Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Veeam ONE Possible Ransomware Activity vSphere

Back
Id37d97c4d-a42f-495b-a523-376416b278b5
RulenameVeeam ONE Possible Ransomware Activity (vSphere)
DescriptionDetects Veeam ONE possible ransomware activity alerts for VMware vSphere.
SeverityHigh
Required data connectorsVeeamCustomTablesDataConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Veeam_One_Possible_ransomware_activity_vSphere.yaml
Version1.0.0
Arm template37d97c4d-a42f-495b-a523-376416b278b5.json
Deploy To Azure
VeeamOneTriggeredAlarms_CL | where PredefinedAlarmId == 342
tactics: []
name: Veeam ONE Possible Ransomware Activity (vSphere)
id: 37d97c4d-a42f-495b-a523-376416b278b5
requiredDataConnectors:
- connectorId: VeeamCustomTablesDataConnector
  dataTypes:
  - VeeamOneTriggeredAlarms_CL
query: VeeamOneTriggeredAlarms_CL | where PredefinedAlarmId == 342
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques: []
description: Detects Veeam ONE possible ransomware activity alerts for VMware vSphere.
triggerOperator: gt
queryPeriod: 5m
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Veeam_One_Possible_ransomware_activity_vSphere.yaml
version: 1.0.0
triggerThreshold: 0
kind: Scheduled
queryFrequency: 5m
status: Available
customDetails:
  Name: Name
  ObjectType: ObjectType
  TriggeredTime: TriggeredTime
  TriggeredAlarmId: TriggeredAlarmId
  VoneHostName: VoneHostName
  Comment: Comment
  PredefinedAlarmId: PredefinedAlarmId
  Status: Status
  Description: Description
  ObjectId: ObjectId
  ObjectName: ObjectName
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/37d97c4d-a42f-495b-a523-376416b278b5')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/37d97c4d-a42f-495b-a523-376416b278b5')]",
      "properties": {
        "alertRuleTemplateName": "37d97c4d-a42f-495b-a523-376416b278b5",
        "customDetails": {
          "Comment": "Comment",
          "Description": "Description",
          "Name": "Name",
          "ObjectId": "ObjectId",
          "ObjectName": "ObjectName",
          "ObjectType": "ObjectType",
          "PredefinedAlarmId": "PredefinedAlarmId",
          "Status": "Status",
          "TriggeredAlarmId": "TriggeredAlarmId",
          "TriggeredTime": "TriggeredTime",
          "VoneHostName": "VoneHostName"
        },
        "description": "Detects Veeam ONE possible ransomware activity alerts for VMware vSphere.",
        "displayName": "Veeam ONE Possible Ransomware Activity (vSphere)",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Veeam_One_Possible_ransomware_activity_vSphere.yaml",
        "query": "VeeamOneTriggeredAlarms_CL | where PredefinedAlarmId == 342",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}