Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Malware Detection Settings Updated

Back
Ideffd8410-3119-41c8-a228-9c0c8ce10d67
RulenameMalware Detection Settings Updated
DescriptionDetects when malware detection settings are updated.
SeverityHigh
TacticsDefenseEvasion
Impact
TechniquesT1562.001
T1486
Required data connectorsSyslog
SyslogAma
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Malware_Detection_Settings_Updated.yaml
Version1.0.0
Arm templateeffd8410-3119-41c8-a228-9c0c8ce10d67.json
Deploy To Azure
Veeam_GetSecurityEvents
| where instanceId == 42290
| project
    Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
    DataSource = original_host,
    EventId = instanceId,
    ["User Name"] = user,
  MessageDetails = Description,
   Severity = SeverityDescription
tactics:
- DefenseEvasion
- Impact
name: Malware Detection Settings Updated
id: effd8410-3119-41c8-a228-9c0c8ce10d67
requiredDataConnectors:
- connectorId: Syslog
  dataTypes:
  - Syslog
- connectorId: SyslogAma
  dataTypes:
  - Syslog
query: |-
  Veeam_GetSecurityEvents
  | where instanceId == 42290
  | project
      Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
      DataSource = original_host,
      EventId = instanceId,
      ["User Name"] = user,
    MessageDetails = Description,
     Severity = SeverityDescription  
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1562.001
- T1486
description: Detects when malware detection settings are updated.
triggerOperator: gt
queryPeriod: 5m
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Malware_Detection_Settings_Updated.yaml
version: 1.0.0
triggerThreshold: 0
kind: Scheduled
queryFrequency: 5m
status: Available
customDetails:
  VbrHostName: DataSource
  EventId: EventId
  Severity: Severity
  Date: Date
  MessageDetails: MessageDetails
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/effd8410-3119-41c8-a228-9c0c8ce10d67')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/effd8410-3119-41c8-a228-9c0c8ce10d67')]",
      "properties": {
        "alertRuleTemplateName": "effd8410-3119-41c8-a228-9c0c8ce10d67",
        "customDetails": {
          "Date": "Date",
          "EventId": "EventId",
          "MessageDetails": "MessageDetails",
          "Severity": "Severity",
          "VbrHostName": "DataSource"
        },
        "description": "Detects when malware detection settings are updated.",
        "displayName": "Malware Detection Settings Updated",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Malware_Detection_Settings_Updated.yaml",
        "query": "Veeam_GetSecurityEvents\n| where instanceId == 42290\n| project\n    Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),\n    DataSource = original_host,\n    EventId = instanceId,\n    [\"User Name\"] = user,\n  MessageDetails = Description,\n   Severity = SeverityDescription",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [
          "T1562.001"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Impact"
        ],
        "techniques": [
          "T1486",
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}