Threats detected by ESET

Back


Id	64badfab-1dd8-4491-927b-3ca206fa9a17
Rulename	Threats detected by ESET
Description	Escalates threats detected by ESET.
Severity	Low
Tactics	Execution
Techniques	T1204
Required data connectors	ESETPROTECT SyslogAma
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESETPROTECT/Analytic Rules/ESETThreatDetected.yaml
Version	1.0.3
Arm template	64badfab-1dd8-4491-927b-3ca206fa9a17.json

KQL

ESETPROTECT
| where EventType == "Threat_Event"
| extend DvcHostname, SrcUserName, DvcIpAddr, FileHashSha1, FileHashAlgo = "SHA1"

YAML

kind: Scheduled
triggerThreshold: 0
id: 64badfab-1dd8-4491-927b-3ca206fa9a17
tactics:
- Execution
description: |
    'Escalates threats detected by ESET.'
requiredDataConnectors:
- dataTypes:
  - ESETPROTECT
  connectorId: ESETPROTECT
- datatypes:
  - Syslog
  connectorId: SyslogAma
queryPeriod: 5m
version: 1.0.3
severity: Low
entityMappings:
- fieldMappings:
  - columnName: SrcUserName
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: DvcHostname
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: DvcIpAddr
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: FileHashAlgo
    identifier: Algorithm
  - columnName: FileHashSha1
    identifier: Value
  entityType: FileHash
queryFrequency: 5m
relevantTechniques:
- T1204
name: Threats detected by ESET
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESETPROTECT/Analytic Rules/ESETThreatDetected.yaml
triggerOperator: gt
query: |
  ESETPROTECT
  | where EventType == "Threat_Event"
  | extend DvcHostname, SrcUserName, DvcIpAddr, FileHashSha1, FileHashAlgo = "SHA1"

ARM