CyberArkEPM - Possible execution of Powershell Empire

CyberArkEPM
| where EventSubType != 'AttackAttempt'
| where ActingProcessCommandLine has_any ('-NoP -sta -NonI -W Hidden -Enc', '-noP -sta -w 1 -enc', '-NoP -NonI -W Hidden -enc')
| extend AccountCustomEntity = ActorUsername

version: 1.0.0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
id: eddfd1fd-71df-4cc3-b050-287643bee398
query: |
  CyberArkEPM
  | where EventSubType != 'AttackAttempt'
  | where ActingProcessCommandLine has_any ('-NoP -sta -NonI -W Hidden -Enc', '-noP -sta -w 1 -enc', '-NoP -NonI -W Hidden -enc')
  | extend AccountCustomEntity = ActorUsername  
triggerOperator: gt
kind: Scheduled
description: |
    'Detects possible execution of Powershell Empire.'
tactics:
- Execution
name: CyberArkEPM - Possible execution of Powershell Empire
requiredDataConnectors:
- connectorId: CyberArkEPM
  dataTypes:
  - CyberArkEPM
queryPeriod: 10m
queryFrequency: 10m
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMPossibleExecutionOfPowershellEmpire.yaml
triggerThreshold: 0
relevantTechniques:
- T1204