POST https://graph.microsoft.com/beta/security/rules/detectionRules
Content-Type: application/json
{
"@odata.type": "#microsoft.graph.security.detectionRule",
"id": "office-encoded-powershell",
"displayName": "Suspicious encoded PowerShell from Office",
"description": "Detects encoded PowerShell processes launched by Office applications, a common phishing payload pattern.",
"status": "enabled",
"queryCondition": {
"queryText": "DeviceProcessEvents | where InitiatingProcessFileName in~ ('winword.exe','excel.exe','outlook.exe') | where FileName == 'powershell.exe' | where ProcessCommandLine has '-enc'"
},
"schedule": {
"frequency": "PT1H"
},
"detectionAction": {
"alertTemplate": {
"title": "Suspicious encoded PowerShell from Office",
"description": "An Office app launched an encoded PowerShell command, which may indicate phishing-driven code execution.",
"severity": "high",
"recommendedActions": "Investigate the parent Office document, isolate the device, and review the user's recent email activity.",
"entityMappings": {
"accounts": [
{
"nameColumn": "AccountName",
"ntDomainColumn": "AccountDomain",
"sidColumn": "AccountSid"
}
],
"hosts": [
{
"deviceIdColumn": "DeviceId",
"nameColumn": "DeviceName"
}
],
"files": [
{
"nameColumn": "FileName",
"sha1Column": "SHA1",
"sha256Column": "SHA256"
}
]
},
"tactics": [
{
"tactic": "Execution",
"techniques": [
{
"technique": "T1059.001"
}
]
}
]
}
}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models.Security;
using Microsoft.Kiota.Abstractions.Serialization;
var requestBody = new DetectionRule
{
OdataType = "#microsoft.graph.security.detectionRule",
Id = "office-encoded-powershell",
DisplayName = "Suspicious encoded PowerShell from Office",
QueryCondition = new QueryCondition
{
QueryText = "DeviceProcessEvents | where InitiatingProcessFileName in~ ('winword.exe','excel.exe','outlook.exe') | where FileName == 'powershell.exe' | where ProcessCommandLine has '-enc'",
},
Schedule = new RuleSchedule
{
AdditionalData = new Dictionary<string, object>
{
{
"frequency" , "PT1H"
},
},
},
DetectionAction = new DetectionAction
{
AlertTemplate = new AlertTemplate
{
Title = "Suspicious encoded PowerShell from Office",
Description = "An Office app launched an encoded PowerShell command, which may indicate phishing-driven code execution.",
Severity = AlertSeverity.High,
RecommendedActions = "Investigate the parent Office document, isolate the device, and review the user's recent email activity.",
AdditionalData = new Dictionary<string, object>
{
{
"entityMappings" , new UntypedObject(new Dictionary<string, UntypedNode>
{
{
"accounts", new UntypedArray(new List<UntypedNode>
{
new UntypedObject(new Dictionary<string, UntypedNode>
{
{
"nameColumn", new UntypedString("AccountName")
},
{
"ntDomainColumn", new UntypedString("AccountDomain")
},
{
"sidColumn", new UntypedString("AccountSid")
},
}),
})
},
{
"hosts", new UntypedArray(new List<UntypedNode>
{
new UntypedObject(new Dictionary<string, UntypedNode>
{
{
"deviceIdColumn", new UntypedString("DeviceId")
},
{
"nameColumn", new UntypedString("DeviceName")
},
}),
})
},
{
"files", new UntypedArray(new List<UntypedNode>
{
new UntypedObject(new Dictionary<string, UntypedNode>
{
{
"nameColumn", new UntypedString("FileName")
},
{
"sha1Column", new UntypedString("SHA1")
},
{
"sha256Column", new UntypedString("SHA256")
},
}),
})
},
})
},
{
"tactics" , new List<object>
{
new UntypedObject(new Dictionary<string, UntypedNode>
{
{
"tactic", new UntypedString("Execution")
},
{
"techniques", new UntypedArray(new List<UntypedNode>
{
new UntypedObject(new Dictionary<string, UntypedNode>
{
{
"technique", new UntypedString("T1059.001")
},
}),
})
},
}),
}
},
},
},
},
AdditionalData = new Dictionary<string, object>
{
{
"description" , "Detects encoded PowerShell processes launched by Office applications, a common phishing payload pattern."
},
{
"status" , "enabled"
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Security.Rules.DetectionRules.PostAsync(requestBody);
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
com.microsoft.graph.beta.models.security.DetectionRule detectionRule = new com.microsoft.graph.beta.models.security.DetectionRule();
detectionRule.setOdataType("#microsoft.graph.security.detectionRule");
detectionRule.setId("office-encoded-powershell");
detectionRule.setDisplayName("Suspicious encoded PowerShell from Office");
com.microsoft.graph.beta.models.security.QueryCondition queryCondition = new com.microsoft.graph.beta.models.security.QueryCondition();
queryCondition.setQueryText("DeviceProcessEvents | where InitiatingProcessFileName in~ ('winword.exe','excel.exe','outlook.exe') | where FileName == 'powershell.exe' | where ProcessCommandLine has '-enc'");
detectionRule.setQueryCondition(queryCondition);
com.microsoft.graph.beta.models.security.RuleSchedule schedule = new com.microsoft.graph.beta.models.security.RuleSchedule();
HashMap<String, Object> additionalData = new HashMap<String, Object>();
additionalData.put("frequency", "PT1H");
schedule.setAdditionalData(additionalData);
detectionRule.setSchedule(schedule);
com.microsoft.graph.beta.models.security.DetectionAction detectionAction = new com.microsoft.graph.beta.models.security.DetectionAction();
com.microsoft.graph.beta.models.security.AlertTemplate alertTemplate = new com.microsoft.graph.beta.models.security.AlertTemplate();
alertTemplate.setTitle("Suspicious encoded PowerShell from Office");
alertTemplate.setDescription("An Office app launched an encoded PowerShell command, which may indicate phishing-driven code execution.");
alertTemplate.setSeverity(com.microsoft.graph.beta.models.security.AlertSeverity.High);
alertTemplate.setRecommendedActions("Investigate the parent Office document, isolate the device, and review the user's recent email activity.");
HashMap<String, Object> additionalData1 = new HashMap<String, Object>();
entityMappings = new ();
LinkedList<Object> accounts = new LinkedList<Object>();
property = new ();
property.setNameColumn("AccountName");
property.setNtDomainColumn("AccountDomain");
property.setSidColumn("AccountSid");
accounts.add(property);
entityMappings.setAccounts(accounts);
LinkedList<Object> hosts = new LinkedList<Object>();
property1 = new ();
property1.setDeviceIdColumn("DeviceId");
property1.setNameColumn("DeviceName");
hosts.add(property1);
entityMappings.setHosts(hosts);
LinkedList<Object> files = new LinkedList<Object>();
property2 = new ();
property2.setNameColumn("FileName");
property2.setSha1Column("SHA1");
property2.setSha256Column("SHA256");
files.add(property2);
entityMappings.setFiles(files);
additionalData1.put("entityMappings", entityMappings);
LinkedList<Object> tactics = new LinkedList<Object>();
property3 = new ();
property3.setTactic("Execution");
LinkedList<Object> techniques = new LinkedList<Object>();
property4 = new ();
property4.setTechnique("T1059.001");
techniques.add(property4);
property3.setTechniques(techniques);
tactics.add(property3);
additionalData1.put("tactics", tactics);
alertTemplate.setAdditionalData(additionalData1);
detectionAction.setAlertTemplate(alertTemplate);
detectionRule.setDetectionAction(detectionAction);
HashMap<String, Object> additionalData2 = new HashMap<String, Object>();
additionalData2.put("description", "Detects encoded PowerShell processes launched by Office applications, a common phishing payload pattern.");
additionalData2.put("status", "enabled");
detectionRule.setAdditionalData(additionalData2);
com.microsoft.graph.models.security.DetectionRule result = graphClient.security().rules().detectionRules().post(detectionRule);
const options = {
authProvider,
};
const client = Client.init(options);
const detectionRule = {
'@odata.type': '#microsoft.graph.security.detectionRule',
id: 'office-encoded-powershell',
displayName: 'Suspicious encoded PowerShell from Office',
description: 'Detects encoded PowerShell processes launched by Office applications, a common phishing payload pattern.',
status: 'enabled',
queryCondition: {
queryText: 'DeviceProcessEvents | where InitiatingProcessFileName in~ (\'winword.exe\',\'excel.exe\',\'outlook.exe\') | where FileName == \'powershell.exe\' | where ProcessCommandLine has \'-enc\''
},
schedule: {
frequency: 'PT1H'
},
detectionAction: {
alertTemplate: {
title: 'Suspicious encoded PowerShell from Office',
description: 'An Office app launched an encoded PowerShell command, which may indicate phishing-driven code execution.',
severity: 'high',
recommendedActions: 'Investigate the parent Office document, isolate the device, and review the user\'s recent email activity.',
entityMappings: {
accounts: [
{
nameColumn: 'AccountName',
ntDomainColumn: 'AccountDomain',
sidColumn: 'AccountSid'
}
],
hosts: [
{
deviceIdColumn: 'DeviceId',
nameColumn: 'DeviceName'
}
],
files: [
{
nameColumn: 'FileName',
sha1Column: 'SHA1',
sha256Column: 'SHA256'
}
]
},
tactics: [
{
tactic: 'Execution',
techniques: [
{
technique: 'T1059.001'
}
]
}
]
}
}
};
await client.api('/security/rules/detectionRules')
.version('beta')
.post(detectionRule);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\Security\DetectionRule;
use Microsoft\Graph\Beta\Generated\Models\Security\QueryCondition;
use Microsoft\Graph\Beta\Generated\Models\Security\RuleSchedule;
use Microsoft\Graph\Beta\Generated\Models\Security\DetectionAction;
use Microsoft\Graph\Beta\Generated\Models\Security\AlertTemplate;
use Microsoft\Graph\Beta\Generated\Models\Security\AlertSeverity;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new DetectionRule();
$requestBody->setOdataType('#microsoft.graph.security.detectionRule');
$requestBody->setId('office-encoded-powershell');
$requestBody->setDisplayName('Suspicious encoded PowerShell from Office');
$queryCondition = new QueryCondition();
$queryCondition->setQueryText('DeviceProcessEvents | where InitiatingProcessFileName in~ (\'winword.exe\',\'excel.exe\',\'outlook.exe\') | where FileName == \'powershell.exe\' | where ProcessCommandLine has \'-enc\'');
$requestBody->setQueryCondition($queryCondition);
$schedule = new RuleSchedule();
$additionalData = [
'frequency' => 'PT1H',
];
$schedule->setAdditionalData($additionalData);
$requestBody->setSchedule($schedule);
$detectionAction = new DetectionAction();
$detectionActionAlertTemplate = new AlertTemplate();
$detectionActionAlertTemplate->setTitle('Suspicious encoded PowerShell from Office');
$detectionActionAlertTemplate->setDescription('An Office app launched an encoded PowerShell command, which may indicate phishing-driven code execution.');
$detectionActionAlertTemplate->setSeverity(new AlertSeverity('high'));
$detectionActionAlertTemplate->setRecommendedActions('Investigate the parent Office document, isolate the device, and review the user\'s recent email activity.');
$additionalData = [
'entityMappings' => [
'accounts' => [
[
'nameColumn' => 'AccountName',
'ntDomainColumn' => 'AccountDomain',
'sidColumn' => 'AccountSid',
],
],
'hosts' => [
[
'deviceIdColumn' => 'DeviceId',
'nameColumn' => 'DeviceName',
],
],
'files' => [
[
'nameColumn' => 'FileName',
'sha1Column' => 'SHA1',
'sha256Column' => 'SHA256',
],
],
],
'tactics' => [
[
'tactic' => 'Execution',
'techniques' => [
[
'technique' => 'T1059.001',
],
],
],
],
];
$detectionActionAlertTemplate->setAdditionalData($additionalData);
$detectionAction->setAlertTemplate($detectionActionAlertTemplate);
$requestBody->setDetectionAction($detectionAction);
$additionalData = [
'description' => 'Detects encoded PowerShell processes launched by Office applications, a common phishing payload pattern.',
'status' => 'enabled',
];
$requestBody->setAdditionalData($additionalData);
$result = $graphServiceClient->security()->rules()->detectionRules()->post($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Security
$params = @{
"@odata.type" = "#microsoft.graph.security.detectionRule"
id = "office-encoded-powershell"
displayName = "Suspicious encoded PowerShell from Office"
description = "Detects encoded PowerShell processes launched by Office applications, a common phishing payload pattern."
status = "enabled"
queryCondition = @{
queryText = "DeviceProcessEvents | where InitiatingProcessFileName in~ ('winword.exe','excel.exe','outlook.exe') | where FileName == 'powershell.exe' | where ProcessCommandLine has '-enc'"
}
schedule = @{
frequency = "PT1H"
}
detectionAction = @{
alertTemplate = @{
title = "Suspicious encoded PowerShell from Office"
description = "An Office app launched an encoded PowerShell command, which may indicate phishing-driven code execution."
severity = "high"
recommendedActions = "Investigate the parent Office document, isolate the device, and review the user's recent email activity."
entityMappings = @{
accounts = @(
@{
nameColumn = "AccountName"
ntDomainColumn = "AccountDomain"
sidColumn = "AccountSid"
}
)
hosts = @(
@{
deviceIdColumn = "DeviceId"
nameColumn = "DeviceName"
}
)
files = @(
@{
nameColumn = "FileName"
sha1Column = "SHA1"
sha256Column = "SHA256"
}
)
}
tactics = @(
@{
tactic = "Execution"
techniques = @(
@{
technique = "T1059.001"
}
)
}
)
}
}
}
New-MgBetaSecurityRuleDetectionRule -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.security.detection_rule import DetectionRule
from msgraph_beta.generated.models.security.query_condition import QueryCondition
from msgraph_beta.generated.models.security.rule_schedule import RuleSchedule
from msgraph_beta.generated.models.security.detection_action import DetectionAction
from msgraph_beta.generated.models.security.alert_template import AlertTemplate
from msgraph_beta.generated.models.alert_severity import AlertSeverity
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = DetectionRule(
odata_type = "#microsoft.graph.security.detectionRule",
id = "office-encoded-powershell",
display_name = "Suspicious encoded PowerShell from Office",
query_condition = QueryCondition(
query_text = "DeviceProcessEvents | where InitiatingProcessFileName in~ ('winword.exe','excel.exe','outlook.exe') | where FileName == 'powershell.exe' | where ProcessCommandLine has '-enc'",
),
schedule = RuleSchedule(
additional_data = {
"frequency" : "PT1H",
}
),
detection_action = DetectionAction(
alert_template = AlertTemplate(
title = "Suspicious encoded PowerShell from Office",
description = "An Office app launched an encoded PowerShell command, which may indicate phishing-driven code execution.",
severity = AlertSeverity.High,
recommended_actions = "Investigate the parent Office document, isolate the device, and review the user's recent email activity.",
additional_data = {
"entity_mappings" : {
"accounts" : [
{
"name_column" : "AccountName",
"nt_domain_column" : "AccountDomain",
"sid_column" : "AccountSid",
},
],
"hosts" : [
{
"device_id_column" : "DeviceId",
"name_column" : "DeviceName",
},
],
"files" : [
{
"name_column" : "FileName",
"sha1_column" : "SHA1",
"sha256_column" : "SHA256",
},
],
},
"tactics" : [
{
"tactic" : "Execution",
"techniques" : [
{
"technique" : "T1059.001",
},
],
},
],
}
),
),
additional_data = {
"description" : "Detects encoded PowerShell processes launched by Office applications, a common phishing payload pattern.",
"status" : "enabled",
}
)
result = await graph_client.security.rules.detection_rules.post(request_body)