PaloAlto - Put and post method request in high risk file type

let HighRiskFileType = dynamic(['.exe', '.msi', '.msp', '.jar', '.bat', '.cmd', '.js', '.jse', 'ws', '.ps1', '.ps2', '.msh']);
PaloAltoCDLEvent
| where EventResourceId =~ 'THREAT'
| where EventResult =~ 'file'
| where HttpRequestMethod has_any ("POST", "PUT")
| where FileType in (HighRiskFileType)
| extend FileCustomEntity = SrcFileName

status: Available
queryFrequency: 10m
queryPeriod: 10m
triggerOperator: gt
query: |
  let HighRiskFileType = dynamic(['.exe', '.msi', '.msp', '.jar', '.bat', '.cmd', '.js', '.jse', 'ws', '.ps1', '.ps2', '.msh']);
  PaloAltoCDLEvent
  | where EventResourceId =~ 'THREAT'
  | where EventResult =~ 'file'
  | where HttpRequestMethod has_any ("POST", "PUT")
  | where FileType in (HighRiskFileType)
  | extend FileCustomEntity = SrcFileName  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPutMethodInHighRiskFileType.yaml
tactics:
- InitialAccess
triggerThreshold: 0
entityMappings:
- entityType: File
  fieldMappings:
  - identifier: Name
    columnName: FileCustomEntity
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
kind: Scheduled
relevantTechniques:
- T1190
- T1133
description: |
    'Detects put and post method request in high risk file type.'
name: PaloAlto - Put and post method request in high risk file type
version: 1.0.4
id: f12e9d10-51ca-11ec-bf63-0242ac130002
severity: High