ApexOne - Possible exploit or execute operation

TMApexOneEvent
| where EventMessage has "Behavior Monitoring"
| extend DeviceCustomNumber3 = coalesce(column_ifexists("FieldDeviceCustomNumber3", long(null)),DeviceCustomNumber3)
| where Event_Type == 2048 or DeviceCustomNumber3 == 403 or DeviceCustomNumber3 == 601
| extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = DstUserName

entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
status: Available
queryFrequency: 1h
tactics:
- PrivilegeEscalation
- Persistence
triggerThreshold: 0
query: |
  TMApexOneEvent
  | where EventMessage has "Behavior Monitoring"
  | extend DeviceCustomNumber3 = coalesce(column_ifexists("FieldDeviceCustomNumber3", long(null)),DeviceCustomNumber3)
  | where Event_Type == 2048 or DeviceCustomNumber3 == 403 or DeviceCustomNumber3 == 601
  | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = DstUserName  
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOnePossibleExploitOrExecuteOperation.yaml
relevantTechniques:
- T1546
version: 1.0.5
kind: Scheduled
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
triggerOperator: gt
severity: High
id: e289d762-6cc2-11ec-90d6-0242ac120003
description: |
    'Detects possible exploit or execute operation.'
name: ApexOne - Possible exploit or execute operation