Veeam ONE Malware Detection Change Tracking

Back


Id	2a860019-0eda-4b49-bc62-8f683aed4929
Rulename	Veeam ONE Malware Detection Change Tracking
Description	Detects changes in Veeam ONE malware detection tracking.
Severity	High
Tactics	Impact
Techniques	T1486
Required data connectors	VeeamCustomTablesDataConnector
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Veeam_One_Veeam_malware_detection_change_tracking.yaml
Version	1.0.0
Arm template	2a860019-0eda-4b49-bc62-8f683aed4929.json

KQL

VeeamOneTriggeredAlarms_CL | where PredefinedAlarmId == 403

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Veeam_One_Veeam_malware_detection_change_tracking.yaml
triggerThreshold: 0
severity: High
queryFrequency: 5m
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  TriggeredAlarmId: TriggeredAlarmId
  Status: Status
  Comment: Comment
  ObjectName: ObjectName
  Description: Description
  VoneHostName: VoneHostName
  ObjectType: ObjectType
  Name: Name
  PredefinedAlarmId: PredefinedAlarmId
  TriggeredTime: TriggeredTime
  ObjectId: ObjectId
relevantTechniques:
- T1486
triggerOperator: gt
id: 2a860019-0eda-4b49-bc62-8f683aed4929
requiredDataConnectors:
- connectorId: VeeamCustomTablesDataConnector
  dataTypes:
  - VeeamOneTriggeredAlarms_CL
version: 1.0.0
name: Veeam ONE Malware Detection Change Tracking
tactics:
- Impact
description: Detects changes in Veeam ONE malware detection tracking.
query: VeeamOneTriggeredAlarms_CL | where PredefinedAlarmId == 403
status: Available
queryPeriod: 5m
kind: Scheduled

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2a860019-0eda-4b49-bc62-8f683aed4929')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2a860019-0eda-4b49-bc62-8f683aed4929')]",
      "properties": {
        "alertRuleTemplateName": "2a860019-0eda-4b49-bc62-8f683aed4929",
        "customDetails": {
          "Comment": "Comment",
          "Description": "Description",
          "Name": "Name",
          "ObjectId": "ObjectId",
          "ObjectName": "ObjectName",
          "ObjectType": "ObjectType",
          "PredefinedAlarmId": "PredefinedAlarmId",
          "Status": "Status",
          "TriggeredAlarmId": "TriggeredAlarmId",
          "TriggeredTime": "TriggeredTime",
          "VoneHostName": "VoneHostName"
        },
        "description": "Detects changes in Veeam ONE malware detection tracking.",
        "displayName": "Veeam ONE Malware Detection Change Tracking",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Veeam_One_Veeam_malware_detection_change_tracking.yaml",
        "query": "VeeamOneTriggeredAlarms_CL | where PredefinedAlarmId == 403",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1486"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}