Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Threats detected by Eset

Back
Id2d8a60aa-c15e-442e-9ce3-ee924889d2a6
RulenameThreats detected by Eset
DescriptionEscalates threats detected by Eset.
SeverityLow
TacticsExecution
CredentialAccess
PrivilegeEscalation
TechniquesT1204
T1212
T1548
Required data connectorsEsetSMC
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Eset Security Management Center/Analytic Rules/eset-threats.yaml
Version1.0.1
Arm template2d8a60aa-c15e-442e-9ce3-ee924889d2a6.json
Deploy To Azure
eset_CL
| where event_type_s == "Threat_Event"
| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s
tactics:
- Execution
- CredentialAccess
- PrivilegeEscalation
name: Threats detected by Eset
id: 2d8a60aa-c15e-442e-9ce3-ee924889d2a6
requiredDataConnectors:
- connectorId: EsetSMC
  dataTypes:
  - eset_CL
query: |
  eset_CL
  | where event_type_s == "Threat_Event"
  | extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s  
relevantTechniques:
- T1204
- T1212
- T1548
description: |
    'Escalates threats detected by Eset.'
triggerOperator: gt
queryPeriod: 5m
severity: Low
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
version: 1.0.1
triggerThreshold: 0
kind: Scheduled
queryFrequency: 5m
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Eset Security Management Center/Analytic Rules/eset-threats.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2d8a60aa-c15e-442e-9ce3-ee924889d2a6')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2d8a60aa-c15e-442e-9ce3-ee924889d2a6')]",
      "properties": {
        "alertRuleTemplateName": "2d8a60aa-c15e-442e-9ce3-ee924889d2a6",
        "customDetails": null,
        "description": "'Escalates threats detected by Eset.'\n",
        "displayName": "Threats detected by Eset",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Eset Security Management Center/Analytic Rules/eset-threats.yaml",
        "query": "eset_CL\n| where event_type_s == \"Threat_Event\"\n| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Execution",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1204",
          "T1212",
          "T1548"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}