Microsoft Sentinel Analytic Rules

ApexOne - Possible exploit or execute operation

Id: e289d762-6cc2-11ec-90d6-0242ac120003
Rule name: ApexOne - Possible exploit or execute operation
Description: Detects possible exploit or execute operation.
Severity: High
Tactics: PrivilegeEscalation, Persistence
Techniques: T1546
Required data connectors: CefAma, TrendMicroApexOne, TrendMicroApexOneAma
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOnePossibleExploitOrExecuteOperation.yaml
Version: 1.0.4
Arm template: e289d762-6cc2-11ec-90d6-0242ac120003.json
// Trend Micro Apex One: behaviour-monitoring events the rule treats as a
// possible exploit or execute operation. The two columns produced at the end
// are the ones the rule's entityMappings reference (IPCustomEntity, AccountCustomEntity).
TMApexOneEvent
// Scope to behaviour-monitoring telemetry only.
| where EventMessage has "Behavior Monitoring"
// Read FieldDeviceCustomNumber3 when the table has that column, otherwise
// fall back to DeviceCustomNumber3, so both schemas end up in one column.
| extend DeviceCustomNumber3 = coalesce(column_ifexists("FieldDeviceCustomNumber3", long(null)), DeviceCustomNumber3)
// Match on event type 2048, or on custom-number codes 403 / 601.
| where Event_Type == 2048 or DeviceCustomNumber3 in (403, 601)
// Surface source address and destination user under the entity column names.
| extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = DstUserName
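---
# Microsoft Sentinel scheduled analytic rule from the Trend Micro Apex One solution.
# Keys are grouped by purpose (identity, schedule, ATT&CK mapping, query, entities)
# for readability; Sentinel does not depend on key order.
id: e289d762-6cc2-11ec-90d6-0242ac120003
name: ApexOne - Possible exploit or execute operation
# Written as a plain quoted scalar. The previous form was a block scalar (|)
# whose content was itself wrapped in single quotes, so the deployed
# description carried literal quote characters and a trailing newline.
description: 'Detects possible exploit or execute operation.'
severity: High
kind: Scheduled
status: Available
# Quoted so no tool ever retypes the version string.
version: '1.0.4'

# NOTE(review): the query reads TMApexOneEvent while the CefAma connector
# lists CommonSecurityLog; presumably TMApexOneEvent is a parser over that
# table — confirm the parser is deployed with the rule, or it returns nothing.
requiredDataConnectors:
- connectorId: TrendMicroApexOne
  dataTypes:
  - TMApexOneEvent
- connectorId: TrendMicroApexOneAma
  dataTypes:
  - TMApexOneEvent
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog

# Runs hourly over the last hour; any matching row (count > 0) raises an alert.
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0

tactics:
- PrivilegeEscalation
- Persistence
relevantTechniques:
- T1546

# Trailing whitespace removed from the last query line; inside a block scalar
# it would otherwise become part of the query text.
query: |
  TMApexOneEvent
  | where EventMessage has "Behavior Monitoring"
  | extend DeviceCustomNumber3 = coalesce(column_ifexists("FieldDeviceCustomNumber3", long(null)),DeviceCustomNumber3)
  | where Event_Type == 2048 or DeviceCustomNumber3 == 403 or DeviceCustomNumber3 == 601
  | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = DstUserName

# Column names here must match the extend at the end of the query above.
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOnePossibleExploitOrExecuteOperation.yaml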
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e289d762-6cc2-11ec-90d6-0242ac120003')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e289d762-6cc2-11ec-90d6-0242ac120003')]",
      "properties": {
        "alertRuleTemplateName": "e289d762-6cc2-11ec-90d6-0242ac120003",
        "customDetails": null,
        "description": "Detects possible exploit or execute operation.",
        "displayName": "ApexOne - Possible exploit or execute operation",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOnePossibleExploitOrExecuteOperation.yaml",
        "query": "TMApexOneEvent\n| where EventMessage has \"Behavior Monitoring\"\n| extend DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3)\n| where Event_Type == 2048 or DeviceCustomNumber3 == 403 or DeviceCustomNumber3 == 601\n| extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = DstUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1546"
        ],
        "templateVersion": "1.0.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}