CyberArkEPM - Possible execution of Powershell Empire

CyberArkEPM
| where EventSubType != 'AttackAttempt'
| where ActingProcessCommandLine has_any ('-NoP -sta -NonI -W Hidden -Enc', '-noP -sta -w 1 -enc', '-NoP -NonI -W Hidden -enc')
| extend AccountCustomEntity = ActorUsername

name: CyberArkEPM - Possible execution of Powershell Empire
relevantTechniques:
- T1204
id: eddfd1fd-71df-4cc3-b050-287643bee398
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMPossibleExecutionOfPowershellEmpire.yaml
requiredDataConnectors:
- dataTypes:
  - CyberArkEPM
  connectorId: CyberArkEPM
version: 1.0.0
severity: High
triggerThreshold: 0
queryPeriod: 10m
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
queryFrequency: 10m
query: |
  CyberArkEPM
  | where EventSubType != 'AttackAttempt'
  | where ActingProcessCommandLine has_any ('-NoP -sta -NonI -W Hidden -Enc', '-noP -sta -w 1 -enc', '-NoP -NonI -W Hidden -enc')
  | extend AccountCustomEntity = ActorUsername  
tactics:
- Execution
kind: Scheduled
description: |
    'Detects possible execution of Powershell Empire.'
triggerOperator: gt