Threats detected by ESET

Back


Id	64badfab-1dd8-4491-927b-3ca206fa9a17
Rulename	Threats detected by ESET
Description	Escalates threats detected by ESET.
Severity	Low
Tactics	Execution
Techniques	T1204
Required data connectors	ESETPROTECT SyslogAma
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESETPROTECT/Analytic Rules/ESETThreatDetected.yaml
Version	1.0.3
Arm template	64badfab-1dd8-4491-927b-3ca206fa9a17.json

KQL

ESETPROTECT
| where EventType == "Threat_Event"
| extend DvcHostname, SrcUserName, DvcIpAddr, FileHashSha1, FileHashAlgo = "SHA1"

YAML

queryPeriod: 5m
query: |
  ESETPROTECT
  | where EventType == "Threat_Event"
  | extend DvcHostname, SrcUserName, DvcIpAddr, FileHashSha1, FileHashAlgo = "SHA1"  
name: Threats detected by ESET
entityMappings:
- fieldMappings:
  - columnName: SrcUserName
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: DvcHostname
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: DvcIpAddr
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: FileHashAlgo
    identifier: Algorithm
  - columnName: FileHashSha1
    identifier: Value
  entityType: FileHash
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESETPROTECT/Analytic Rules/ESETThreatDetected.yaml
requiredDataConnectors:
- connectorId: ESETPROTECT
  dataTypes:
  - ESETPROTECT
- connectorId: SyslogAma
  datatypes:
  - Syslog
description: |
    'Escalates threats detected by ESET.'
kind: Scheduled
version: 1.0.3
queryFrequency: 5m
severity: Low
relevantTechniques:
- T1204
triggerOperator: gt
triggerThreshold: 0
tactics:
- Execution
id: 64badfab-1dd8-4491-927b-3ca206fa9a17

ARM