ApexOne - Possible exploit or execute operation

TMApexOneEvent
| where EventMessage has "Behavior Monitoring"
| extend DeviceCustomNumber3 = coalesce(column_ifexists("FieldDeviceCustomNumber3", long(null)),DeviceCustomNumber3)
| where Event_Type == 2048 or DeviceCustomNumber3 == 403 or DeviceCustomNumber3 == 601
| extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = DstUserName

queryFrequency: 1h
tactics:
- PrivilegeEscalation
- Persistence
name: ApexOne - Possible exploit or execute operation
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOnePossibleExploitOrExecuteOperation.yaml
triggerThreshold: 0
description: |
    'Detects possible exploit or execute operation.'
status: Available
kind: Scheduled
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
id: e289d762-6cc2-11ec-90d6-0242ac120003
queryPeriod: 1h
version: 1.0.5
severity: High
relevantTechniques:
- T1546
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
triggerOperator: gt
query: |
  TMApexOneEvent
  | where EventMessage has "Behavior Monitoring"
  | extend DeviceCustomNumber3 = coalesce(column_ifexists("FieldDeviceCustomNumber3", long(null)),DeviceCustomNumber3)
  | where Event_Type == 2048 or DeviceCustomNumber3 == 403 or DeviceCustomNumber3 == 601
  | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = DstUserName