Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

License Grace Period Started

Back
Ide4828d99-bb06-40b3-8f9d-0f68fb61e9ee
RulenameLicense Grace Period Started
DescriptionDetects when a Veeam license grace period starts. This might indicate potential licensing issues that need attention.
SeverityHigh
TacticsImpact
TechniquesT1489
Required data connectorsSyslog
SyslogAma
KindScheduled
Query frequency3h
Query period3h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/License_Grace_Period_Started.yaml
Version1.0.0
Arm templatee4828d99-bb06-40b3-8f9d-0f68fb61e9ee.json
Deploy To Azure
let license_editions_lookup = union isfuzzy=true (datatable(Edition:string, EditionDescription:string)[]), (_GetWatchlist("license_editions_lookup")); 
let license_types_lookup = union isfuzzy=true (datatable(Type:string, TypeDescription:string)[]), (_GetWatchlist("license_types_lookup")); 
Veeam_GetSecurityEvents
| where instanceId == 24060
| extend Edition = extract("Edition=\"([^\"]*)\"", 1, SyslogMessage)
| lookup kind=leftouter (license_editions_lookup) 
    on $left.Edition == $right.Edition
| extend Type = extract("Type=\"([^\"]*)\"", 1, SyslogMessage)
| lookup kind=leftouter (license_types_lookup) 
    on $left.Type == $right.Type
| extend TenantID = extract("TenantID=\"([^\"]*)\"", 1, SyslogMessage)
| extend DaysLeft = extract("DaysLeft=\"([^\"]*)\"", 1, SyslogMessage)
| extend SupportLeft = extract("SupportLeft=\"([^\"]*)\"", 1, SyslogMessage)
| project
    Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
    DataSource = original_host,
    EventId = instanceId,
    ["License Edition"] = EditionDescription,
    ["License Type"] = TypeDescription,
    ["Days Left"] = DaysLeft,
    ["Days of Support Left"] = SupportLeft,
    MessageDetails = Description,
    Severity = SeverityDescription
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/License_Grace_Period_Started.yaml
triggerThreshold: 0
severity: High
queryFrequency: 3h
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  EventId: EventId
  Date: Date
  Severity: Severity
  MessageDetails: MessageDetails
  VbrHostName: DataSource
relevantTechniques:
- T1489
triggerOperator: gt
id: e4828d99-bb06-40b3-8f9d-0f68fb61e9ee
requiredDataConnectors:
- connectorId: Syslog
  dataTypes:
  - Syslog
- connectorId: SyslogAma
  dataTypes:
  - Syslog
version: 1.0.0
name: License Grace Period Started
tactics:
- Impact
description: Detects when a Veeam license grace period starts. This might indicate potential licensing issues that need attention.
query: |
  let license_editions_lookup = union isfuzzy=true (datatable(Edition:string, EditionDescription:string)[]), (_GetWatchlist("license_editions_lookup")); 
  let license_types_lookup = union isfuzzy=true (datatable(Type:string, TypeDescription:string)[]), (_GetWatchlist("license_types_lookup")); 
  Veeam_GetSecurityEvents
  | where instanceId == 24060
  | extend Edition = extract("Edition=\"([^\"]*)\"", 1, SyslogMessage)
  | lookup kind=leftouter (license_editions_lookup) 
      on $left.Edition == $right.Edition
  | extend Type = extract("Type=\"([^\"]*)\"", 1, SyslogMessage)
  | lookup kind=leftouter (license_types_lookup) 
      on $left.Type == $right.Type
  | extend TenantID = extract("TenantID=\"([^\"]*)\"", 1, SyslogMessage)
  | extend DaysLeft = extract("DaysLeft=\"([^\"]*)\"", 1, SyslogMessage)
  | extend SupportLeft = extract("SupportLeft=\"([^\"]*)\"", 1, SyslogMessage)
  | project
      Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
      DataSource = original_host,
      EventId = instanceId,
      ["License Edition"] = EditionDescription,
      ["License Type"] = TypeDescription,
      ["Days Left"] = DaysLeft,
      ["Days of Support Left"] = SupportLeft,
      MessageDetails = Description,
      Severity = SeverityDescription  
status: Available
queryPeriod: 3h
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e4828d99-bb06-40b3-8f9d-0f68fb61e9ee')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e4828d99-bb06-40b3-8f9d-0f68fb61e9ee')]",
      "properties": {
        "alertRuleTemplateName": "e4828d99-bb06-40b3-8f9d-0f68fb61e9ee",
        "customDetails": {
          "Date": "Date",
          "EventId": "EventId",
          "MessageDetails": "MessageDetails",
          "Severity": "Severity",
          "VbrHostName": "DataSource"
        },
        "description": "Detects when a Veeam license grace period starts. This might indicate potential licensing issues that need attention.",
        "displayName": "License Grace Period Started",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/License_Grace_Period_Started.yaml",
        "query": "let license_editions_lookup = union isfuzzy=true (datatable(Edition:string, EditionDescription:string)[]), (_GetWatchlist(\"license_editions_lookup\")); \nlet license_types_lookup = union isfuzzy=true (datatable(Type:string, TypeDescription:string)[]), (_GetWatchlist(\"license_types_lookup\")); \nVeeam_GetSecurityEvents\n| where instanceId == 24060\n| extend Edition = extract(\"Edition=\\\"([^\\\"]*)\\\"\", 1, SyslogMessage)\n| lookup kind=leftouter (license_editions_lookup) \n    on $left.Edition == $right.Edition\n| extend Type = extract(\"Type=\\\"([^\\\"]*)\\\"\", 1, SyslogMessage)\n| lookup kind=leftouter (license_types_lookup) \n    on $left.Type == $right.Type\n| extend TenantID = extract(\"TenantID=\\\"([^\\\"]*)\\\"\", 1, SyslogMessage)\n| extend DaysLeft = extract(\"DaysLeft=\\\"([^\\\"]*)\\\"\", 1, SyslogMessage)\n| extend SupportLeft = extract(\"SupportLeft=\\\"([^\\\"]*)\\\"\", 1, SyslogMessage)\n| project\n    Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),\n    DataSource = original_host,\n    EventId = instanceId,\n    [\"License Edition\"] = EditionDescription,\n    [\"License Type\"] = TypeDescription,\n    [\"Days Left\"] = DaysLeft,\n    [\"Days of Support Left\"] = SupportLeft,\n    MessageDetails = Description,\n    Severity = SeverityDescription\n",
        "queryFrequency": "PT3H",
        "queryPeriod": "PT3H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1489"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}