AppServices AV Scan with Infected Files

Back


Id	9d0295ee-cb75-4f2c-9952-e5acfbb67036
Rulename	AppServices AV Scan with Infected Files
Description	Identifies if an AV scan finds infected files in Azure App Services.
Severity	Informational
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	1
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureAppServices/AVScan_Infected_Files_Found.yaml
Version	1.0.3
Arm template	9d0295ee-cb75-4f2c-9952-e5acfbb67036.json

KQL

let timeframe = ago(1d);
AppServiceAntivirusScanAuditLogs
| where NumberOfInfectedFiles > 0
| extend timestamp = TimeGenerated

YAML

metadata:
  categories:
    domains:
    - Security - Others
    - Platform
  author:
    name: SecurityJedi
  source:
    kind: Community
  support:
    tier: Community
id: 9d0295ee-cb75-4f2c-9952-e5acfbb67036
query: |
  let timeframe = ago(1d);
  AppServiceAntivirusScanAuditLogs
  | where NumberOfInfectedFiles > 0
  | extend timestamp = TimeGenerated  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureAppServices/AVScan_Infected_Files_Found.yaml
description: |
    'Identifies if an AV scan finds infected files in Azure App Services.'
name: AppServices AV Scan with Infected Files
triggerOperator: gt
triggerThreshold: 1
severity: Informational
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 1d
version: 1.0.3
kind: Scheduled
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: AzureID
    columnName: _ResourceId

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9d0295ee-cb75-4f2c-9952-e5acfbb67036')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9d0295ee-cb75-4f2c-9952-e5acfbb67036')]",
      "properties": {
        "alertRuleTemplateName": "9d0295ee-cb75-4f2c-9952-e5acfbb67036",
        "customDetails": null,
        "description": "'Identifies if an AV scan finds infected files in Azure App Services.'\n",
        "displayName": "AppServices AV Scan with Infected Files",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "_ResourceId",
                "identifier": "AzureID"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureAppServices/AVScan_Infected_Files_Found.yaml",
        "query": "let timeframe = ago(1d);\nAppServiceAntivirusScanAuditLogs\n| where NumberOfInfectedFiles > 0\n| extend timestamp = TimeGenerated\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Informational",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 1
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}