Microsoft Sentinel Analytic Rules

Veeam ONE VM with No Backup

Id: 0e76e420-fa55-4718-adc6-40a1a76411af
Rulename: Veeam ONE VM with No Backup
Description: Detects Veeam ONE VMs with no backup.
Severity: High
Tactics: Impact
Techniques: T1490
Required data connectors: VeeamCustomTablesDataConnector
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Veeam_One_VM_with_no_backup.yaml
Version: 1.0.0
Arm template: 0e76e420-fa55-4718-adc6-40a1a76411af.json
// Select every Veeam ONE triggered-alarm row that carries predefined alarm id 314.
// NOTE(review): 314 is presumably the "VM with no backup" alarm, going by the rule name; verify against the Veeam ONE alarm list.
// NOTE(review): nothing here filters on alarm status or de-duplicates repeated rows for the same object; confirm that is intended.
VeeamOneTriggeredAlarms_CL
| where PredefinedAlarmId == 314
# Microsoft Sentinel scheduled analytics rule: raises an alert for each
# VeeamOneTriggeredAlarms_CL row whose PredefinedAlarmId equals 314.
id: 0e76e420-fa55-4718-adc6-40a1a76411af
name: 'Veeam ONE VM with No Backup'
description: 'Detects Veeam ONE VMs with no backup.'
severity: High
status: Available
kind: Scheduled
version: '1.0.0'
# The path contains a literal space ("Analytic Rules"); percent-encode it
# before handing the link to tooling that does not do so itself.
OriginalUri: 'https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Veeam_One_VM_with_no_backup.yaml'

# The rule reads a single custom table supplied by the Veeam connector.
requiredDataConnectors:
  - connectorId: VeeamCustomTablesDataConnector
    dataTypes:
      - VeeamOneTriggeredAlarms_CL

# MITRE ATT&CK mapping: T1490 is "Inhibit System Recovery" under the Impact
# tactic. A VM with no backup cannot be restored after destructive activity.
tactics:
  - Impact
relevantTechniques:
  - T1490

# NOTE(review): 314 is presumably the predefined "VM with no backup" alarm,
# going by the rule name; verify against the Veeam ONE alarm list.
# NOTE(review): the filter looks only at PredefinedAlarmId. The Status column
# is surfaced in customDetails but not filtered on; confirm whether rows for
# resolved or acknowledged alarms should alert as well.
query: 'VeeamOneTriggeredAlarms_CL | where PredefinedAlarmId == 314'

# The rule runs every five minutes over the preceding five minutes. The
# lookback equals the run interval, so a row that arrives in the workspace
# later than its timestamp can fall outside every window.
# NOTE(review): confirm ingestion latency for this custom table; if it is
# material, widen queryPeriod and bound the query on ingestion_time().
queryFrequency: 5m
queryPeriod: 5m

# "gt 0" fires as soon as the query returns any row.
triggerOperator: gt
triggerThreshold: 0

# One alert per returned row rather than one alert per query run.
eventGroupingSettings:
  aggregationKind: AlertPerResult

# Each entry surfaces the same-named query column on the alert.
# This rule defines no entityMappings, so its alerts carry no Sentinel
# entities for correlation or investigation.
# NOTE(review): consider mapping a host or resource column once the
# table schema is confirmed.
customDetails:
  Comment: Comment
  Description: Description
  Name: Name
  ObjectId: ObjectId
  ObjectName: ObjectName
  ObjectType: ObjectType
  PredefinedAlarmId: PredefinedAlarmId
  Status: Status
  TriggeredAlarmId: TriggeredAlarmId
  TriggeredTime: TriggeredTime
  VoneHostName: VoneHostName
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0e76e420-fa55-4718-adc6-40a1a76411af')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0e76e420-fa55-4718-adc6-40a1a76411af')]",
      "properties": {
        "alertRuleTemplateName": "0e76e420-fa55-4718-adc6-40a1a76411af",
        "customDetails": {
          "Comment": "Comment",
          "Description": "Description",
          "Name": "Name",
          "ObjectId": "ObjectId",
          "ObjectName": "ObjectName",
          "ObjectType": "ObjectType",
          "PredefinedAlarmId": "PredefinedAlarmId",
          "Status": "Status",
          "TriggeredAlarmId": "TriggeredAlarmId",
          "TriggeredTime": "TriggeredTime",
          "VoneHostName": "VoneHostName"
        },
        "description": "Detects Veeam ONE VMs with no backup.",
        "displayName": "Veeam ONE VM with No Backup",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Veeam_One_VM_with_no_backup.yaml",
        "query": "VeeamOneTriggeredAlarms_CL | where PredefinedAlarmId == 314",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1490"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}