Solutions/Trend Micro Cloud App Security/Hunting Queries/TrendMicroCASRiskyUsers.yaml (24 lines of code) (raw):

id: 496a35f6-bc85-47f9-a48f-9a55d3c9530f
name: Trend Micro CAS - Risky users
description: |
  'Query searches for users with high number of threats.'
severity: Medium
requiredDataConnectors:
  - connectorId: TrendMicroCAS
    dataTypes:
      - TrendMicroCAS
tactics:
  - InitialAccess
relevantTechniques:
  - T1566
query: |
  TrendMicroCAS
  | where TimeGenerated > ago(24h)
  | where isnotempty(SecurityRiskName)
  | summarize threats = makeset(SecurityRiskName) by DstUserName
  | extend AccountCustomEntity = DstUserName
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
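To make the semantics of the KQL above concrete (the 24h window via `ago(24h)`, the `isnotempty()` filter, and `makeset()` collapsing repeated risk names per `DstUserName`), here is an added Python emulation run over constructed TrendMicroCAS-shaped events. It is not part of the Sentinel solution or of Trend Micro's code; the event rows, user names and risk names are invented sample data, and the `threat_count` field goes beyond the page's query by also counting distinct risks so results can be ranked.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of TrendMicroCAS-shaped events (not real telemetry).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"TimeGenerated": NOW - timedelta(hours=1), "DstUserName": "alice@example.com",
     "SecurityRiskName": "Phish.Generic"},
    {"TimeGenerated": NOW - timedelta(hours=2), "DstUserName": "alice@example.com",
     "SecurityRiskName": "Trojan.Downloader"},
    # Same risk name again for alice: makeset() keeps only one copy.
    {"TimeGenerated": NOW - timedelta(hours=3), "DstUserName": "alice@example.com",
     "SecurityRiskName": "Phish.Generic"},
    # Empty SecurityRiskName: dropped by isnotempty().
    {"TimeGenerated": NOW - timedelta(hours=5), "DstUserName": "bob@example.com",
     "SecurityRiskName": ""},
    # 30 hours old: outside the ago(24h) window.
    {"TimeGenerated": NOW - timedelta(hours=30), "DstUserName": "carol@example.com",
     "SecurityRiskName": "Phish.Generic"},
    {"TimeGenerated": NOW - timedelta(minutes=5), "DstUserName": "dave@example.com",
     "SecurityRiskName": "Ransom.Locky"},
]


def risky_users(events, now=None, lookback=timedelta(hours=24)):
    """Emulate the hunting query: keep events inside the lookback window that
    carry a non-empty SecurityRiskName, then collect the distinct risk names
    per DstUserName. Returns one row per user, keyed by user name."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - lookback
    per_user = {}
    for ev in events:
        # `where TimeGenerated > ago(24h)`: events at or before the cutoff are dropped.
        if ev["TimeGenerated"] <= cutoff:
            continue
        # `where isnotempty(SecurityRiskName)`: missing or empty strings are dropped.
        if not ev.get("SecurityRiskName"):
            continue
        per_user.setdefault(ev["DstUserName"], set()).add(ev["SecurityRiskName"])

    # `summarize threats = makeset(...) by DstUserName` plus the entity column;
    # threat_count is an addition (hypothetical) so analysts can rank users.
    return {
        user: {
            "threats": sorted(names),
            "threat_count": len(names),
            "AccountCustomEntity": user,
        }
        for user, names in per_user.items()
    }


if __name__ == "__main__":
    for user, row in sorted(risky_users(SAMPLE_EVENTS, now=NOW).items(),
                            key=lambda kv: -kv[1]["threat_count"]):
        print(user, row["threat_count"], row["threats"])
```

Two practitioner notes. First, the query as written returns every user with at least one non-empty risk name in the window; nothing in it applies a threshold, so the "high number of threats" in the description is left to the analyst, which is why the emulation adds a count to sort on. Second, `makeset()` is a deprecated alias in Kusto; `make_set()` is the current name and behaves the same here.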