Solutions/CyberArkEPM/Hunting Queries/CyberArkEPMRareProcessesRunByUsers.yaml (25 lines of code) (raw):
id: 9cf63647-4e05-47cc-90ac-4a17cfd06a05
name: CyberArkEPM - Rare process run by users
description: |
'Query shows rare process run by users.'
severity: Low
requiredDataConnectors:
- connectorId: CyberArkEPM
dataTypes:
- CyberArkEPM
tactics:
- Execution
relevantTechniques:
- T1204
query: |
CyberArkEPM
| where TimeGenerated > ago(24h)
| where isnotempty(ActingProcessFileInternalName)
| summarize count() by ActingProcessFileInternalName, ActorUsername
| top 25 by count_ asc
| extend AccountCustomEntity = ActorUsername
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity