Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Alarming number of anomalies generated in NetBackup

Alarming number of anomalies generated in NetBackup

Back
Id2e0efcd4-56d2-41df-9098-d6898a58c62b
RulenameAlarming number of anomalies generated in NetBackup
DescriptionThis rule generates an incident when an alarming number of anomalies are generated in the last 15 minutes.
SeverityMedium
TacticsDiscovery
CredentialAccess
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veritas NetBackup/Analytic Rules/NetBackup_many_Anomalies.yaml
Version1.0.1
Arm template2e0efcd4-56d2-41df-9098-d6898a58c62b.json
Deploy To Azure
NetBackupAlerts_CL
| where Category contains "ANOMALY_NEW"
| extend client =  split(Message, "client '")[1]
| extend clientName = split(client, "'")[0]
| summarize Total=count() by tostring(clientName)
| where Total >= 10

incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: false
    lookbackDuration: PT5H
requiredDataConnectors: []
query: |-
  NetBackupAlerts_CL
  | where Category contains "ANOMALY_NEW"
  | extend client =  split(Message, "client '")[1]
  | extend clientName = split(client, "'")[0]
  | summarize Total=count() by tostring(clientName)
  | where Total >= 10  
description: This rule generates an incident when an alarming number of anomalies are generated in the last 15 minutes.
kind: Scheduled
name: Alarming number of anomalies generated in NetBackup
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veritas NetBackup/Analytic Rules/NetBackup_many_Anomalies.yaml
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: clientName
  entityType: Host
queryFrequency: 15m
version: 1.0.1
tactics:
- Discovery
- CredentialAccess
id: 2e0efcd4-56d2-41df-9098-d6898a58c62b
suppressionDuration: PT5H
eventGroupingSettings:
  aggregationKind: SingleAlert
suppressionEnabled: false
triggerThreshold: 0
techniques:
- T1110
- T1212
status: Available
queryPeriod: 15m
triggerOperator: gt
severity: Medium

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2e0efcd4-56d2-41df-9098-d6898a58c62b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2e0efcd4-56d2-41df-9098-d6898a58c62b')]",
      "properties": {
        "alertRuleTemplateName": "2e0efcd4-56d2-41df-9098-d6898a58c62b",
        "customDetails": null,
        "description": "This rule generates an incident when an alarming number of anomalies are generated in the last 15 minutes.",
        "displayName": "Alarming number of anomalies generated in NetBackup",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "clientName",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veritas NetBackup/Analytic Rules/NetBackup_many_Anomalies.yaml",
        "query": "NetBackupAlerts_CL\n| where Category contains \"ANOMALY_NEW\"\n| extend client =  split(Message, \"client '\")[1]\n| extend clientName = split(client, \"'\")[0]\n| summarize Total=count() by tostring(clientName)\n| where Total >= 10",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Discovery"
        ],
        "techniques": [
          "T1110",
          "T1212"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}