Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Objects Added to Malware Detection Exclusions

Back
Ida8ebf22b-a050-434c-8095-2267f206257a
RulenameObjects Added to Malware Detection Exclusions
DescriptionDetects when an object is added to malware detection exclusions.
SeverityHigh
Required data connectorsSyslog
SyslogAma
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Objects_Added_to_Malware_Detection_Exclusions.yaml
Version1.0.1
Arm templatea8ebf22b-a050-434c-8095-2267f206257a.json
Deploy To Azure
Veeam_GetSecurityEvents
| where instanceId == 42260
| extend AddedObjectNames = extract("AddedObjectNames=\"([^\"]*)\"", 1, SyslogMessage)
| project
    Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
    DataSource = original_host,
    EventId = instanceId,
    ["Object Names"] = AddedObjectNames,
    MessageDetails = Description,
    Severity = SeverityDescription
name: Objects Added to Malware Detection Exclusions
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: a8ebf22b-a050-434c-8095-2267f206257a
requiredDataConnectors:
- connectorId: Syslog
  dataTypes:
  - Syslog
- connectorId: SyslogAma
  dataTypes:
  - Syslog
severity: High
triggerThreshold: 0
version: 1.0.1
description: Detects when an object is added to malware detection exclusions.
relevantTechniques: []
kind: Scheduled
queryPeriod: 5m
tactics: []
customDetails:
  Severity: Severity
  MessageDetails: MessageDetails
  Date: Date
  VbrHostName: DataSource
  EventId: EventId
queryFrequency: 5m
status: Available
triggerOperator: gt
query: |-
  Veeam_GetSecurityEvents
  | where instanceId == 42260
  | extend AddedObjectNames = extract("AddedObjectNames=\"([^\"]*)\"", 1, SyslogMessage)
  | project
      Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
      DataSource = original_host,
      EventId = instanceId,
      ["Object Names"] = AddedObjectNames,
      MessageDetails = Description,
      Severity = SeverityDescription  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Objects_Added_to_Malware_Detection_Exclusions.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a8ebf22b-a050-434c-8095-2267f206257a')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a8ebf22b-a050-434c-8095-2267f206257a')]",
      "properties": {
        "alertRuleTemplateName": "a8ebf22b-a050-434c-8095-2267f206257a",
        "customDetails": {
          "Date": "Date",
          "EventId": "EventId",
          "MessageDetails": "MessageDetails",
          "Severity": "Severity",
          "VbrHostName": "DataSource"
        },
        "description": "Detects when an object is added to malware detection exclusions.",
        "displayName": "Objects Added to Malware Detection Exclusions",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Objects_Added_to_Malware_Detection_Exclusions.yaml",
        "query": "Veeam_GetSecurityEvents\n| where instanceId == 42260\n| extend AddedObjectNames = extract(\"AddedObjectNames=\\\"([^\\\"]*)\\\"\", 1, SyslogMessage)\n| project\n    Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),\n    DataSource = original_host,\n    EventId = instanceId,\n    [\"Object Names\"] = AddedObjectNames,\n    MessageDetails = Description,\n    Severity = SeverityDescription",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}