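# Hunting query for the CyberArk EPM data connector: surfaces processes whose
# internal file name was seen with more than one distinct hash in the last 24h.
# Indentation restored to the 2-space layout Sentinel query files use; the
# description no longer carries literal quotes inside its block scalar; the
# deprecated KQL alias makeset() is replaced by make_set().
id: 8d72be65-d837-4e86-bca8-4a30e6834a22
name: CyberArkEPM - Process hash changed
description: |
  Query shows processes whose hash has changed recently.
severity: Medium
requiredDataConnectors:
  - connectorId: CyberArkEPM
    dataTypes:
      - CyberArkEPM
tactics:
  - DefenseEvasion
relevantTechniques:
  # T1036 Masquerading: a binary reusing a known internal name but with a new hash.
  - T1036
# The lookback window (24h) is hard-coded in the query; adjust it there if the
# hunting cadence changes. Expect benign hits whenever a legitimate software
# update rolls out within the window, since any new build of the same binary
# yields a second hash — review the `hashes` set against the vendor's
# published versions/signatures before treating a row as suspicious.
query: |
  CyberArkEPM
  | where TimeGenerated > ago(24h)
  | where isnotempty(Hash)
  | summarize hashes = make_set(Hash) by ActingProcessFileInternalName
  | where array_length(hashes) > 1
  | extend FileCustomEntity = ActingProcessFileInternalName
entityMappings:
  - entityType: File
    fieldMappings:
      - identifier: Name
        columnName: FileCustomEntity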