Merge pull request #11266 from Azure/v-rusraut/issuefixed-11215

Repackaged for updated in Analytical Rule
Azure · Oct 14, 2024 · 56d6352 · 56d6352
2 parents fd82373 + bb13ddf
commit 56d6352
Show file tree

Hide file tree

Showing 4 changed files with 263 additions and 266 deletions.
diff --git a/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml b/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml
@@ -42,22 +42,19 @@ relevantTechniques:
 query: |
   _ASim_ProcessEvent
   | where EventType == 'ProcessCreated'
-  | extend CommandLineArgs = todynamic(array_slice(split(CommandLine, " "), 1, -1))
+  | extend CommandLineArgs = strcat_array(array_slice(split(CommandLine, " "), 1, -1), " ")
   | where strlen(CommandLineArgs) > 0
-  | mv-apply CommandLineArgs on 
-      (
-      where CommandLineArgs contains "base64"
-      )
+  | where CommandLineArgs contains "base64"
   | project
-      TimeGenerated,
-      DvcHostname,
-      DvcIpAddr,
-      DvcDomain,
-      TargetUsername,
-      TargetUsernameType,
-      TargetProcessName,
-      TargetProcessId,
-      CommandLine
+  TimeGenerated,
+  DvcHostname,
+  DvcIpAddr,
+  DvcDomain,
+  TargetUsername,
+  TargetUsernameType,
+  TargetProcessName,
+  TargetProcessId,
+  CommandLine
   | extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername)
   | extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)
   | extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)
@@ -94,5 +91,5 @@ eventGroupingSettings:
 alertDetailsOverride:
   alertDisplayNameFormat: "Process with suspicious command line arguments was created on {{DvcHostname}} ({{DvcIpAddr}}) by ({{TargetUsername}})"
   alertDescriptionFormat: "Process '{{TargetProcessName}}' ProcessId: '{{TargetProcessId}}' with commandline {{CommandLine}} was created."
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
diff --git a/Solutions/Malware Protection Essentials/Data/Solution_MalwareProtectionEssentials.json b/Solutions/Malware Protection Essentials/Data/Solution_MalwareProtectionEssentials.json
@@ -28,7 +28,7 @@
     ],
     "WorkbooksDescription": "This workbook provides details about Suspicious Malware Activities from File, Process and Registry events generated by EDR (Endpoint Detection and Response) solutions.",
     "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Malware Protection Essentials\\",
-    "Version": "3.0.0",
+    "Version": "3.0.1",
     "Metadata": "SolutionMetadata.json",
     "TemplateSpec": true,
     "Is1PConnector": false

diff --git a/Solutions/Malware Protection Essentials/Package/3.0.1.zip b/Solutions/Malware Protection Essentials/Package/3.0.1.zip