Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

SureBackup Job Failed

Back
Idb7409bbb-6f0c-43c4-bb63-b20add5eb717
RulenameSureBackup Job Failed
DescriptionDetects failed SureBackup job operations. This might indicate malware issues, storage problems, or potential sabotage of backup infrastructure.
SeverityHigh
TacticsDefenseEvasion
Impact
TechniquesT1562
T1490
Required data connectorsSyslog
SyslogAma
KindScheduled
Query frequency3h
Query period3h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/SureBackup_Job_Failed.yaml
Version1.0.0
Arm templateb7409bbb-6f0c-43c4-bb63-b20add5eb717.json
Deploy To Azure
Veeam_GetJobFinished
| where instanceId == 390
| project
    Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
    DataSource = original_host,
    EventId = instanceId,
    ["StateMessage"] = JobTypeDescription,
    ["State"] = JobResultMessage,
    Severity = Severity,
    MessageDetails = Description
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/SureBackup_Job_Failed.yaml
triggerThreshold: 0
severity: High
queryFrequency: 3h
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  EventId: EventId
  Date: Date
  Severity: Severity
  MessageDetails: MessageDetails
  VbrHostName: DataSource
relevantTechniques:
- T1562
- T1490
triggerOperator: gt
id: b7409bbb-6f0c-43c4-bb63-b20add5eb717
requiredDataConnectors:
- connectorId: Syslog
  dataTypes:
  - Syslog
- connectorId: SyslogAma
  dataTypes:
  - Syslog
version: 1.0.0
name: SureBackup Job Failed
tactics:
- DefenseEvasion
- Impact
description: Detects failed SureBackup job operations. This might indicate malware issues, storage problems, or potential sabotage of backup infrastructure.
query: |-
  Veeam_GetJobFinished
  | where instanceId == 390
  | project
      Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
      DataSource = original_host,
      EventId = instanceId,
      ["StateMessage"] = JobTypeDescription,
      ["State"] = JobResultMessage,
      Severity = Severity,
      MessageDetails = Description  
status: Available
queryPeriod: 3h
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b7409bbb-6f0c-43c4-bb63-b20add5eb717')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b7409bbb-6f0c-43c4-bb63-b20add5eb717')]",
      "properties": {
        "alertRuleTemplateName": "b7409bbb-6f0c-43c4-bb63-b20add5eb717",
        "customDetails": {
          "Date": "Date",
          "EventId": "EventId",
          "MessageDetails": "MessageDetails",
          "Severity": "Severity",
          "VbrHostName": "DataSource"
        },
        "description": "Detects failed SureBackup job operations. This might indicate malware issues, storage problems, or potential sabotage of backup infrastructure.",
        "displayName": "SureBackup Job Failed",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/SureBackup_Job_Failed.yaml",
        "query": "Veeam_GetJobFinished\n| where instanceId == 390\n| project\n    Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),\n    DataSource = original_host,\n    EventId = instanceId,\n    [\"StateMessage\"] = JobTypeDescription,\n    [\"State\"] = JobResultMessage,\n    Severity = Severity,\n    MessageDetails = Description",
        "queryFrequency": "PT3H",
        "queryPeriod": "PT3H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Impact"
        ],
        "techniques": [
          "T1490",
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}