Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Objects for Protection Group Changed

Back
Idaf97a601-8fac-4628-bdad-5fc0511236b2
RulenameObjects for Protection Group Changed
DescriptionDetects when protection group objects are updated.
SeverityInformational
TacticsDefenseEvasion
TechniquesT1562.001
Required data connectorsSyslog
SyslogAma
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Objects_for_Protection_Group_Changed.yaml
Version1.0.0
Arm templateaf97a601-8fac-4628-bdad-5fc0511236b2.json
Deploy To Azure
Veeam_GetSecurityEvents
| where instanceId == 29140
| project
    Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
    DataSource = original_host,
    EventId = instanceId,
    UserName = user,
  MessageDetails = Description,
    Severity = SeverityDescription
tactics:
- DefenseEvasion
name: Objects for Protection Group Changed
id: af97a601-8fac-4628-bdad-5fc0511236b2
requiredDataConnectors:
- connectorId: Syslog
  dataTypes:
  - Syslog
- connectorId: SyslogAma
  dataTypes:
  - Syslog
query: |-
  Veeam_GetSecurityEvents
  | where instanceId == 29140
  | project
      Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
      DataSource = original_host,
      EventId = instanceId,
      UserName = user,
    MessageDetails = Description,
      Severity = SeverityDescription  
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1562.001
description: Detects when protection group objects are updated.
triggerOperator: gt
queryPeriod: 1d
severity: Informational
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Objects_for_Protection_Group_Changed.yaml
version: 1.0.0
triggerThreshold: 0
kind: Scheduled
queryFrequency: 1d
status: Available
customDetails:
  VbrHostName: DataSource
  EventId: EventId
  Severity: Severity
  Date: Date
  MessageDetails: MessageDetails
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/af97a601-8fac-4628-bdad-5fc0511236b2')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/af97a601-8fac-4628-bdad-5fc0511236b2')]",
      "properties": {
        "alertRuleTemplateName": "af97a601-8fac-4628-bdad-5fc0511236b2",
        "customDetails": {
          "Date": "Date",
          "EventId": "EventId",
          "MessageDetails": "MessageDetails",
          "Severity": "Severity",
          "VbrHostName": "DataSource"
        },
        "description": "Detects when protection group objects are updated.",
        "displayName": "Objects for Protection Group Changed",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Objects_for_Protection_Group_Changed.yaml",
        "query": "Veeam_GetSecurityEvents\n| where instanceId == 29140\n| project\n    Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),\n    DataSource = original_host,\n    EventId = instanceId,\n    UserName = user,\n  MessageDetails = Description,\n    Severity = SeverityDescription",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Informational",
        "status": "Available",
        "subTechniques": [
          "T1562.001"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}