License Grace Period Started
| Id | e4828d99-bb06-40b3-8f9d-0f68fb61e9ee |
| Rulename | License Grace Period Started |
| Description | Detects when a Veeam license grace period starts. This might indicate potential licensing issues that need attention. |
| Severity | High |
| Required data connectors | Syslog SyslogAma |
| Kind | Scheduled |
| Query frequency | 3h |
| Query period | 3h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/License_Grace_Period_Started.yaml |
| Version | 1.0.1 |
| Arm template | e4828d99-bb06-40b3-8f9d-0f68fb61e9ee.json |
let license_editions_lookup = union isfuzzy=true (datatable(Edition:string, EditionDescription:string)[]), (_GetWatchlist("license_editions_lookup"));
let license_types_lookup = union isfuzzy=true (datatable(Type:string, TypeDescription:string)[]), (_GetWatchlist("license_types_lookup"));
Veeam_GetSecurityEvents
| where instanceId == 24060
| extend Edition = extract("Edition=\"([^\"]*)\"", 1, SyslogMessage)
| lookup kind=leftouter (license_editions_lookup)
on $left.Edition == $right.Edition
| extend Type = extract("Type=\"([^\"]*)\"", 1, SyslogMessage)
| lookup kind=leftouter (license_types_lookup)
on $left.Type == $right.Type
| extend TenantID = extract("TenantID=\"([^\"]*)\"", 1, SyslogMessage)
| extend DaysLeft = extract("DaysLeft=\"([^\"]*)\"", 1, SyslogMessage)
| extend SupportLeft = extract("SupportLeft=\"([^\"]*)\"", 1, SyslogMessage)
| project
Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
DataSource = original_host,
EventId = instanceId,
["License Edition"] = EditionDescription,
["License Type"] = TypeDescription,
["Days Left"] = DaysLeft,
["Days of Support Left"] = SupportLeft,
MessageDetails = Description,
Severity = SeverityDescription
queryPeriod: 3h
query: |
let license_editions_lookup = union isfuzzy=true (datatable(Edition:string, EditionDescription:string)[]), (_GetWatchlist("license_editions_lookup"));
let license_types_lookup = union isfuzzy=true (datatable(Type:string, TypeDescription:string)[]), (_GetWatchlist("license_types_lookup"));
Veeam_GetSecurityEvents
| where instanceId == 24060
| extend Edition = extract("Edition=\"([^\"]*)\"", 1, SyslogMessage)
| lookup kind=leftouter (license_editions_lookup)
on $left.Edition == $right.Edition
| extend Type = extract("Type=\"([^\"]*)\"", 1, SyslogMessage)
| lookup kind=leftouter (license_types_lookup)
on $left.Type == $right.Type
| extend TenantID = extract("TenantID=\"([^\"]*)\"", 1, SyslogMessage)
| extend DaysLeft = extract("DaysLeft=\"([^\"]*)\"", 1, SyslogMessage)
| extend SupportLeft = extract("SupportLeft=\"([^\"]*)\"", 1, SyslogMessage)
| project
Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
DataSource = original_host,
EventId = instanceId,
["License Edition"] = EditionDescription,
["License Type"] = TypeDescription,
["Days Left"] = DaysLeft,
["Days of Support Left"] = SupportLeft,
MessageDetails = Description,
Severity = SeverityDescription
name: License Grace Period Started
eventGroupingSettings:
aggregationKind: AlertPerResult
queryFrequency: 3h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/License_Grace_Period_Started.yaml
description: Detects when a Veeam license grace period starts. This might indicate potential licensing issues that need attention.
kind: Scheduled
version: 1.0.1
status: Available
severity: High
requiredDataConnectors:
- connectorId: Syslog
dataTypes:
- Syslog
- connectorId: SyslogAma
dataTypes:
- Syslog
triggerOperator: gt
triggerThreshold: 0
customDetails:
EventId: EventId
MessageDetails: MessageDetails
VbrHostName: DataSource
Date: Date
Severity: Severity
tactics: []
id: e4828d99-bb06-40b3-8f9d-0f68fb61e9ee
relevantTechniques: []