Microsoft Sentinel Analytic Rules

CyberArkEPM - Uncommon process Internet access

Id: 9d0d44ab-54dc-472a-9931-53521e888932
Rule name: CyberArkEPM - Uncommon process Internet access
Description: Detects access to the Internet by uncommon processes.
Severity: High
Tactics: Execution, DefenseEvasion, CommandAndControl
Techniques: T1204, T1036, T1095
Required data connectors: CyberArkEPM
Kind: Scheduled
Query frequency: 30m
Query period: 30m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMRareProcInternetAccess.yaml
Version: 1.0.0
Arm template: 9d0d44ab-54dc-472a-9931-53521e888932.json
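// Baseline window (how far back "known" Internet-accessing processes are collected)
// and alert window (how recent an event must be to be evaluated).
// NOTE(review): the rule metadata on this page sets Query period = 30m, which is
// shorter than both windows. Sentinel scheduled rules are (as far as I know) limited
// to data inside the query period, so the 14d baseline would come back empty and
// every DetectAccessInternet event would fire; the query period should cover
// lb_period, or lb_period should be shortened to match. Confirm against the deployed rule.
// NOTE(review): q_time (1h) is twice the 30m query frequency, so consecutive runs
// overlap and the same event can be evaluated - and alerted on - twice.
let lb_period = 14d;
let q_time = 1h;
// Distinct process names observed reaching the Internet during the baseline window.
// The window ends at ago(q_time) so a process first seen in the alert window cannot
// baseline itself. `distinct` yields the single-column scalar table that `!in`
// expects; the earlier `makeset` form is a deprecated alias of make_set and produced
// one dynamic-array row, which `!in` does not unpack (to my understanding - verify).
let inet_access_proc = CyberArkEPM
| where TimeGenerated between (ago(lb_period) .. ago(q_time))
| where EventSubType =~ 'DetectAccessInternet'
| where isnotempty(ActingProcessFileInternalName)
| distinct ActingProcessFileInternalName;
// Alert on Internet access by a process name absent from the baseline.
// Caveats for tuning: `!in` is case-sensitive (use `!in~` if InternalName casing
// varies across hosts); an event with an empty InternalName is never in the baseline
// and therefore always fires; InternalName comes from the executable's version
// resource and is not an authoritative identity, so consider pairing it with a file
// hash or signer field if the connector exposes one.
CyberArkEPM
| where TimeGenerated > ago(q_time)
| where EventSubType =~ 'DetectAccessInternet'
| where ActingProcessFileInternalName !in (inet_access_proc)
| extend AccountCustomEntity = ActorUsername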
# Scheduled run cadence. NOTE(review): the query's alert window (q_time = 1h) is twice
# this value, so consecutive runs overlap and the same event can be alerted on twice.
queryFrequency: 30m
triggerThreshold: 0
name: CyberArkEPM - Uncommon process Internet access
version: 1.0.0
id: 9d0d44ab-54dc-472a-9931-53521e888932
tactics:
- Execution
- DefenseEvasion
- CommandAndControl
# The acting user is surfaced as the Account entity; no Process/Host entity is mapped,
# so the process name and machine are only visible in the raw event.
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
# Lookback the rule is allowed to read. NOTE(review): the query below reads a 14d
# baseline (lb_period) and a 1h alert window (q_time), both longer than 30m. If
# Sentinel bounds the query's data to queryPeriod (my understanding of scheduled
# rules - confirm), the baseline set is empty and every DetectAccessInternet event
# fires; queryPeriod should cover lb_period, or lb_period should be reduced.
queryPeriod: 30m
description: |
    'Detects access to the Internet by uncommon processes.'
requiredDataConnectors:
- connectorId: CyberArkEPM
  dataTypes:
  - CyberArkEPM
# Baseline = distinct process InternalNames seen reaching the Internet in
# [ago(lb_period), ago(q_time)); alert = DetectAccessInternet events in the last q_time
# whose InternalName is not in that set. makeset is a deprecated alias of make_set.
query: |
  let lb_period = 14d;
  let q_time = 1h;
  let inet_access_proc = CyberArkEPM
  | where TimeGenerated between (ago(lb_period) .. ago(q_time))
  | where EventSubType =~ 'DetectAccessInternet'
  | where isnotempty(ActingProcessFileInternalName)
  | summarize makeset(ActingProcessFileInternalName);
  CyberArkEPM
  | where TimeGenerated > ago(q_time)
  | where EventSubType =~ 'DetectAccessInternet'
  | where ActingProcessFileInternalName !in (inet_access_proc)
  | extend AccountCustomEntity = ActorUsername  
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMRareProcInternetAccess.yaml
triggerOperator: gt
relevantTechniques:
- T1204
- T1036
- T1095
severity: High
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9d0d44ab-54dc-472a-9931-53521e888932')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9d0d44ab-54dc-472a-9931-53521e888932')]",
      "properties": {
        "alertRuleTemplateName": "9d0d44ab-54dc-472a-9931-53521e888932",
        "customDetails": null,
        "description": "'Detects access to the Internet by uncommon processes.'\n",
        "displayName": "CyberArkEPM - Uncommon process Internet access",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMRareProcInternetAccess.yaml",
        "query": "let lb_period = 14d;\nlet q_time = 1h;\nlet inet_access_proc = CyberArkEPM\n| where TimeGenerated between (ago(lb_period) .. ago(q_time))\n| where EventSubType =~ 'DetectAccessInternet'\n| where isnotempty(ActingProcessFileInternalName)\n| summarize makeset(ActingProcessFileInternalName);\nCyberArkEPM\n| where TimeGenerated > ago(q_time)\n| where EventSubType =~ 'DetectAccessInternet'\n| where ActingProcessFileInternalName !in (inet_access_proc)\n| extend AccountCustomEntity = ActorUsername\n",
        "queryFrequency": "PT30M",
        "queryPeriod": "PT30M",
        "severity": "High",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "DefenseEvasion",
          "Execution"
        ],
        "techniques": [
          "T1036",
          "T1095",
          "T1204"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}