Microsoft Sentinel Analytic Rules

AppServices AV Scan with Infected Files

Id: 9d0295ee-cb75-4f2c-9952-e5acfbb67036
Rulename: AppServices AV Scan with Infected Files
Description: Identifies if an AV scan finds infected files in Azure App Services.
Severity: Informational
Kind: Scheduled
Query frequency: 1d
Query period: 1d
Trigger threshold: 1
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureAppServices/AVScan_Infected_Files_Found.yaml
Version: 1.0.2
Arm template: 9d0295ee-cb75-4f2c-9952-e5acfbb67036.json
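// Flag App Service antivirus scan audit events that report at least one infected file.
// Source table: AppServiceAntivirusScanAuditLogs (one row per scan audit event; full column set not shown here).
// Output: the matching rows, plus HostCustomEntity / timestamp for the rule's Host entity mapping.
let timeframe = ago(1d);
AppServiceAntivirusScanAuditLogs
// `timeframe` was declared but never referenced, so the lookback was bounded only by the
// rule's scheduled query period; apply it explicitly so ad-hoc runs match the 1d window too.
| where TimeGenerated >= timeframe
| where NumberOfInfectedFiles > 0
// _ResourceId identifies the App Service resource; exposed as HostCustomEntity for the Host entity mapping.
| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated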
# Sentinel scheduled analytic rule: alert when an App Service antivirus scan reports infected files.
severity: Informational
# Runs once per day; queryPeriod (below) sets the data window to the same 1d.
queryFrequency: 1d
# Compared against triggerThreshold (last key in this file) on the number of rows the query returns.
triggerOperator: gt
kind: Scheduled
# KQL body. `timeframe` is declared but not referenced, so the lookback is bounded only by queryPeriod.
query: |
  let timeframe = ago(1d);
  AppServiceAntivirusScanAuditLogs
  | where NumberOfInfectedFiles > 0
  | extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureAppServices/AVScan_Infected_Files_Found.yaml
queryPeriod: 1d
version: 1.0.2
metadata:
  support:
    tier: Community
  source:
    kind: Community
  categories:
    domains:
    - Security - Others
    - Platform
  author:
    name: SecurityJedi
name: AppServices AV Scan with Infected Files
# No connector is declared; the rule assumes AppServiceAntivirusScanAuditLogs is already being ingested
# (presumably via App Service diagnostic settings — verify in the target workspace).
requiredDataConnectors: []
# The alert's Host entity is taken from HostCustomEntity, which the query sets from _ResourceId.
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
id: 9d0295ee-cb75-4f2c-9952-e5acfbb67036
description: |
    'Identifies if an AV scan finds infected files in Azure App Services.'
# NOTE(review): with triggerOperator gt, a threshold of 1 fires only when the query returns more than
# one row, so a single scan event with infected files in the 1d window would not raise an alert.
# Confirm this is intended; a threshold of 0 alerts on the first matching row.
triggerThreshold: 1
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9d0295ee-cb75-4f2c-9952-e5acfbb67036')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9d0295ee-cb75-4f2c-9952-e5acfbb67036')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "AppServices AV Scan with Infected Files",
        "description": "'Identifies if an AV scan finds infected files in Azure App Services.'\n",
        "severity": "Informational",
        "enabled": true,
        "query": "let timeframe = ago(1d);\nAppServiceAntivirusScanAuditLogs\n| where NumberOfInfectedFiles > 0\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 1,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "alertRuleTemplateName": "9d0295ee-cb75-4f2c-9952-e5acfbb67036",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ],
            "entityType": "Host"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureAppServices/AVScan_Infected_Files_Found.yaml",
        "templateVersion": "1.0.2"
      }
    }
  ]
}