Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Alarming number of anomalies generated in NetBackup

Alarming number of anomalies generated in NetBackup

Back
Id2e0efcd4-56d2-41df-9098-d6898a58c62b
RulenameAlarming number of anomalies generated in NetBackup
DescriptionThis rule generates an incident when an alarming number of anomalies are generated in the last 15 minutes.
SeverityMedium
TacticsDiscovery
CredentialAccess
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veritas NetBackup/Analytic Rules/NetBackup_many_Anomalies.yaml
Version1.0.1
Arm template2e0efcd4-56d2-41df-9098-d6898a58c62b.json
Deploy To Azure
NetBackupAlerts_CL
| where Category contains "ANOMALY_NEW"
| extend client =  split(Message, "client '")[1]
| extend clientName = split(client, "'")[0]
| summarize Total=count() by tostring(clientName)
| where Total >= 10

kind: Scheduled
eventGroupingSettings:
  aggregationKind: SingleAlert
suppressionDuration: PT5H
techniques:
- T1110
- T1212
description: This rule generates an incident when an alarming number of anomalies are generated in the last 15 minutes.
severity: Medium
queryFrequency: 15m
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    enabled: false
  createIncident: true
triggerThreshold: 0
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: clientName
    identifier: HostName
suppressionEnabled: false
status: Available
tactics:
- Discovery
- CredentialAccess
name: Alarming number of anomalies generated in NetBackup
id: 2e0efcd4-56d2-41df-9098-d6898a58c62b
query: |-
  NetBackupAlerts_CL
  | where Category contains "ANOMALY_NEW"
  | extend client =  split(Message, "client '")[1]
  | extend clientName = split(client, "'")[0]
  | summarize Total=count() by tostring(clientName)
  | where Total >= 10  
requiredDataConnectors: []
version: 1.0.1
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veritas NetBackup/Analytic Rules/NetBackup_many_Anomalies.yaml
queryPeriod: 15m

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2e0efcd4-56d2-41df-9098-d6898a58c62b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2e0efcd4-56d2-41df-9098-d6898a58c62b')]",
      "properties": {
        "alertRuleTemplateName": "2e0efcd4-56d2-41df-9098-d6898a58c62b",
        "customDetails": null,
        "description": "This rule generates an incident when an alarming number of anomalies are generated in the last 15 minutes.",
        "displayName": "Alarming number of anomalies generated in NetBackup",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "clientName",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veritas NetBackup/Analytic Rules/NetBackup_many_Anomalies.yaml",
        "query": "NetBackupAlerts_CL\n| where Category contains \"ANOMALY_NEW\"\n| extend client =  split(Message, \"client '\")[1]\n| extend clientName = split(client, \"'\")[0]\n| summarize Total=count() by tostring(clientName)\n| where Total >= 10",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Discovery"
        ],
        "techniques": [
          "T1110",
          "T1212"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}