Solutions/CyberArkEPM/Hunting Queries/CyberArkEPMPowershellExecutionParameters.yaml (25 lines of code) (raw):
id: f1490e77-2a5e-4f07-afd9-c2bb20e26d30
name: CyberArkEPM - Powershell scripts execution parameters
description: |
'Query shows powershell scripts execution parameters.'
severity: Low
requiredDataConnectors:
- connectorId: CyberArkEPM
dataTypes:
- CyberArkEPM
tactics:
- Execution
relevantTechniques:
- T1204
- T1059
query: |
CyberArkEPM
| where TimeGenerated > ago(24h)
| where ActingProcessFileInternalName =~ 'powershell.exe'
| summarize count() by ActorUsername, ActingProcessCommandLine
| extend AccountCustomEntity = ActorUsername
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity