Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Objects for Job Deleted

Back
Id5367e8fc-a150-468f-84f2-90ac1dabef15
RulenameObjects for Job Deleted
DescriptionDetects when objects are deleted from the job. This might indicate unauthorized removal of critical components.
SeverityHigh
Required data connectorsSyslog
SyslogAma
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Objects_for_Job_Deleted.yaml
Version1.0.1
Arm template5367e8fc-a150-468f-84f2-90ac1dabef15.json
Deploy To Azure
Veeam_GetSecurityEvents
| where instanceId == 32120
| extend JobName = extract("JobName=\"([^\"]*)\"", 1, SyslogMessage)
| project
    Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
    DataSource = original_host,
    EventId = instanceId,
    ["User Name"] = user,
    ["Job Name"] = JobName,
    MessageDetails = Description,
   Severity = SeverityDescription
name: Objects for Job Deleted
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: 5367e8fc-a150-468f-84f2-90ac1dabef15
requiredDataConnectors:
- connectorId: Syslog
  dataTypes:
  - Syslog
- connectorId: SyslogAma
  dataTypes:
  - Syslog
severity: High
triggerThreshold: 0
version: 1.0.1
description: Detects when objects are deleted from the job. This might indicate unauthorized removal of critical components.
relevantTechniques: []
kind: Scheduled
queryPeriod: 5m
tactics: []
customDetails:
  Severity: Severity
  MessageDetails: MessageDetails
  Date: Date
  VbrHostName: DataSource
  EventId: EventId
queryFrequency: 5m
status: Available
triggerOperator: gt
query: |-
  Veeam_GetSecurityEvents
  | where instanceId == 32120
  | extend JobName = extract("JobName=\"([^\"]*)\"", 1, SyslogMessage)
  | project
      Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
      DataSource = original_host,
      EventId = instanceId,
      ["User Name"] = user,
      ["Job Name"] = JobName,
      MessageDetails = Description,
     Severity = SeverityDescription  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Objects_for_Job_Deleted.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5367e8fc-a150-468f-84f2-90ac1dabef15')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5367e8fc-a150-468f-84f2-90ac1dabef15')]",
      "properties": {
        "alertRuleTemplateName": "5367e8fc-a150-468f-84f2-90ac1dabef15",
        "customDetails": {
          "Date": "Date",
          "EventId": "EventId",
          "MessageDetails": "MessageDetails",
          "Severity": "Severity",
          "VbrHostName": "DataSource"
        },
        "description": "Detects when objects are deleted from the job. This might indicate unauthorized removal of critical components.",
        "displayName": "Objects for Job Deleted",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Objects_for_Job_Deleted.yaml",
        "query": "Veeam_GetSecurityEvents\n| where instanceId == 32120\n| extend JobName = extract(\"JobName=\\\"([^\\\"]*)\\\"\", 1, SyslogMessage)\n| project\n    Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),\n    DataSource = original_host,\n    EventId = instanceId,\n    [\"User Name\"] = user,\n    [\"Job Name\"] = JobName,\n    MessageDetails = Description,\n   Severity = SeverityDescription",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}