Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Threats detected by Eset

Back
Id2d8a60aa-c15e-442e-9ce3-ee924889d2a6
RulenameThreats detected by Eset
DescriptionEscalates threats detected by Eset.
SeverityLow
TacticsExecution
CredentialAccess
PrivilegeEscalation
TechniquesT1204
T1212
T1548
Required data connectorsEsetSMC
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Eset Security Management Center/Analytic Rules/eset-threats.yaml
Version1.0.1
Arm template2d8a60aa-c15e-442e-9ce3-ee924889d2a6.json
Deploy To Azure
eset_CL
| where event_type_s == "Threat_Event"
| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s
queryPeriod: 5m
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
relevantTechniques:
- T1204
- T1212
- T1548
severity: Low
requiredDataConnectors:
- connectorId: EsetSMC
  dataTypes:
  - eset_CL
id: 2d8a60aa-c15e-442e-9ce3-ee924889d2a6
triggerOperator: gt
kind: Scheduled
query: |
  eset_CL
  | where event_type_s == "Threat_Event"
  | extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s  
tactics:
- Execution
- CredentialAccess
- PrivilegeEscalation
triggerThreshold: 0
queryFrequency: 5m
status: Available
description: |
    'Escalates threats detected by Eset.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Eset Security Management Center/Analytic Rules/eset-threats.yaml
name: Threats detected by Eset
version: 1.0.1
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2d8a60aa-c15e-442e-9ce3-ee924889d2a6')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2d8a60aa-c15e-442e-9ce3-ee924889d2a6')]",
      "properties": {
        "alertRuleTemplateName": "2d8a60aa-c15e-442e-9ce3-ee924889d2a6",
        "customDetails": null,
        "description": "'Escalates threats detected by Eset.'\n",
        "displayName": "Threats detected by Eset",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Eset Security Management Center/Analytic Rules/eset-threats.yaml",
        "query": "eset_CL\n| where event_type_s == \"Threat_Event\"\n| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Execution",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1204",
          "T1212",
          "T1548"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}