Microsoft Sentinel Analytic Rules

License Grace Period Started

Ide4828d99-bb06-40b3-8f9d-0f68fb61e9ee
RulenameLicense Grace Period Started
DescriptionDetects when a Veeam Backup & Replication license enters its grace period (Veeam event ID 24060). This is primarily a licensing/operational signal: the issue should be resolved before the grace period ends, and an unexpected license-state change on a backup server is worth reviewing alongside other Veeam alerts for the same host.
SeverityHigh
TacticsImpact
TechniquesT1489
Required data connectorsSyslog
SyslogAma
KindScheduled
Query frequency3h
Query period3h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/License_Grace_Period_Started.yaml
Version1.0.0
Arm templatee4828d99-bb06-40b3-8f9d-0f68fb61e9ee.json
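// Veeam Backup & Replication: a license grace period has started (Veeam event ID 24060).
// The two watchlists translate Veeam's raw Edition / Type codes into readable text; the
// empty datatable in each union keeps the query valid when a watchlist does not exist yet.
let license_editions_lookup = union isfuzzy=true (datatable(Edition:string, EditionDescription:string)[]), (_GetWatchlist("license_editions_lookup"));
let license_types_lookup = union isfuzzy=true (datatable(Type:string, TypeDescription:string)[]), (_GetWatchlist("license_types_lookup"));
Veeam_GetSecurityEvents
| where instanceId == 24060
// Fields arrive as key="value" pairs inside the syslog payload. extract() yields no value
// (null/empty) when a key is absent, so the columns below are safe to use either way.
| extend Edition = extract("Edition=\"([^\"]*)\"", 1, SyslogMessage)
| lookup kind=leftouter (license_editions_lookup)
    on $left.Edition == $right.Edition
| extend Type = extract("Type=\"([^\"]*)\"", 1, SyslogMessage)
| lookup kind=leftouter (license_types_lookup)
    on $left.Type == $right.Type
| extend TenantID = extract("TenantID=\"([^\"]*)\"", 1, SyslogMessage)
| extend DaysLeft = extract("DaysLeft=\"([^\"]*)\"", 1, SyslogMessage)
| extend SupportLeft = extract("SupportLeft=\"([^\"]*)\"", 1, SyslogMessage)
| project
    Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
    DataSource = original_host,
    EventId = instanceId,
    // Fall back to the raw code when the watchlist has no matching row, so the alert
    // never shows an empty edition/type just because the lookup table is incomplete.
    ["License Edition"] = coalesce(EditionDescription, Edition),
    ["License Type"] = coalesce(TypeDescription, Type),
    // Previously extracted but dropped; keep it so analysts can tell which tenant is affected.
    TenantID,
    ["Days Left"] = DaysLeft,
    ["Days of Support Left"] = SupportLeft,
    MessageDetails = Description,
    Severity = SeverityDescription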
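# Veeam Backup & Replication: license grace period started (Veeam event ID 24060).
# This is a licensing/operational signal rather than a direct attack indicator; the
# Impact / T1489 mapping reflects the risk that backups stop once the grace period
# ends. Review the severity if the rule proves noisy in your environment.
tactics:
- Impact
name: License Grace Period Started
id: e4828d99-bb06-40b3-8f9d-0f68fb61e9ee
# Either the legacy Syslog connector or the AMA-based one can feed Veeam_GetSecurityEvents.
requiredDataConnectors:
- connectorId: Syslog
  dataTypes:
  - Syslog
- connectorId: SyslogAma
  dataTypes:
  - Syslog
query: |
  // The two watchlists translate Veeam's raw Edition / Type codes into readable text; the
  // empty datatable in each union keeps the query valid when a watchlist does not exist yet.
  let license_editions_lookup = union isfuzzy=true (datatable(Edition:string, EditionDescription:string)[]), (_GetWatchlist("license_editions_lookup"));
  let license_types_lookup = union isfuzzy=true (datatable(Type:string, TypeDescription:string)[]), (_GetWatchlist("license_types_lookup"));
  Veeam_GetSecurityEvents
  | where instanceId == 24060
  // Fields arrive as key="value" pairs inside the syslog payload. extract() yields no value
  // (null/empty) when a key is absent, so the columns below are safe to use either way.
  | extend Edition = extract("Edition=\"([^\"]*)\"", 1, SyslogMessage)
  | lookup kind=leftouter (license_editions_lookup)
      on $left.Edition == $right.Edition
  | extend Type = extract("Type=\"([^\"]*)\"", 1, SyslogMessage)
  | lookup kind=leftouter (license_types_lookup)
      on $left.Type == $right.Type
  | extend TenantID = extract("TenantID=\"([^\"]*)\"", 1, SyslogMessage)
  | extend DaysLeft = extract("DaysLeft=\"([^\"]*)\"", 1, SyslogMessage)
  | extend SupportLeft = extract("SupportLeft=\"([^\"]*)\"", 1, SyslogMessage)
  | project
      Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
      DataSource = original_host,
      EventId = instanceId,
      // Fall back to the raw code when the watchlist has no matching row, so the alert
      // never shows an empty edition/type just because the lookup table is incomplete.
      ["License Edition"] = coalesce(EditionDescription, Edition),
      ["License Type"] = coalesce(TypeDescription, Type),
      // Previously extracted but dropped; keep it so analysts can tell which tenant is affected.
      TenantID,
      ["Days Left"] = DaysLeft,
      ["Days of Support Left"] = SupportLeft,
      MessageDetails = Description,
      Severity = SeverityDescription
# Map the reporting backup server to a Host entity so the alert correlates with other
# incidents for the same machine and can drive entity-based automation. DataSource is
# original_host from the Veeam parser, which the custom details already label VbrHostName.
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DataSource
# One alert per matching event; the rule fires on any result (threshold 0, operator gt).
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1489
description: Detects when a Veeam Backup & Replication license enters its grace period (Veeam event ID 24060). This is primarily a licensing/operational signal; resolve the issue before the grace period ends, and review an unexpected license-state change on a backup server alongside other Veeam alerts for the same host.
triggerOperator: gt
queryPeriod: 3h
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/License_Grace_Period_Started.yaml
version: 1.0.0
triggerThreshold: 0
kind: Scheduled
# Frequency equals period, so consecutive runs do not overlap and each event is seen once.
queryFrequency: 3h
status: Available
customDetails:
  VbrHostName: DataSource
  EventId: EventId
  Severity: Severity
  Date: Date
  MessageDetails: MessageDetails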
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e4828d99-bb06-40b3-8f9d-0f68fb61e9ee')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e4828d99-bb06-40b3-8f9d-0f68fb61e9ee')]",
      "properties": {
        "alertRuleTemplateName": "e4828d99-bb06-40b3-8f9d-0f68fb61e9ee",
        "customDetails": {
          "Date": "Date",
          "EventId": "EventId",
          "MessageDetails": "MessageDetails",
          "Severity": "Severity",
          "VbrHostName": "DataSource"
        },
        "description": "Detects when a Veeam Backup & Replication license enters its grace period (Veeam event ID 24060). This is primarily a licensing/operational signal; resolve the issue before the grace period ends, and review an unexpected license-state change on a backup server alongside other Veeam alerts for the same host.",
        "displayName": "License Grace Period Started",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/License_Grace_Period_Started.yaml",
        "query": "let license_editions_lookup = union isfuzzy=true (datatable(Edition:string, EditionDescription:string)[]), (_GetWatchlist(\"license_editions_lookup\")); \nlet license_types_lookup = union isfuzzy=true (datatable(Type:string, TypeDescription:string)[]), (_GetWatchlist(\"license_types_lookup\")); \nVeeam_GetSecurityEvents\n| where instanceId == 24060\n| extend Edition = extract(\"Edition=\\\"([^\\\"]*)\\\"\", 1, SyslogMessage)\n| lookup kind=leftouter (license_editions_lookup) \n    on $left.Edition == $right.Edition\n| extend Type = extract(\"Type=\\\"([^\\\"]*)\\\"\", 1, SyslogMessage)\n| lookup kind=leftouter (license_types_lookup) \n    on $left.Type == $right.Type\n| extend TenantID = extract(\"TenantID=\\\"([^\\\"]*)\\\"\", 1, SyslogMessage)\n| extend DaysLeft = extract(\"DaysLeft=\\\"([^\\\"]*)\\\"\", 1, SyslogMessage)\n| extend SupportLeft = extract(\"SupportLeft=\\\"([^\\\"]*)\\\"\", 1, SyslogMessage)\n| project\n    Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),\n    DataSource = original_host,\n    EventId = instanceId,\n    [\"License Edition\"] = EditionDescription,\n    [\"License Type\"] = TypeDescription,\n    [\"Days Left\"] = DaysLeft,\n    [\"Days of Support Left\"] = SupportLeft,\n    MessageDetails = Description,\n    Severity = SeverityDescription\n",
        "queryFrequency": "PT3H",
        "queryPeriod": "PT3H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1489"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}