingProcessFileInternalName);\nCyberArkEPM\n| where TimeGenerated > ago(q_time)\n| where EventSubType =~ 'DetectAccessInternet'\n| where ActingProcessFileInternalName !in (inet_access_proc)\n| extend AccountCustomEntity = ActorUsername\n",
        "queryFrequency": "PT30M",
        "queryPeriod": "PT30M",
        "severity": "High",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "DefenseEvasion",
          "Execution"
        ],
        "techniques": [
          "T1036",
          "T1095",
          "T1204"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}