Veeam ONE Possible Ransomware Activity vSphere

Back


Id	37d97c4d-a42f-495b-a523-376416b278b5
Rulename	Veeam ONE Possible Ransomware Activity (vSphere)
Description	Detects Veeam ONE possible ransomware activity alerts for VMware vSphere.
Severity	High
Required data connectors	VeeamCustomTablesDataConnector
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Veeam_One_Possible_ransomware_activity_vSphere.yaml
Version	1.0.1
Arm template	37d97c4d-a42f-495b-a523-376416b278b5.json

KQL

VeeamOneTriggeredAlarms_CL | where PredefinedAlarmId == 342

YAML

name: Veeam ONE Possible Ransomware Activity (vSphere)
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: 37d97c4d-a42f-495b-a523-376416b278b5
requiredDataConnectors:
- connectorId: VeeamCustomTablesDataConnector
  dataTypes:
  - VeeamOneTriggeredAlarms_CL
severity: High
triggerThreshold: 0
version: 1.0.1
description: Detects Veeam ONE possible ransomware activity alerts for VMware vSphere.
relevantTechniques: []
kind: Scheduled
queryPeriod: 5m
tactics: []
customDetails:
  ObjectType: ObjectType
  ObjectId: ObjectId
  TriggeredAlarmId: TriggeredAlarmId
  VoneHostName: VoneHostName
  Description: Description
  TriggeredTime: TriggeredTime
  Comment: Comment
  PredefinedAlarmId: PredefinedAlarmId
  Name: Name
  ObjectName: ObjectName
  Status: Status
queryFrequency: 5m
status: Available
triggerOperator: gt
query: VeeamOneTriggeredAlarms_CL | where PredefinedAlarmId == 342
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Veeam_One_Possible_ransomware_activity_vSphere.yaml

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/37d97c4d-a42f-495b-a523-376416b278b5')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/37d97c4d-a42f-495b-a523-376416b278b5')]",
      "properties": {
        "alertRuleTemplateName": "37d97c4d-a42f-495b-a523-376416b278b5",
        "customDetails": {
          "Comment": "Comment",
          "Description": "Description",
          "Name": "Name",
          "ObjectId": "ObjectId",
          "ObjectName": "ObjectName",
          "ObjectType": "ObjectType",
          "PredefinedAlarmId": "PredefinedAlarmId",
          "Status": "Status",
          "TriggeredAlarmId": "TriggeredAlarmId",
          "TriggeredTime": "TriggeredTime",
          "VoneHostName": "VoneHostName"
        },
        "description": "Detects Veeam ONE possible ransomware activity alerts for VMware vSphere.",
        "displayName": "Veeam ONE Possible Ransomware Activity (vSphere)",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Veeam_One_Possible_ransomware_activity_vSphere.yaml",
        "query": "VeeamOneTriggeredAlarms_CL | where PredefinedAlarmId == 342",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}