Malware Event Detected

Back


Id	b42424a6-10f4-447b-92a0-55ac38f4a475
Rulename	Malware Event Detected
Description	Detects when restore points are marked as infected. This might indicate potential compromise of backup data.
Severity	Medium
Tactics	Impact
Techniques	T1486
Required data connectors	VeeamCustomTablesDataConnector
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Malware_Event_Detected.yaml
Version	1.0.0
Arm template	b42424a6-10f4-447b-92a0-55ac38f4a475.json

KQL

VeeamMalwareEvents_CL

YAML

tactics:
- Impact
name: Malware Event Detected
id: b42424a6-10f4-447b-92a0-55ac38f4a475
requiredDataConnectors:
- connectorId: VeeamCustomTablesDataConnector
  dataTypes:
  - VeeamMalwareEvents_CL
query: VeeamMalwareEvents_CL
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1486
description: Detects when restore points are marked as infected. This might indicate potential compromise of backup data.
triggerOperator: gt
queryPeriod: 5m
severity: Medium
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: VbrHostName
  entityType: Host
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Malware_Event_Detected.yaml
version: 1.0.0
triggerThreshold: 0
kind: Scheduled
queryFrequency: 5m
status: Available
customDetails:
  MachineDisplayName: MachineDisplayName
  MachineUuid: MachineUuid
  BackupObjectId: MachineBackupObjectId
  VbrHostName: VbrHostName

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b42424a6-10f4-447b-92a0-55ac38f4a475')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b42424a6-10f4-447b-92a0-55ac38f4a475')]",
      "properties": {
        "alertRuleTemplateName": "b42424a6-10f4-447b-92a0-55ac38f4a475",
        "customDetails": {
          "BackupObjectId": "MachineBackupObjectId",
          "MachineDisplayName": "MachineDisplayName",
          "MachineUuid": "MachineUuid",
          "VbrHostName": "VbrHostName"
        },
        "description": "Detects when restore points are marked as infected. This might indicate potential compromise of backup data.",
        "displayName": "Malware Event Detected",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "VbrHostName",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Malware_Event_Detected.yaml",
        "query": "VeeamMalwareEvents_CL",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1486"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}