Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Alarming number of anomalies generated in NetBackup

Back
Id2e0efcd4-56d2-41df-9098-d6898a58c62b
RulenameAlarming number of anomalies generated in NetBackup
DescriptionThis rule generates an incident when an alarming number of anomalies are generated in the last 15 minutes.
SeverityMedium
TacticsDiscovery
CredentialAccess
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veritas NetBackup/Analytic Rules/NetBackup_many_Anomalies.yaml
Version1.0.1
Arm template2e0efcd4-56d2-41df-9098-d6898a58c62b.json
Deploy To Azure
NetBackupAlerts_CL
| where Category contains "ANOMALY_NEW"
| extend client =  split(Message, "client '")[1]
| extend clientName = split(client, "'")[0]
| summarize Total=count() by tostring(clientName)
| where Total >= 10
status: Available
id: 2e0efcd4-56d2-41df-9098-d6898a58c62b
query: |-
  NetBackupAlerts_CL
  | where Category contains "ANOMALY_NEW"
  | extend client =  split(Message, "client '")[1]
  | extend clientName = split(client, "'")[0]
  | summarize Total=count() by tostring(clientName)
  | where Total >= 10  
suppressionDuration: PT5H
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veritas NetBackup/Analytic Rules/NetBackup_many_Anomalies.yaml
description: This rule generates an incident when an alarming number of anomalies are generated in the last 15 minutes.
name: Alarming number of anomalies generated in NetBackup
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: PT5H
    enabled: false
  createIncident: true
suppressionEnabled: false
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: clientName
triggerThreshold: 0
severity: Medium
requiredDataConnectors: []
eventGroupingSettings:
  aggregationKind: SingleAlert
techniques:
- T1110
- T1212
queryFrequency: 15m
queryPeriod: 15m
version: 1.0.1
kind: Scheduled
tactics:
- Discovery
- CredentialAccess
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2e0efcd4-56d2-41df-9098-d6898a58c62b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2e0efcd4-56d2-41df-9098-d6898a58c62b')]",
      "properties": {
        "alertRuleTemplateName": "2e0efcd4-56d2-41df-9098-d6898a58c62b",
        "customDetails": null,
        "description": "This rule generates an incident when an alarming number of anomalies are generated in the last 15 minutes.",
        "displayName": "Alarming number of anomalies generated in NetBackup",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "clientName",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veritas NetBackup/Analytic Rules/NetBackup_many_Anomalies.yaml",
        "query": "NetBackupAlerts_CL\n| where Category contains \"ANOMALY_NEW\"\n| extend client =  split(Message, \"client '\")[1]\n| extend clientName = split(client, \"'\")[0]\n| summarize Total=count() by tostring(clientName)\n| where Total >= 10",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Discovery"
        ],
        "techniques": [
          "T1110",
          "T1212"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}