AppServices AV Scan with Infected Files

Back


Id	9d0295ee-cb75-4f2c-9952-e5acfbb67036
Rulename	AppServices AV Scan with Infected Files
Description	Identifies if an AV scan finds infected files in Azure App Services.
Severity	Informational
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	1
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureAppServices/AVScan_Infected_Files_Found.yaml
Version	1.0.3
Arm template	9d0295ee-cb75-4f2c-9952-e5acfbb67036.json

KQL

let timeframe = ago(1d);
AppServiceAntivirusScanAuditLogs
| where NumberOfInfectedFiles > 0
| extend timestamp = TimeGenerated

YAML

requiredDataConnectors: []
triggerThreshold: 1
queryFrequency: 1d
queryPeriod: 1d
version: 1.0.3
id: 9d0295ee-cb75-4f2c-9952-e5acfbb67036
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureAppServices/AVScan_Infected_Files_Found.yaml
query: |
  let timeframe = ago(1d);
  AppServiceAntivirusScanAuditLogs
  | where NumberOfInfectedFiles > 0
  | extend timestamp = TimeGenerated  
metadata:
  support:
    tier: Community
  source:
    kind: Community
  categories:
    domains:
    - Security - Others
    - Platform
  author:
    name: SecurityJedi
entityMappings:
- fieldMappings:
  - identifier: AzureID
    columnName: _ResourceId
  entityType: Host
severity: Informational
name: AppServices AV Scan with Infected Files
triggerOperator: gt
kind: Scheduled
description: |
    'Identifies if an AV scan finds infected files in Azure App Services.'

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9d0295ee-cb75-4f2c-9952-e5acfbb67036')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9d0295ee-cb75-4f2c-9952-e5acfbb67036')]",
      "properties": {
        "alertRuleTemplateName": "9d0295ee-cb75-4f2c-9952-e5acfbb67036",
        "customDetails": null,
        "description": "'Identifies if an AV scan finds infected files in Azure App Services.'\n",
        "displayName": "AppServices AV Scan with Infected Files",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "_ResourceId",
                "identifier": "AzureID"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureAppServices/AVScan_Infected_Files_Found.yaml",
        "query": "let timeframe = ago(1d);\nAppServiceAntivirusScanAuditLogs\n| where NumberOfInfectedFiles > 0\n| extend timestamp = TimeGenerated\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Informational",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 1
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}