AppServices AV Scan with Infected Files

Back


Id	9d0295ee-cb75-4f2c-9952-e5acfbb67036
Rulename	AppServices AV Scan with Infected Files
Description	Identifies if an AV scan finds infected files in Azure App Services.
Severity	Informational
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	1
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureAppServices/AVScan_Infected_Files_Found.yaml
Version	1.0.3
Arm template	9d0295ee-cb75-4f2c-9952-e5acfbb67036.json

KQL

let timeframe = ago(1d);
AppServiceAntivirusScanAuditLogs
| where NumberOfInfectedFiles > 0
| extend timestamp = TimeGenerated

YAML

triggerOperator: gt
triggerThreshold: 1
name: AppServices AV Scan with Infected Files
metadata:
  support:
    tier: Community
  categories:
    domains:
    - Security - Others
    - Platform
  source:
    kind: Community
  author:
    name: SecurityJedi
queryPeriod: 1d
severity: Informational
kind: Scheduled
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: _ResourceId
    identifier: AzureID
queryFrequency: 1d
requiredDataConnectors: []
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureAppServices/AVScan_Infected_Files_Found.yaml
description: |
    'Identifies if an AV scan finds infected files in Azure App Services.'
query: |
  let timeframe = ago(1d);
  AppServiceAntivirusScanAuditLogs
  | where NumberOfInfectedFiles > 0
  | extend timestamp = TimeGenerated  
id: 9d0295ee-cb75-4f2c-9952-e5acfbb67036
version: 1.0.3

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9d0295ee-cb75-4f2c-9952-e5acfbb67036')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9d0295ee-cb75-4f2c-9952-e5acfbb67036')]",
      "properties": {
        "alertRuleTemplateName": "9d0295ee-cb75-4f2c-9952-e5acfbb67036",
        "customDetails": null,
        "description": "'Identifies if an AV scan finds infected files in Azure App Services.'\n",
        "displayName": "AppServices AV Scan with Infected Files",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "_ResourceId",
                "identifier": "AzureID"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureAppServices/AVScan_Infected_Files_Found.yaml",
        "query": "let timeframe = ago(1d);\nAppServiceAntivirusScanAuditLogs\n| where NumberOfInfectedFiles > 0\n| extend timestamp = TimeGenerated\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Informational",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 1
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}