Microsoft Sentinel Analytic Rules

CyberArkEPM - Uncommon process Internet access

Id: 9d0d44ab-54dc-472a-9931-53521e888932
Rulename: CyberArkEPM - Uncommon process Internet access
Description: Detects access to the Internet by uncommon processes.
Severity: High
Tactics: Execution
DefenseEvasion
CommandAndControl
Techniques: T1204
T1036
T1095
Required data connectors: CyberArkEPM
Kind: Scheduled
Query frequency: 30m
Query period: 30m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMRareProcInternetAccess.yaml
Version: 1.0.0
Arm template: 9d0d44ab-54dc-472a-9931-53521e888932.json
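// Baseline/detection split: processes (by PE InternalName) seen reaching the
// Internet during lb_period, minus the most recent q_time, form the baseline;
// anything in the last q_time that is not in that set is reported. Excluding
// q_time from the baseline keeps a brand-new process from baselining itself
// in the same run that should alert on it.
let lb_period = 14d;
let q_time = 1h;
// NOTE(review): this rule is deployed with queryFrequency 30m / queryPeriod 30m.
// Sentinel scheduled rules run over the configured query period, so a 30m
// period would give the 14d baseline below almost no data (nothing older than
// q_time), leaving inet_access_proc empty and every Internet access flagged as
// "uncommon" -- queryPeriod should cover lb_period; verify against the deployed
// settings. Also, q_time (1h) is twice the 30m run frequency, so one event can
// surface in two consecutive runs unless q_time is aligned with the frequency
// or suppression is enabled.
let inet_access_proc = CyberArkEPM
| where TimeGenerated between (ago(lb_period) .. ago(q_time))
| where EventSubType =~ 'DetectAccessInternet'
| where isnotempty(ActingProcessFileInternalName)
// make_set is the current name; makeset is the deprecated alias of the same function.
| summarize make_set(ActingProcessFileInternalName);
// NOTE(review): inet_access_proc is a single-row table whose only column is a
// dynamic array; the intent is for `!in (tabular)` to test membership against
// the array's elements -- confirm in the workspace that this matches as
// expected (a `distinct ActingProcessFileInternalName` baseline is the
// unambiguous form). `!in` is case-sensitive while the EventSubType filters
// use `=~`; InternalName values differing only in case will alert.
CyberArkEPM
| where TimeGenerated > ago(q_time)
| where EventSubType =~ 'DetectAccessInternet'
// InternalName is a self-reported field from the binary's version resource,
// so this match keys on what the file declares, not on a verified identity;
// pairing it with a hash or signer column would tighten the baseline if the
// connector exposes one -- TODO confirm available columns.
| where ActingProcessFileInternalName !in (inet_access_proc)
// Account entity for the Sentinel entity mapping (Account / Name).
| extend AccountCustomEntity = ActorUsername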
name: CyberArkEPM - Uncommon process Internet access
severity: High
queryFrequency: 30m
triggerOperator: gt
relevantTechniques:
- T1204
- T1036
- T1095
version: 1.0.0
description: |
    'Detects access to the Internet by uncommon processes.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMRareProcInternetAccess.yaml
requiredDataConnectors:
- connectorId: CyberArkEPM
  dataTypes:
  - CyberArkEPM
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
tactics:
- Execution
- DefenseEvasion
- CommandAndControl
queryPeriod: 30m
query: |
  let lb_period = 14d;
  let q_time = 1h;
  let inet_access_proc = CyberArkEPM
  | where TimeGenerated between (ago(lb_period) .. ago(q_time))
  | where EventSubType =~ 'DetectAccessInternet'
  | where isnotempty(ActingProcessFileInternalName)
  | summarize makeset(ActingProcessFileInternalName);
  CyberArkEPM
  | where TimeGenerated > ago(q_time)
  | where EventSubType =~ 'DetectAccessInternet'
  | where ActingProcessFileInternalName !in (inet_access_proc)
  | extend AccountCustomEntity = ActorUsername  
kind: Scheduled
triggerThreshold: 0
id: 9d0d44ab-54dc-472a-9931-53521e888932
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9d0d44ab-54dc-472a-9931-53521e888932')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9d0d44ab-54dc-472a-9931-53521e888932')]",
      "properties": {
        "alertRuleTemplateName": "9d0d44ab-54dc-472a-9931-53521e888932",
        "customDetails": null,
        "description": "'Detects access to the Internet by uncommon processes.'\n",
        "displayName": "CyberArkEPM - Uncommon process Internet access",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMRareProcInternetAccess.yaml",
        "query": "let lb_period = 14d;\nlet q_time = 1h;\nlet inet_access_proc = CyberArkEPM\n| where TimeGenerated between (ago(lb_period) .. ago(q_time))\n| where EventSubType =~ 'DetectAccessInternet'\n| where isnotempty(ActingProcessFileInternalName)\n| summarize makeset(ActingProcessFileInternalName);\nCyberArkEPM\n| where TimeGenerated > ago(q_time)\n| where EventSubType =~ 'DetectAccessInternet'\n| where ActingProcessFileInternalName !in (inet_access_proc)\n| extend AccountCustomEntity = ActorUsername\n",
        "queryFrequency": "PT30M",
        "queryPeriod": "PT30M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "DefenseEvasion",
          "Execution"
        ],
        "techniques": [
          "T1036",
          "T1095",
          "T1204"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}