let f_types = dynamic(['ps1', 'bat', 'scr', 'sh', 'exe', 'js', 'lnk']);
TrendMicroCAS
| where EventCategoryType in~ ('sharepoint', 'onedrive', 'dropbox', 'box', 'googledrive')
| where isnotempty(SrcFileName)
| extend file_type = extract(@'\.(\w+)$', 1, SrcFileName)
| where file_type in~ (f_types) or SrcFileName !contains @'.'
| extend AccountCustomEntity = DstUserName
name: Trend Micro CAS - Unexpected file on file share
kind: Scheduled
tactics:
- InitialAccess
triggerThreshold: 0
triggerOperator: gt
version: 1.0.0
status: Available
queryFrequency: 1h
id: de54f817-f338-46bf-989b-4e016ea6b71b
requiredDataConnectors:
- connectorId: TrendMicroCAS
dataTypes:
- TrendMicroCAS
relevantTechniques:
- T1566
description: |
'Detects unexpected files on file share.'
entityMappings:
- entityType: Account
fieldMappings:
- columnName: AccountCustomEntity
identifier: Name
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASUnexpectedFileOnFileShare.yaml
queryPeriod: 1h
severity: Medium
query: |
let f_types = dynamic(['ps1', 'bat', 'scr', 'sh', 'exe', 'js', 'lnk']);
TrendMicroCAS
| where EventCategoryType in~ ('sharepoint', 'onedrive', 'dropbox', 'box', 'googledrive')
| where isnotempty(SrcFileName)
| extend file_type = extract(@'\.(\w+)$', 1, SrcFileName)
| where file_type in~ (f_types) or SrcFileName !contains @'.'
| extend AccountCustomEntity = DstUserName
