AppServices AV Scan with Infected Files

Back


Id	9d0295ee-cb75-4f2c-9952-e5acfbb67036
Rulename	AppServices AV Scan with Infected Files
Description	Identifies if an AV scan finds infected files in Azure App Services.
Severity	Informational
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	1
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureAppServices/AVScan_Infected_Files_Found.yaml
Version	1.0.3
Arm template	9d0295ee-cb75-4f2c-9952-e5acfbb67036.json

KQL

let timeframe = ago(1d);
AppServiceAntivirusScanAuditLogs
| where NumberOfInfectedFiles > 0
| extend timestamp = TimeGenerated

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureAppServices/AVScan_Infected_Files_Found.yaml
query: |
  let timeframe = ago(1d);
  AppServiceAntivirusScanAuditLogs
  | where NumberOfInfectedFiles > 0
  | extend timestamp = TimeGenerated  
description: |
    'Identifies if an AV scan finds infected files in Azure App Services.'
severity: Informational
name: AppServices AV Scan with Infected Files
triggerThreshold: 1
metadata:
  source:
    kind: Community
  categories:
    domains:
    - Security - Others
    - Platform
  author:
    name: SecurityJedi
  support:
    tier: Community
requiredDataConnectors: []
version: 1.0.3
triggerOperator: gt
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: _ResourceId
    identifier: AzureID
id: 9d0295ee-cb75-4f2c-9952-e5acfbb67036
kind: Scheduled
queryFrequency: 1d
queryPeriod: 1d

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9d0295ee-cb75-4f2c-9952-e5acfbb67036')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9d0295ee-cb75-4f2c-9952-e5acfbb67036')]",
      "properties": {
        "alertRuleTemplateName": "9d0295ee-cb75-4f2c-9952-e5acfbb67036",
        "customDetails": null,
        "description": "'Identifies if an AV scan finds infected files in Azure App Services.'\n",
        "displayName": "AppServices AV Scan with Infected Files",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "_ResourceId",
                "identifier": "AzureID"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureAppServices/AVScan_Infected_Files_Found.yaml",
        "query": "let timeframe = ago(1d);\nAppServiceAntivirusScanAuditLogs\n| where NumberOfInfectedFiles > 0\n| extend timestamp = TimeGenerated\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Informational",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 1
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}