ApexOne - Possible exploit or execute operation

TMApexOneEvent
| where EventMessage has "Behavior Monitoring"
| extend DeviceCustomNumber3 = coalesce(column_ifexists("FieldDeviceCustomNumber3", long(null)),DeviceCustomNumber3)
| where Event_Type == 2048 or DeviceCustomNumber3 == 403 or DeviceCustomNumber3 == 601
| extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = DstUserName

id: e289d762-6cc2-11ec-90d6-0242ac120003
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
name: ApexOne - Possible exploit or execute operation
version: 1.0.5
query: |
  TMApexOneEvent
  | where EventMessage has "Behavior Monitoring"
  | extend DeviceCustomNumber3 = coalesce(column_ifexists("FieldDeviceCustomNumber3", long(null)),DeviceCustomNumber3)
  | where Event_Type == 2048 or DeviceCustomNumber3 == 403 or DeviceCustomNumber3 == 601
  | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = DstUserName  
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
relevantTechniques:
- T1546
tactics:
- PrivilegeEscalation
- Persistence
triggerThreshold: 0
queryPeriod: 1h
queryFrequency: 1h
severity: High
kind: Scheduled
triggerOperator: gt
status: Available
description: |
    'Detects possible exploit or execute operation.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOnePossibleExploitOrExecuteOperation.yaml