Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

SureBackup Job Failed

Back
Idb7409bbb-6f0c-43c4-bb63-b20add5eb717
RulenameSureBackup Job Failed
DescriptionDetects failed SureBackup job operations. This might indicate malware issues, storage problems, or potential sabotage of backup infrastructure.
SeverityHigh
TacticsDefenseEvasion
Impact
TechniquesT1562
T1490
Required data connectorsSyslog
SyslogAma
KindScheduled
Query frequency3h
Query period3h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/SureBackup_Job_Failed.yaml
Version1.0.0
Arm templateb7409bbb-6f0c-43c4-bb63-b20add5eb717.json
Deploy To Azure
Veeam_GetJobFinished
| where instanceId == 390
| project
    Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
    DataSource = original_host,
    EventId = instanceId,
    ["StateMessage"] = JobTypeDescription,
    ["State"] = JobResultMessage,
    Severity = Severity,
    MessageDetails = Description
tactics:
- DefenseEvasion
- Impact
name: SureBackup Job Failed
id: b7409bbb-6f0c-43c4-bb63-b20add5eb717
requiredDataConnectors:
- connectorId: Syslog
  dataTypes:
  - Syslog
- connectorId: SyslogAma
  dataTypes:
  - Syslog
query: |-
  Veeam_GetJobFinished
  | where instanceId == 390
  | project
      Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
      DataSource = original_host,
      EventId = instanceId,
      ["StateMessage"] = JobTypeDescription,
      ["State"] = JobResultMessage,
      Severity = Severity,
      MessageDetails = Description  
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1562
- T1490
description: Detects failed SureBackup job operations. This might indicate malware issues, storage problems, or potential sabotage of backup infrastructure.
triggerOperator: gt
queryPeriod: 3h
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/SureBackup_Job_Failed.yaml
version: 1.0.0
triggerThreshold: 0
kind: Scheduled
queryFrequency: 3h
status: Available
customDetails:
  VbrHostName: DataSource
  EventId: EventId
  Severity: Severity
  Date: Date
  MessageDetails: MessageDetails
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b7409bbb-6f0c-43c4-bb63-b20add5eb717')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b7409bbb-6f0c-43c4-bb63-b20add5eb717')]",
      "properties": {
        "alertRuleTemplateName": "b7409bbb-6f0c-43c4-bb63-b20add5eb717",
        "customDetails": {
          "Date": "Date",
          "EventId": "EventId",
          "MessageDetails": "MessageDetails",
          "Severity": "Severity",
          "VbrHostName": "DataSource"
        },
        "description": "Detects failed SureBackup job operations. This might indicate malware issues, storage problems, or potential sabotage of backup infrastructure.",
        "displayName": "SureBackup Job Failed",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/SureBackup_Job_Failed.yaml",
        "query": "Veeam_GetJobFinished\n| where instanceId == 390\n| project\n    Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),\n    DataSource = original_host,\n    EventId = instanceId,\n    [\"StateMessage\"] = JobTypeDescription,\n    [\"State\"] = JobResultMessage,\n    Severity = Severity,\n    MessageDetails = Description",
        "queryFrequency": "PT3H",
        "queryPeriod": "PT3H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Impact"
        ],
        "techniques": [
          "T1490",
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}