Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Malware Activity Detected

Back
Id9a7c80ef-8dc2-4b07-834d-b9ca18d603f7
RulenameMalware Activity Detected
DescriptionDetects when restore points marked as suspicious. This might indicate potential compromise of backup data.
SeverityHigh
TacticsImpact
TechniquesT1486
Required data connectorsSyslog
SyslogAma
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Malware_Activity_Detected.yaml
Version1.0.1
Arm template9a7c80ef-8dc2-4b07-834d-b9ca18d603f7.json
Deploy To Azure
Veeam_GetSecurityEvents
| where instanceId == 41600
| extend ActivityType = extract("ActivityType=\"([^\"]*)\"", 1, SyslogMessage)
| extend MachineDisplayName = extract("[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\\s*\\(([^)]+)\\)", 1, Description)
| extend MachineUuid = extract("([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})", 1, Description)
| project
    Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
    DataSource = original_host,
    EventId = instanceId,
    UserName = user,
    ["Malware Detection Method"] = ActivityType,
    MessageDetails = Description,
    Severity = SeverityDescription,
    MachineDisplayName,
    MachineUuid
tactics:
- Impact
name: Malware Activity Detected
id: 9a7c80ef-8dc2-4b07-834d-b9ca18d603f7
requiredDataConnectors:
- connectorId: Syslog
  dataTypes:
  - Syslog
- connectorId: SyslogAma
  dataTypes:
  - Syslog
query: |
  Veeam_GetSecurityEvents
  | where instanceId == 41600
  | extend ActivityType = extract("ActivityType=\"([^\"]*)\"", 1, SyslogMessage)
  | extend MachineDisplayName = extract("[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\\s*\\(([^)]+)\\)", 1, Description)
  | extend MachineUuid = extract("([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})", 1, Description)
  | project
      Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
      DataSource = original_host,
      EventId = instanceId,
      UserName = user,
      ["Malware Detection Method"] = ActivityType,
      MessageDetails = Description,
      Severity = SeverityDescription,
      MachineDisplayName,
      MachineUuid  
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1486
description: Detects when restore points marked as suspicious. This might indicate potential compromise of backup data.
triggerOperator: gt
queryPeriod: 5m
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Malware_Activity_Detected.yaml
version: 1.0.1
triggerThreshold: 0
kind: Scheduled
queryFrequency: 5m
status: Available
customDetails:
  VbrHostName: DataSource
  MachineDisplayName: MachineDisplayName
  EventId: EventId
  Severity: Severity
  MachineUuid: MachineUuid
  Date: Date
  MessageDetails: MessageDetails
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9a7c80ef-8dc2-4b07-834d-b9ca18d603f7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9a7c80ef-8dc2-4b07-834d-b9ca18d603f7')]",
      "properties": {
        "alertRuleTemplateName": "9a7c80ef-8dc2-4b07-834d-b9ca18d603f7",
        "customDetails": {
          "Date": "Date",
          "EventId": "EventId",
          "MachineDisplayName": "MachineDisplayName",
          "MachineUuid": "MachineUuid",
          "MessageDetails": "MessageDetails",
          "Severity": "Severity",
          "VbrHostName": "DataSource"
        },
        "description": "Detects when restore points marked as suspicious. This might indicate potential compromise of backup data.",
        "displayName": "Malware Activity Detected",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Malware_Activity_Detected.yaml",
        "query": "Veeam_GetSecurityEvents\n| where instanceId == 41600\n| extend ActivityType = extract(\"ActivityType=\\\"([^\\\"]*)\\\"\", 1, SyslogMessage)\n| extend MachineDisplayName = extract(\"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\\\\s*\\\\(([^)]+)\\\\)\", 1, Description)\n| extend MachineUuid = extract(\"([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\", 1, Description)\n| project\n    Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),\n    DataSource = original_host,\n    EventId = instanceId,\n    UserName = user,\n    [\"Malware Detection Method\"] = ActivityType,\n    MessageDetails = Description,\n    Severity = SeverityDescription,\n    MachineDisplayName,\n    MachineUuid\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1486"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}