Solutions/CyberArkEPM/Hunting Queries/CyberArkEPMSuspiciousActivityAttempts.yaml
id: e60cf50c-3ae0-44ac-9de1-ea13886973b8
name: CyberArkEPM - Suspicious activity attempts
description: |
  'Query shows suspicious activity attempts reported by CyberArk EPM in the last 24 hours.'
severity: Medium
requiredDataConnectors:
  - connectorId: CyberArkEPM
    dataTypes:
      - CyberArkEPM
tactics:
  - Execution
relevantTechniques:
  - T1204
query: |
  CyberArkEPM
  // limit the hunt to the last 24 hours of EPM events
  | where TimeGenerated > ago(24h)
  // keep only events EPM classified as suspicious activity attempts
  | where EventSubType =~ 'SuspiciousActivityAttempt'
  // expose the acting user as the Account entity for the entity mapping below
  | extend AccountCustomEntity = ActorUsername
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity