Microsoft Sentinel Analytic Rules

Veeam ONE Backup Copy RPO

Id: 7fb6d1b6-48e4-442b-ba4d-1b5fb5fa379b
Rulename: Veeam ONE Backup Copy RPO
Description: Detects Veeam ONE Backup Copy RPO violation alerts.
Severity: High
Tactics: Impact
Techniques: T1490
Required data connectors: VeeamCustomTablesDataConnector
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Veeam_One_Backup_Copy_RPO.yaml
Version: 1.0.0
Arm template: 7fb6d1b6-48e4-442b-ba4d-1b5fb5fa379b.json
// Returns every row of the VeeamOneTriggeredAlarms_CL custom table whose PredefinedAlarmId equals 365.
// No other column (Status, ObjectType, time) is filtered here; the time window comes from the rule's queryPeriod.
VeeamOneTriggeredAlarms_CL | where PredefinedAlarmId == 365
# Scheduled analytics rule: raises one High-severity alert for each row in
# VeeamOneTriggeredAlarms_CL whose PredefinedAlarmId is 365 (per the description below,
# the Veeam ONE "Backup Copy RPO" violation alarm).
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Veeam_One_Backup_Copy_RPO.yaml
# With triggerOperator "gt" further down, the rule fires as soon as the query returns more than 0 rows.
triggerThreshold: 0
severity: High
# Runs every 5 minutes. queryPeriod (below) is also 5m, so consecutive runs look at adjacent,
# non-overlapping windows.
# NOTE(review): a row that arrives in the workspace after the run covering its timestamp is never
# evaluated. Confirm the connector's ingestion latency; if it can exceed the window, widen
# queryPeriod and deduplicate (TriggeredAlarmId is presumably unique per alarm - verify).
queryFrequency: 5m
eventGroupingSettings:
  # Each returned row becomes its own alert instead of one alert per rule run.
  aggregationKind: AlertPerResult
# Columns copied from the matching row into the alert as custom details (key: source column).
# No entityMappings are defined in this rule, so alerts carry no mapped entities for correlation.
# NOTE(review): VoneHostName looks like a candidate for a Host entity mapping - confirm what it holds.
customDetails:
  TriggeredAlarmId: TriggeredAlarmId
  Status: Status
  Comment: Comment
  ObjectName: ObjectName
  Description: Description
  VoneHostName: VoneHostName
  ObjectType: ObjectType
  Name: Name
  PredefinedAlarmId: PredefinedAlarmId
  TriggeredTime: TriggeredTime
  ObjectId: ObjectId
# MITRE ATT&CK T1490 (Inhibit System Recovery), under the Impact tactic listed below.
# NOTE(review): the query matches on the alarm id only, so it cannot tell an attacker-caused RPO
# miss from an operational one (failed job, full repository, network outage); triage with the
# Status, Comment and ObjectName details before escalating.
relevantTechniques:
- T1490
triggerOperator: gt
id: 7fb6d1b6-48e4-442b-ba4d-1b5fb5fa379b
# The rule depends on the Veeam custom-tables connector populating VeeamOneTriggeredAlarms_CL;
# if that feed stops, this rule stays silent rather than failing, so monitor the table's health separately.
requiredDataConnectors:
- connectorId: VeeamCustomTablesDataConnector
  dataTypes:
  - VeeamOneTriggeredAlarms_CL
version: 1.0.0
name: Veeam ONE Backup Copy RPO
tactics:
- Impact
description: Detects Veeam ONE Backup Copy RPO violation alerts.
# No filter on Status: NOTE(review) if the table also records later state changes of the same
# alarm (e.g. acknowledged/resolved), those rows would raise alerts too - confirm against sample data.
query: VeeamOneTriggeredAlarms_CL | where PredefinedAlarmId == 365
status: Available
# Lookback window for each run; equal to queryFrequency (see the ingestion-latency note above).
queryPeriod: 5m
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7fb6d1b6-48e4-442b-ba4d-1b5fb5fa379b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7fb6d1b6-48e4-442b-ba4d-1b5fb5fa379b')]",
      "properties": {
        "alertRuleTemplateName": "7fb6d1b6-48e4-442b-ba4d-1b5fb5fa379b",
        "customDetails": {
          "Comment": "Comment",
          "Description": "Description",
          "Name": "Name",
          "ObjectId": "ObjectId",
          "ObjectName": "ObjectName",
          "ObjectType": "ObjectType",
          "PredefinedAlarmId": "PredefinedAlarmId",
          "Status": "Status",
          "TriggeredAlarmId": "TriggeredAlarmId",
          "TriggeredTime": "TriggeredTime",
          "VoneHostName": "VoneHostName"
        },
        "description": "Detects Veeam ONE Backup Copy RPO violation alerts.",
        "displayName": "Veeam ONE Backup Copy RPO",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Veeam_One_Backup_Copy_RPO.yaml",
        "query": "VeeamOneTriggeredAlarms_CL | where PredefinedAlarmId == 365",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1490"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}