AppServices AV Scan with Infected Files

Back


Id	9d0295ee-cb75-4f2c-9952-e5acfbb67036
Rulename	AppServices AV Scan with Infected Files
Description	Identifies if an AV scan finds infected files in Azure App Services.
Severity	Informational
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	1
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureAppServices/AVScan_Infected_Files_Found.yaml
Version	1.0.3
Arm template	9d0295ee-cb75-4f2c-9952-e5acfbb67036.json

KQL

let timeframe = ago(1d);
AppServiceAntivirusScanAuditLogs
| where NumberOfInfectedFiles > 0
| extend timestamp = TimeGenerated

YAML

description: |
    'Identifies if an AV scan finds infected files in Azure App Services.'
queryFrequency: 1d
metadata:
  author:
    name: SecurityJedi
  support:
    tier: Community
  categories:
    domains:
    - Security - Others
    - Platform
  source:
    kind: Community
entityMappings:
- fieldMappings:
  - identifier: AzureID
    columnName: _ResourceId
  entityType: Host
queryPeriod: 1d
query: |
  let timeframe = ago(1d);
  AppServiceAntivirusScanAuditLogs
  | where NumberOfInfectedFiles > 0
  | extend timestamp = TimeGenerated  
id: 9d0295ee-cb75-4f2c-9952-e5acfbb67036
name: AppServices AV Scan with Infected Files
kind: Scheduled
version: 1.0.3
severity: Informational
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureAppServices/AVScan_Infected_Files_Found.yaml
triggerThreshold: 1
triggerOperator: gt
requiredDataConnectors: []

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9d0295ee-cb75-4f2c-9952-e5acfbb67036')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9d0295ee-cb75-4f2c-9952-e5acfbb67036')]",
      "properties": {
        "alertRuleTemplateName": "9d0295ee-cb75-4f2c-9952-e5acfbb67036",
        "customDetails": null,
        "description": "'Identifies if an AV scan finds infected files in Azure App Services.'\n",
        "displayName": "AppServices AV Scan with Infected Files",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "_ResourceId",
                "identifier": "AzureID"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureAppServices/AVScan_Infected_Files_Found.yaml",
        "query": "let timeframe = ago(1d);\nAppServiceAntivirusScanAuditLogs\n| where NumberOfInfectedFiles > 0\n| extend timestamp = TimeGenerated\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Informational",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 1
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}