PaloAlto - Put and post method request in high risk file type

let HighRiskFileType = dynamic(['.exe', '.msi', '.msp', '.jar', '.bat', '.cmd', '.js', '.jse', 'ws', '.ps1', '.ps2', '.msh']);
PaloAltoCDLEvent
| where EventResourceId =~ 'THREAT'
| where EventResult =~ 'file'
| where HttpRequestMethod has_any ("POST", "PUT")
| where FileType in (HighRiskFileType)
| extend FileCustomEntity = SrcFileName

description: |
    'Detects put and post method request in high risk file type.'
kind: Scheduled
tactics:
- InitialAccess
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPutMethodInHighRiskFileType.yaml
severity: High
name: PaloAlto - Put and post method request in high risk file type
triggerThreshold: 0
queryPeriod: 10m
query: |
  let HighRiskFileType = dynamic(['.exe', '.msi', '.msp', '.jar', '.bat', '.cmd', '.js', '.jse', 'ws', '.ps1', '.ps2', '.msh']);
  PaloAltoCDLEvent
  | where EventResourceId =~ 'THREAT'
  | where EventResult =~ 'file'
  | where HttpRequestMethod has_any ("POST", "PUT")
  | where FileType in (HighRiskFileType)
  | extend FileCustomEntity = SrcFileName  
relevantTechniques:
- T1190
- T1133
id: f12e9d10-51ca-11ec-bf63-0242ac130002
queryFrequency: 10m
status: Available
triggerOperator: gt
version: 1.0.4
entityMappings:
- entityType: File
  fieldMappings:
  - columnName: FileCustomEntity
    identifier: Name