Web sites blocked by Eset
| Id | 84ad2f8a-b64c-49bc-b669-bdb4fd3071e9 |
| Rulename | Web sites blocked by Eset |
| Description | Create alert on web sites blocked by Eset. |
| Severity | Low |
| Tactics | Exfiltration CommandAndControl InitialAccess |
| Techniques | T1189 T1567 T1071.001 |
| Required data connectors | EsetSMC |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Eset Security Management Center/Analytic Rules/eset-sites-blocked.yaml |
| Version | 1.0.1 |
| Arm template | 84ad2f8a-b64c-49bc-b669-bdb4fd3071e9.json |
eset_CL
| where event_type_s == 'FilteredWebsites_Event'
| extend AccountCustomEntity = username_s, URLCustomEntity = object_uri_s, HostCustomEntity = hostname_s, IPCustomEntity = ipv4_s
query: |
eset_CL
| where event_type_s == 'FilteredWebsites_Event'
| extend AccountCustomEntity = username_s, URLCustomEntity = object_uri_s, HostCustomEntity = hostname_s, IPCustomEntity = ipv4_s
version: 1.0.1
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Eset Security Management Center/Analytic Rules/eset-sites-blocked.yaml
status: Available
description: |
'Create alert on web sites blocked by Eset.'
queryFrequency: 5m
name: Web sites blocked by Eset
kind: Scheduled
triggerThreshold: 0
id: 84ad2f8a-b64c-49bc-b669-bdb4fd3071e9
requiredDataConnectors:
- connectorId: EsetSMC
dataTypes:
- eset_CL
severity: Low
queryPeriod: 5m
entityMappings:
- fieldMappings:
- columnName: AccountCustomEntity
identifier: FullName
entityType: Account
- fieldMappings:
- columnName: HostCustomEntity
identifier: FullName
entityType: Host
- fieldMappings:
- columnName: IPCustomEntity
identifier: Address
entityType: IP
- fieldMappings:
- columnName: URLCustomEntity
identifier: Url
entityType: URL
relevantTechniques:
- T1189
- T1567
- T1071.001
tactics:
- Exfiltration
- CommandAndControl
- InitialAccess