Web sites blocked by Eset
| Id | 84ad2f8a-b64c-49bc-b669-bdb4fd3071e9 |
| Rulename | Web sites blocked by Eset |
| Description | Create alert on web sites blocked by Eset. |
| Severity | Low |
| Tactics | Exfiltration CommandAndControl InitialAccess |
| Techniques | T1189 T1567 T1071.001 |
| Required data connectors | EsetSMC |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Eset Security Management Center/Analytic Rules/eset-sites-blocked.yaml |
| Version | 1.0.1 |
| Arm template | 84ad2f8a-b64c-49bc-b669-bdb4fd3071e9.json |
// Detection query for the "Web sites blocked by Eset" scheduled rule.
// Selects the Eset website-filtering events from the eset_CL custom log
// table and exposes the user, URL, host and IP columns under the
// *CustomEntity names that the rule's entity mappings refer to.
eset_CL
// Case-sensitive match: only the website-filter event type is of interest.
| where event_type_s == 'FilteredWebsites_Event'
// One projection per entity column; same output columns and order as a
// single combined extend.
| extend AccountCustomEntity = username_s
| extend URLCustomEntity = object_uri_s
| extend HostCustomEntity = hostname_s
| extend IPCustomEntity = ipv4_s
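# Microsoft Sentinel scheduled analytic rule: alert on web sites blocked by Eset.
# The source for this block had lost its indentation; it is restored here
# following the Sentinel analytic-rule schema. The only value change is the
# description, which previously carried literal quote characters inside the
# block scalar (they became part of the displayed text).
name: Web sites blocked by Eset
relevantTechniques:
  - T1189
  - T1567
  - T1071.001
id: 84ad2f8a-b64c-49bc-b669-bdb4fd3071e9
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Eset Security Management Center/Analytic Rules/eset-sites-blocked.yaml
requiredDataConnectors:
  - dataTypes:
      - eset_CL
    connectorId: EsetSMC
# Quoted so no parser can read the version as a number.
version: "1.0.1"
severity: Low
# threshold 0 with operator gt: any matching row in the query window raises
# an alert. With a 5m frequency/period this fires once per run in which at
# least one block event arrived; consider alert grouping or a higher
# threshold if the volume of routine blocks is high in your environment.
triggerThreshold: 0
queryPeriod: 5m
# Each mapping reads one of the *CustomEntity columns produced by the query.
entityMappings:
  - fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
    entityType: Account
  - fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity
    entityType: Host
  - fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
    entityType: IP
  - fieldMappings:
      - identifier: Url
        columnName: URLCustomEntity
    entityType: URL
queryFrequency: 5m
status: Available
# No explicit time filter is needed: queryPeriod defines the lookback window
# for a scheduled rule.
query: |
  eset_CL
  | where event_type_s == 'FilteredWebsites_Event'
  | extend AccountCustomEntity = username_s, URLCustomEntity = object_uri_s, HostCustomEntity = hostname_s, IPCustomEntity = ipv4_s
tactics:
  - Exfiltration
  - CommandAndControl
  - InitialAccess
kind: Scheduled
description: |
  Create alert on web sites blocked by Eset.
triggerOperator: gt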