Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Malware Event Detected

Back
Idb42424a6-10f4-447b-92a0-55ac38f4a475
RulenameMalware Event Detected
DescriptionDetects when restore points are marked as infected. This might indicate potential compromise of backup data.
SeverityMedium
TacticsImpact
TechniquesT1486
Required data connectorsVeeamCustomTablesDataConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Malware_Event_Detected.yaml
Version1.0.0
Arm templateb42424a6-10f4-447b-92a0-55ac38f4a475.json
Deploy To Azure
VeeamMalwareEvents_CL
entityMappings:
- fieldMappings:
  - columnName: VbrHostName
    identifier: HostName
  entityType: Host
triggerThreshold: 0
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Malware_Event_Detected.yaml
queryFrequency: 5m
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  MachineDisplayName: MachineDisplayName
  BackupObjectId: MachineBackupObjectId
  MachineUuid: MachineUuid
  VbrHostName: VbrHostName
relevantTechniques:
- T1486
triggerOperator: gt
id: b42424a6-10f4-447b-92a0-55ac38f4a475
requiredDataConnectors:
- connectorId: VeeamCustomTablesDataConnector
  dataTypes:
  - VeeamMalwareEvents_CL
version: 1.0.0
name: Malware Event Detected
tactics:
- Impact
description: Detects when restore points are marked as infected. This might indicate potential compromise of backup data.
query: VeeamMalwareEvents_CL
status: Available
queryPeriod: 5m
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b42424a6-10f4-447b-92a0-55ac38f4a475')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b42424a6-10f4-447b-92a0-55ac38f4a475')]",
      "properties": {
        "alertRuleTemplateName": "b42424a6-10f4-447b-92a0-55ac38f4a475",
        "customDetails": {
          "BackupObjectId": "MachineBackupObjectId",
          "MachineDisplayName": "MachineDisplayName",
          "MachineUuid": "MachineUuid",
          "VbrHostName": "VbrHostName"
        },
        "description": "Detects when restore points are marked as infected. This might indicate potential compromise of backup data.",
        "displayName": "Malware Event Detected",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "VbrHostName",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Malware_Event_Detected.yaml",
        "query": "VeeamMalwareEvents_CL",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1486"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}