Malware Event Detected

Back


Id	b42424a6-10f4-447b-92a0-55ac38f4a475
Rulename	Malware Event Detected
Description	Detects when restore points are marked as infected. This might indicate potential compromise of backup data.
Severity	Medium
Tactics	Impact
Techniques	T1486
Required data connectors	VeeamCustomTablesDataConnector
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Malware_Event_Detected.yaml
Version	1.0.0
Arm template	b42424a6-10f4-447b-92a0-55ac38f4a475.json

KQL

VeeamMalwareEvents_CL

YAML

entityMappings:
- fieldMappings:
  - columnName: VbrHostName
    identifier: HostName
  entityType: Host
triggerThreshold: 0
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Malware_Event_Detected.yaml
queryFrequency: 5m
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  MachineDisplayName: MachineDisplayName
  BackupObjectId: MachineBackupObjectId
  MachineUuid: MachineUuid
  VbrHostName: VbrHostName
relevantTechniques:
- T1486
triggerOperator: gt
id: b42424a6-10f4-447b-92a0-55ac38f4a475
requiredDataConnectors:
- connectorId: VeeamCustomTablesDataConnector
  dataTypes:
  - VeeamMalwareEvents_CL
version: 1.0.0
name: Malware Event Detected
tactics:
- Impact
description: Detects when restore points are marked as infected. This might indicate potential compromise of backup data.
query: VeeamMalwareEvents_CL
status: Available
queryPeriod: 5m
kind: Scheduled

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b42424a6-10f4-447b-92a0-55ac38f4a475')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b42424a6-10f4-447b-92a0-55ac38f4a475')]",
      "properties": {
        "alertRuleTemplateName": "b42424a6-10f4-447b-92a0-55ac38f4a475",
        "customDetails": {
          "BackupObjectId": "MachineBackupObjectId",
          "MachineDisplayName": "MachineDisplayName",
          "MachineUuid": "MachineUuid",
          "VbrHostName": "VbrHostName"
        },
        "description": "Detects when restore points are marked as infected. This might indicate potential compromise of backup data.",
        "displayName": "Malware Event Detected",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "VbrHostName",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Malware_Event_Detected.yaml",
        "query": "VeeamMalwareEvents_CL",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1486"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}