Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Malware Detection Exclusions List Updated

Back
Id401e91cb-b53f-41a5-b066-1c028b3b51db
RulenameMalware Detection Exclusions List Updated
DescriptionDetects when malware detection exclusions are updated. This might indicate potential compromise of backup data.
SeverityMedium
TacticsDefenseEvasion
Impact
TechniquesT1562.001
T1486
Required data connectorsSyslog
SyslogAma
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Malware_Detection_Exclusions_List_Updated.yaml
Version1.0.0
Arm template401e91cb-b53f-41a5-b066-1c028b3b51db.json
Deploy To Azure
Veeam_GetSecurityEvents
| where instanceId == 42280
| project
  Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
    DataSource = original_host,
    EventId = instanceId,
    UserName = user,
   MessageDetails = Description,
   Severity = SeverityDescription
| project Date, DataSource, EventId, UserName,MessageDetails,Severity
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Malware_Detection_Exclusions_List_Updated.yaml
triggerThreshold: 0
severity: Medium
queryFrequency: 5m
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  EventId: EventId
  Date: Date
  Severity: Severity
  MessageDetails: MessageDetails
  VbrHostName: DataSource
relevantTechniques:
- T1562.001
- T1486
triggerOperator: gt
id: 401e91cb-b53f-41a5-b066-1c028b3b51db
requiredDataConnectors:
- connectorId: Syslog
  dataTypes:
  - Syslog
- connectorId: SyslogAma
  dataTypes:
  - Syslog
version: 1.0.0
name: Malware Detection Exclusions List Updated
tactics:
- DefenseEvasion
- Impact
description: Detects when malware detection exclusions are updated. This might indicate potential compromise of backup data.
query: |-
  Veeam_GetSecurityEvents
  | where instanceId == 42280
  | project
    Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
      DataSource = original_host,
      EventId = instanceId,
      UserName = user,
     MessageDetails = Description,
     Severity = SeverityDescription
  | project Date, DataSource, EventId, UserName,MessageDetails,Severity  
status: Available
queryPeriod: 5m
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/401e91cb-b53f-41a5-b066-1c028b3b51db')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/401e91cb-b53f-41a5-b066-1c028b3b51db')]",
      "properties": {
        "alertRuleTemplateName": "401e91cb-b53f-41a5-b066-1c028b3b51db",
        "customDetails": {
          "Date": "Date",
          "EventId": "EventId",
          "MessageDetails": "MessageDetails",
          "Severity": "Severity",
          "VbrHostName": "DataSource"
        },
        "description": "Detects when malware detection exclusions are updated. This might indicate potential compromise of backup data.",
        "displayName": "Malware Detection Exclusions List Updated",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Malware_Detection_Exclusions_List_Updated.yaml",
        "query": "Veeam_GetSecurityEvents\n| where instanceId == 42280\n| project\n  Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),\n    DataSource = original_host,\n    EventId = instanceId,\n    UserName = user,\n   MessageDetails = Description,\n   Severity = SeverityDescription\n| project Date, DataSource, EventId, UserName,MessageDetails,Severity",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [
          "T1562.001"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Impact"
        ],
        "techniques": [
          "T1486",
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}