Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Threats detected by Eset

Back
Id2d8a60aa-c15e-442e-9ce3-ee924889d2a6
RulenameThreats detected by Eset
DescriptionEscalates threats detected by Eset.
SeverityLow
TacticsExecution
CredentialAccess
PrivilegeEscalation
TechniquesT1204
T1212
T1548
Required data connectorsEsetSMC
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Eset Security Management Center/Analytic Rules/eset-threats.yaml
Version1.0.1
Arm template2d8a60aa-c15e-442e-9ce3-ee924889d2a6.json
Deploy To Azure
eset_CL
| where event_type_s == "Threat_Event"
| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Eset Security Management Center/Analytic Rules/eset-threats.yaml
query: |
  eset_CL
  | where event_type_s == "Threat_Event"
  | extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s  
description: |
    'Escalates threats detected by Eset.'
severity: Low
requiredDataConnectors:
- dataTypes:
  - eset_CL
  connectorId: EsetSMC
name: Threats detected by Eset
triggerThreshold: 0
tactics:
- Execution
- CredentialAccess
- PrivilegeEscalation
version: 1.0.1
relevantTechniques:
- T1204
- T1212
- T1548
triggerOperator: gt
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
id: 2d8a60aa-c15e-442e-9ce3-ee924889d2a6
status: Available
kind: Scheduled
queryFrequency: 5m
queryPeriod: 5m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2d8a60aa-c15e-442e-9ce3-ee924889d2a6')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2d8a60aa-c15e-442e-9ce3-ee924889d2a6')]",
      "properties": {
        "alertRuleTemplateName": "2d8a60aa-c15e-442e-9ce3-ee924889d2a6",
        "customDetails": null,
        "description": "'Escalates threats detected by Eset.'\n",
        "displayName": "Threats detected by Eset",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Eset Security Management Center/Analytic Rules/eset-threats.yaml",
        "query": "eset_CL\n| where event_type_s == \"Threat_Event\"\n| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Execution",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1204",
          "T1212",
          "T1548"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}