let f_types = dynamic(['ps1', 'bat', 'scr', 'sh', 'exe', 'js', 'lnk']);
TrendMicroCAS
| where EventCategoryType in~ ('sharepoint', 'onedrive', 'dropbox', 'box', 'googledrive')
| where isnotempty(SrcFileName)
| extend file_type = extract(@'\.(\w+)$', 1, SrcFileName)
| where file_type in~ (f_types) or SrcFileName !contains @'.'
| extend AccountCustomEntity = DstUserName
triggerOperator: gt
entityMappings:
- entityType: Account
fieldMappings:
- columnName: AccountCustomEntity
identifier: Name
triggerThreshold: 0
severity: Medium
query: |
let f_types = dynamic(['ps1', 'bat', 'scr', 'sh', 'exe', 'js', 'lnk']);
TrendMicroCAS
| where EventCategoryType in~ ('sharepoint', 'onedrive', 'dropbox', 'box', 'googledrive')
| where isnotempty(SrcFileName)
| extend file_type = extract(@'\.(\w+)$', 1, SrcFileName)
| where file_type in~ (f_types) or SrcFileName !contains @'.'
| extend AccountCustomEntity = DstUserName
tactics:
- InitialAccess
queryPeriod: 1h
version: 1.0.0
queryFrequency: 1h
description: |
'Detects unexpected files on file share.'
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASUnexpectedFileOnFileShare.yaml
name: Trend Micro CAS - Unexpected file on file share
id: de54f817-f338-46bf-989b-4e016ea6b71b
relevantTechniques:
- T1566
kind: Scheduled
requiredDataConnectors:
- dataTypes:
- TrendMicroCAS
connectorId: TrendMicroCAS
