# Solutions/CyberArkEPM/Hunting Queries/CyberArkEPMProcessesAccessedInternet.yaml
id: cff4d318-eaec-43c9-8c3e-84f74c789b98
name: CyberArkEPM - Processes with Internet access attempts
description: |
  'Query shows processes that attempted to access the Internet.'
severity: Medium
requiredDataConnectors:
  - connectorId: CyberArkEPM
    dataTypes:
      - CyberArkEPM
tactics:
  - CommandAndControl
relevantTechniques:
  - T1095
query: |
  CyberArkEPM
  // Look back over the last 24 hours of EPM events
  | where TimeGenerated > ago(24h)
  // Keep only events that EPM classifies as Internet access attempts (case-insensitive match)
  | where EventSubType in~ ('DetectAccessInternet', 'Internet')
  // One row per process / user pair with the number of attempts seen
  | summarize count() by ActingProcessFileInternalName, ActorUsername
  // Expose the user as an Account entity for the entity mapping below
  | extend AccountCustomEntity = ActorUsername
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity