Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Alarming number of anomalies generated in NetBackup

Back
Id2e0efcd4-56d2-41df-9098-d6898a58c62b
RulenameAlarming number of anomalies generated in NetBackup
DescriptionThis rule generates an incident when an alarming number of anomalies are generated in the last 15 minutes.
SeverityMedium
TacticsDiscovery
CredentialAccess
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veritas NetBackup/Analytic Rules/NetBackup_many_Anomalies.yaml
Version1.0.1
Arm template2e0efcd4-56d2-41df-9098-d6898a58c62b.json
Deploy To Azure
NetBackupAlerts_CL
| where Category contains "ANOMALY_NEW"
| extend client =  split(Message, "client '")[1]
| extend clientName = split(client, "'")[0]
| summarize Total=count() by tostring(clientName)
| where Total >= 10
entityMappings:
- fieldMappings:
  - columnName: clientName
    identifier: HostName
  entityType: Host
triggerThreshold: 0
severity: Medium
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    enabled: false
    matchingMethod: AllEntities
    reopenClosedIncident: false
techniques:
- T1110
- T1212
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veritas NetBackup/Analytic Rules/NetBackup_many_Anomalies.yaml
triggerOperator: gt
kind: Scheduled
id: 2e0efcd4-56d2-41df-9098-d6898a58c62b
requiredDataConnectors: []
version: 1.0.1
name: Alarming number of anomalies generated in NetBackup
suppressionDuration: PT5H
eventGroupingSettings:
  aggregationKind: SingleAlert
description: This rule generates an incident when an alarming number of anomalies are generated in the last 15 minutes.
query: |-
  NetBackupAlerts_CL
  | where Category contains "ANOMALY_NEW"
  | extend client =  split(Message, "client '")[1]
  | extend clientName = split(client, "'")[0]
  | summarize Total=count() by tostring(clientName)
  | where Total >= 10  
tactics:
- Discovery
- CredentialAccess
queryPeriod: 15m
suppressionEnabled: false
queryFrequency: 15m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2e0efcd4-56d2-41df-9098-d6898a58c62b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2e0efcd4-56d2-41df-9098-d6898a58c62b')]",
      "properties": {
        "alertRuleTemplateName": "2e0efcd4-56d2-41df-9098-d6898a58c62b",
        "customDetails": null,
        "description": "This rule generates an incident when an alarming number of anomalies are generated in the last 15 minutes.",
        "displayName": "Alarming number of anomalies generated in NetBackup",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "clientName",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veritas NetBackup/Analytic Rules/NetBackup_many_Anomalies.yaml",
        "query": "NetBackupAlerts_CL\n| where Category contains \"ANOMALY_NEW\"\n| extend client =  split(Message, \"client '\")[1]\n| extend clientName = split(client, \"'\")[0]\n| summarize Total=count() by tostring(clientName)\n| where Total >= 10",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Discovery"
        ],
        "techniques": [
          "T1110",
          "T1212"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}