Microsoft Sentinel Analytic Rules

General Settings Updated

Id: 14003a45-da0b-47dc-8e20-9711ba7b5112
Rulename: General Settings Updated
Description: Detects when Veeam Backup & Replication general settings are updated. This might indicate configuration changes that require review.
Severity: Informational
Tactics: DefenseEvasion
Techniques: T1562.001
Required data connectors: Syslog, SyslogAma
Kind: Scheduled
Query frequency: 1d
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/General_Settings_Updated.yaml
Version: 1.0.0
Arm template: 14003a45-da0b-47dc-8e20-9711ba7b5112.json
// Veeam Backup & Replication security events. Veeam_GetSecurityEvents is presumably a
// parser/function shipped with the Veeam solution (its definition is not on this page);
// the rule's required data connectors are Syslog and SyslogAma.
Veeam_GetSecurityEvents
// The rule treats instanceId 31000 as the "General Settings Updated" event; it is the
// only filter, so every such event over the 1d query period produces a row.
| where instanceId == 31000
// Shape the rows surfaced in the alert (customDetails reference these column names;
// VbrHostName is taken from DataSource).
// NOTE(review): UserName and DataSource are only projected columns — the rule declares
// no entityMappings, so the acting account and the VBR host are not available as
// Account/Host entities during incident investigation.
| project
    // Display string only: day.month.year hour:minute, no seconds and no timezone marker.
    Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
    DataSource = original_host,
    EventId = instanceId,
    UserName = user,
  MessageDetails = Description,
    // Severity text as reported by the source event, not the analytic rule's severity.
    Severity = SeverityDescription
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/General_Settings_Updated.yaml
# Together with triggerOperator gt: any row returned by the query raises an alert.
triggerThreshold: 0
severity: Informational
queryFrequency: 1d
# One alert per matching event row, rather than one alert per query run.
eventGroupingSettings:
  aggregationKind: AlertPerResult
# Alert custom detail name -> query output column (VbrHostName is the DataSource column).
# No entityMappings are declared in this rule, so UserName/DataSource are surfaced only
# as custom details, not as Account/Host entities.
customDetails:
  EventId: EventId
  Date: Date
  Severity: Severity
  MessageDetails: MessageDetails
  VbrHostName: DataSource
relevantTechniques:
- T1562.001
triggerOperator: gt
id: 14003a45-da0b-47dc-8e20-9711ba7b5112
# Either Syslog connector may feed the rule; the query itself reads the
# Veeam_GetSecurityEvents source (presumably a parser over Syslog — not shown here).
requiredDataConnectors:
- connectorId: Syslog
  dataTypes:
  - Syslog
- connectorId: SyslogAma
  dataTypes:
  - Syslog
version: 1.0.0
name: General Settings Updated
tactics:
- DefenseEvasion
description: Detects when Veeam Backup & Replication general settings are updated. This might indicate configuration changes that require review.
# Runs once per day (queryFrequency) over the preceding day (queryPeriod);
# instanceId 31000 is the general-settings-updated event this rule detects.
query: |-
  Veeam_GetSecurityEvents
  | where instanceId == 31000
  | project
      Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
      DataSource = original_host,
      EventId = instanceId,
      UserName = user,
    MessageDetails = Description,
      Severity = SeverityDescription  
status: Available
queryPeriod: 1d
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/14003a45-da0b-47dc-8e20-9711ba7b5112')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/14003a45-da0b-47dc-8e20-9711ba7b5112')]",
      "properties": {
        "alertRuleTemplateName": "14003a45-da0b-47dc-8e20-9711ba7b5112",
        "customDetails": {
          "Date": "Date",
          "EventId": "EventId",
          "MessageDetails": "MessageDetails",
          "Severity": "Severity",
          "VbrHostName": "DataSource"
        },
        "description": "Detects when Veeam Backup & Replication general settings are updated. This might indicate configuration changes that require review.",
        "displayName": "General Settings Updated",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/General_Settings_Updated.yaml",
        "query": "Veeam_GetSecurityEvents\n| where instanceId == 31000\n| project\n    Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),\n    DataSource = original_host,\n    EventId = instanceId,\n    UserName = user,\n  MessageDetails = Description,\n    Severity = SeverityDescription",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Informational",
        "status": "Available",
        "subTechniques": [
          "T1562.001"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}