Microsoft Sentinel Analytic Rules

General Settings Updated

Id: 14003a45-da0b-47dc-8e20-9711ba7b5112
Rulename: General Settings Updated
Description: Detects when Veeam Backup & Replication general settings are updated. This might indicate configuration changes that require review.
Severity: Informational
Tactics: DefenseEvasion
Techniques: T1562.001
Required data connectors: Syslog, SyslogAma
Kind: Scheduled
Query frequency: 1d
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/General_Settings_Updated.yaml
Version: 1.0.0
Arm template: 14003a45-da0b-47dc-8e20-9711ba7b5112.json
// Source: Veeam Backup & Replication security events (function defined
// outside this page). Columns read below: TimeGenerated, original_host,
// instanceId, user, Description, SeverityDescription.
Veeam_GetSecurityEvents
// Event 31000 is the "general settings updated" event, per the rule description.
| where instanceId == 31000
// Keep only the columns the alert exposes; TimeGenerated is rendered as text
// and the original column is dropped.
| project
    Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
    DataSource = original_host,
    EventId = instanceId,
    // Presumably the account that made the change; not listed in the rule's
    // customDetails, so it is not surfaced on the alert.
    UserName = user,
  MessageDetails = Description,
    Severity = SeverityDescription
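# Scheduled Sentinel analytic rule for Veeam Backup & Replication event 31000
# ("general settings updated", per the description below). Every matching row
# becomes its own alert (aggregationKind: AlertPerResult).
tactics:
- DefenseEvasion
name: General Settings Updated
id: 14003a45-da0b-47dc-8e20-9711ba7b5112
requiredDataConnectors:
- connectorId: Syslog
  dataTypes:
  - Syslog
- connectorId: SyslogAma
  dataTypes:
  - Syslog
# KQL body as a literal block scalar. Keep it free of trailing whitespace:
# inside a block scalar trailing spaces become part of the query string.
query: |-
  Veeam_GetSecurityEvents
  | where instanceId == 31000
  | project
      Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
      DataSource = original_host,
      EventId = instanceId,
      UserName = user,
    MessageDetails = Description,
      Severity = SeverityDescription
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1562.001
description: Detects when Veeam Backup & Replication general settings are updated. This might indicate configuration changes that require review.
triggerOperator: gt
queryPeriod: 1d
severity: Informational
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/General_Settings_Updated.yaml
version: 1.0.0
triggerThreshold: 0
kind: Scheduled
queryFrequency: 1d
status: Available
# Query columns surfaced on the alert, keyed by display name.
# NOTE(review): the query projects UserName but it is not listed here and no
# entityMappings are defined, so the alert does not show who changed the
# settings — worth adding for triage.
customDetails:
  VbrHostName: DataSource
  EventId: EventId
  Severity: Severity
  Date: Date
  MessageDetails: MessageDetails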
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/14003a45-da0b-47dc-8e20-9711ba7b5112')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/14003a45-da0b-47dc-8e20-9711ba7b5112')]",
      "properties": {
        "alertRuleTemplateName": "14003a45-da0b-47dc-8e20-9711ba7b5112",
        "customDetails": {
          "Date": "Date",
          "EventId": "EventId",
          "MessageDetails": "MessageDetails",
          "Severity": "Severity",
          "VbrHostName": "DataSource"
        },
        "description": "Detects when Veeam Backup & Replication general settings are updated. This might indicate configuration changes that require review.",
        "displayName": "General Settings Updated",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/General_Settings_Updated.yaml",
        "query": "Veeam_GetSecurityEvents\n| where instanceId == 31000\n| project\n    Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),\n    DataSource = original_host,\n    EventId = instanceId,\n    UserName = user,\n  MessageDetails = Description,\n    Severity = SeverityDescription",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Informational",
        "status": "Available",
        "subTechniques": [
          "T1562.001"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}