Veeam ONE Backup Copy RPO

Back


Id	7fb6d1b6-48e4-442b-ba4d-1b5fb5fa379b
Rulename	Veeam ONE Backup Copy RPO
Description	Detects Veeam ONE Backup Copy RPO violation alerts.
Severity	High
Tactics	Impact
Techniques	T1490
Required data connectors	VeeamCustomTablesDataConnector
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Veeam_One_Backup_Copy_RPO.yaml
Version	1.0.0
Arm template	7fb6d1b6-48e4-442b-ba4d-1b5fb5fa379b.json

KQL

VeeamOneTriggeredAlarms_CL | where PredefinedAlarmId == 365

YAML

tactics:
- Impact
name: Veeam ONE Backup Copy RPO
id: 7fb6d1b6-48e4-442b-ba4d-1b5fb5fa379b
requiredDataConnectors:
- connectorId: VeeamCustomTablesDataConnector
  dataTypes:
  - VeeamOneTriggeredAlarms_CL
query: VeeamOneTriggeredAlarms_CL | where PredefinedAlarmId == 365
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1490
description: Detects Veeam ONE Backup Copy RPO violation alerts.
triggerOperator: gt
queryPeriod: 5m
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Veeam_One_Backup_Copy_RPO.yaml
version: 1.0.0
triggerThreshold: 0
kind: Scheduled
queryFrequency: 5m
status: Available
customDetails:
  Name: Name
  ObjectType: ObjectType
  TriggeredTime: TriggeredTime
  TriggeredAlarmId: TriggeredAlarmId
  VoneHostName: VoneHostName
  Comment: Comment
  PredefinedAlarmId: PredefinedAlarmId
  Status: Status
  Description: Description
  ObjectId: ObjectId
  ObjectName: ObjectName

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7fb6d1b6-48e4-442b-ba4d-1b5fb5fa379b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7fb6d1b6-48e4-442b-ba4d-1b5fb5fa379b')]",
      "properties": {
        "alertRuleTemplateName": "7fb6d1b6-48e4-442b-ba4d-1b5fb5fa379b",
        "customDetails": {
          "Comment": "Comment",
          "Description": "Description",
          "Name": "Name",
          "ObjectId": "ObjectId",
          "ObjectName": "ObjectName",
          "ObjectType": "ObjectType",
          "PredefinedAlarmId": "PredefinedAlarmId",
          "Status": "Status",
          "TriggeredAlarmId": "TriggeredAlarmId",
          "TriggeredTime": "TriggeredTime",
          "VoneHostName": "VoneHostName"
        },
        "description": "Detects Veeam ONE Backup Copy RPO violation alerts.",
        "displayName": "Veeam ONE Backup Copy RPO",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Veeam_One_Backup_Copy_RPO.yaml",
        "query": "VeeamOneTriggeredAlarms_CL | where PredefinedAlarmId == 365",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1490"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}