let f_types = dynamic(['ps1', 'bat', 'scr', 'sh', 'exe', 'js', 'lnk']);
TrendMicroCAS
| where EventCategoryType in~ ('sharepoint', 'onedrive', 'dropbox', 'box', 'googledrive')
| where isnotempty(SrcFileName)
| extend file_type = extract(@'\.(\w+)$', 1, SrcFileName)
| where file_type in~ (f_types) or SrcFileName !contains @'.'
| extend AccountCustomEntity = DstUserName
name: Trend Micro CAS - Unexpected file on file share
relevantTechniques:
- T1566
id: de54f817-f338-46bf-989b-4e016ea6b71b
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASUnexpectedFileOnFileShare.yaml
requiredDataConnectors:
- dataTypes:
- TrendMicroCAS
connectorId: TrendMicroCAS
version: 1.0.0
severity: Medium
triggerThreshold: 0
queryPeriod: 1h
entityMappings:
- fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
entityType: Account
queryFrequency: 1h
status: Available
query: |
let f_types = dynamic(['ps1', 'bat', 'scr', 'sh', 'exe', 'js', 'lnk']);
TrendMicroCAS
| where EventCategoryType in~ ('sharepoint', 'onedrive', 'dropbox', 'box', 'googledrive')
| where isnotempty(SrcFileName)
| extend file_type = extract(@'\.(\w+)$', 1, SrcFileName)
| where file_type in~ (f_types) or SrcFileName !contains @'.'
| extend AccountCustomEntity = DstUserName
tactics:
- InitialAccess
kind: Scheduled
description: |
'Detects unexpected files on file share.'
triggerOperator: gt
