Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Website blocked by ESET

Back
Id7b84fc5b-9ffb-4e9b-945b-5d480e330b3f
RulenameWebsite blocked by ESET
DescriptionCreate alert on websites blocked by ESET.
SeverityLow
TacticsExfiltration
CommandAndControl
InitialAccess
TechniquesT1041
T1071
T1189
T1566
Required data connectorsESETPROTECT
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESETPROTECT/Analytic Rules/ESETWebsiteBlocked.yaml
Version1.0.0
Arm template7b84fc5b-9ffb-4e9b-945b-5d480e330b3f.json
Deploy To Azure
ESETPROTECT
| where EventType == 'FilteredWebsites_Event'
| extend AccountCustomEntity = SrcUserName, URLCustomEntity = FilePath, HostCustomEntity = DvcHostname, IPCustomEntity = DvcIpAddr
severity: Low
triggerThreshold: 0
queryFrequency: 5m
requiredDataConnectors:
- connectorId: ESETPROTECT
  dataTypes:
  - ESETPROTECT
id: 7b84fc5b-9ffb-4e9b-945b-5d480e330b3f
version: 1.0.0
name: Website blocked by ESET
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESETPROTECT/Analytic Rules/ESETWebsiteBlocked.yaml
queryPeriod: 5m
relevantTechniques:
- T1041
- T1071
- T1189
- T1566
triggerOperator: gt
tactics:
- Exfiltration
- CommandAndControl
- InitialAccess
query: |
  ESETPROTECT
  | where EventType == 'FilteredWebsites_Event'
  | extend AccountCustomEntity = SrcUserName, URLCustomEntity = FilePath, HostCustomEntity = DvcHostname, IPCustomEntity = DvcIpAddr  
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: URLCustomEntity
description: |
    'Create alert on websites blocked by ESET.'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7b84fc5b-9ffb-4e9b-945b-5d480e330b3f')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7b84fc5b-9ffb-4e9b-945b-5d480e330b3f')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Website blocked by ESET",
        "description": "'Create alert on websites blocked by ESET.'\n",
        "severity": "Low",
        "enabled": true,
        "query": "ESETPROTECT\n| where EventType == 'FilteredWebsites_Event'\n| extend AccountCustomEntity = SrcUserName, URLCustomEntity = FilePath, HostCustomEntity = DvcHostname, IPCustomEntity = DvcIpAddr\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration",
          "CommandAndControl",
          "InitialAccess"
        ],
        "techniques": [
          "T1041",
          "T1071",
          "T1189",
          "T1566"
        ],
        "alertRuleTemplateName": "7b84fc5b-9ffb-4e9b-945b-5d480e330b3f",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ],
            "entityType": "IP"
          },
          {
            "fieldMappings": [
              {
                "columnName": "URLCustomEntity",
                "identifier": "Url"
              }
            ],
            "entityType": "URL"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESETPROTECT/Analytic Rules/ESETWebsiteBlocked.yaml",
        "templateVersion": "1.0.0"
      }
    }
  ]
}