ApexOne - Possible exploit or execute operation

TMApexOneEvent
| where EventMessage has "Behavior Monitoring"
| extend DeviceCustomNumber3 = coalesce(column_ifexists("FieldDeviceCustomNumber3", long(null)),DeviceCustomNumber3)
| where Event_Type == 2048 or DeviceCustomNumber3 == 403 or DeviceCustomNumber3 == 601
| extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = DstUserName

status: Available
relevantTechniques:
- T1546
triggerThreshold: 0
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOnePossibleExploitOrExecuteOperation.yaml
queryPeriod: 1h
query: |
  TMApexOneEvent
  | where EventMessage has "Behavior Monitoring"
  | extend DeviceCustomNumber3 = coalesce(column_ifexists("FieldDeviceCustomNumber3", long(null)),DeviceCustomNumber3)
  | where Event_Type == 2048 or DeviceCustomNumber3 == 403 or DeviceCustomNumber3 == 601
  | extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = DstUserName  
id: e289d762-6cc2-11ec-90d6-0242ac120003
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
name: ApexOne - Possible exploit or execute operation
kind: Scheduled
description: |
    'Detects possible exploit or execute operation.'
tactics:
- PrivilegeEscalation
- Persistence
version: 1.0.5
triggerOperator: gt
queryFrequency: 1h
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog