
Coveware Security Finding Detected

Id: f2c3d7ea-8a9b-4f1c-2d3f-6a7b8c9d0e12
Rulename: Coveware Security Finding Detected
Description: Detects when security findings from Coveware by Veeam appear. Security findings indicate potential threats, suspicious activities, or security events that need to be monitored.
Severity: Medium
Tactics: DefenseEvasion, Impact, CredentialAccess
Techniques: T1078, T1562, T1485
Required data connectors: VeeamCustomTablesDataConnector
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Coveware_Security_Finding_Detected.yaml
Version: 1.0.0
Arm template: f2c3d7ea-8a9b-4f1c-2d3f-6a7b8c9d0e12.json
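// Coveware findings ingested through the Veeam custom-tables connector.
// RiskLevel is carried through but never used as a filter: every row in the
// query window is a result, and the rule groups AlertPerResult, so each row
// becomes its own alert. Tighten here if the feed turns out to be noisy.
VeeamCovewareFindings_CL
| project
    CovewareHost = CovewareHostName,
    TargetHostname = Hostname,
    // Date and EventTime are read by the rule's customDetails; project drops
    // every column it is not told to keep, so without these two lines those
    // details come out empty.
    // NOTE(review): assumes the table exposes Date and EventTime columns — confirm against the table schema.
    Date,
    EventTime,
    // Columns kept under their source names (a rename to the same name is a no-op).
    EventType,
    TechniqueId,
    EventActivity,
    Username,
    RiskLevel,
    TenantId,
    Artifact,
    Country,
    Md5Hash,
    Sha1Hash,
    Sha256Hash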
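# Scheduled analytic rule: raises an alert for each Coveware finding row that
# arrives through the Veeam custom-tables connector.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Coveware_Security_Finding_Detected.yaml
id: f2c3d7ea-8a9b-4f1c-2d3f-6a7b8c9d0e12
name: Coveware Security Finding Detected
description: Detects when security findings from Coveware by Veeam appear. Security findings indicate potential threats, suspicious activities, or security events that need to be monitored.
severity: Medium
status: Available
kind: Scheduled
version: 1.0.0
requiredDataConnectors:
- connectorId: VeeamCustomTablesDataConnector
  dataTypes:
  - VeeamCovewareFindings_CL
# Frequency equals period, so consecutive runs neither overlap nor leave gaps.
# Threshold 0 with operator gt fires on any result, and AlertPerResult keeps
# results from being folded into a single alert: one finding row = one alert.
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: AlertPerResult
tactics:
- DefenseEvasion
- Impact
- CredentialAccess
relevantTechniques:
- T1078
- T1562
- T1485
query: |
  // RiskLevel is carried through but never used as a filter: every row in the
  // query window becomes an alert. Tighten here if the feed turns out to be noisy.
  VeeamCovewareFindings_CL
  | project
      CovewareHost = CovewareHostName,
      TargetHostname = Hostname,
      // Date and EventTime are read by customDetails below; project drops every
      // column it is not told to keep, so without these two lines those details
      // come out empty.
      // NOTE(review): assumes the table exposes Date and EventTime columns — confirm against the table schema.
      Date,
      EventTime,
      EventType,
      TechniqueId,
      EventActivity,
      Username,
      RiskLevel,
      TenantId,
      Artifact,
      Country,
      Md5Hash,
      Sha1Hash,
      Sha256Hash
  // Literal algorithm label required by the FileHash entity mapping.
  | extend Sha256Algorithm = "SHA256"
# Expose the affected host, the account and the file hash as entities so the
# alert carries them into the investigation graph and incident entity list
# rather than only into customDetails.
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: TargetHostname
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: Username
- entityType: FileHash
  fieldMappings:
  - identifier: Algorithm
    columnName: Sha256Algorithm
  - identifier: Value
    columnName: Sha256Hash
# Every key here must name a column the query outputs.
customDetails:
  TenantId: TenantId
  Date: Date
  EventTime: EventTime
  TargetHostname: TargetHostname
  EventType: EventType
  CovewareHost: CovewareHost
  Artifact: Artifact
  TechniqueId: TechniqueId
  Username: Username
  RiskLevel: RiskLevel
  EventActivity: EventActivity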
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f2c3d7ea-8a9b-4f1c-2d3f-6a7b8c9d0e12')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f2c3d7ea-8a9b-4f1c-2d3f-6a7b8c9d0e12')]",
      "properties": {
        "alertRuleTemplateName": "f2c3d7ea-8a9b-4f1c-2d3f-6a7b8c9d0e12",
        "customDetails": {
          "Artifact": "Artifact",
          "CovewareHost": "CovewareHost",
          "Date": "Date",
          "EventActivity": "EventActivity",
          "EventTime": "EventTime",
          "EventType": "EventType",
          "RiskLevel": "RiskLevel",
          "TargetHostname": "TargetHostname",
          "TechniqueId": "TechniqueId",
          "TenantId": "TenantId",
          "Username": "Username"
        },
        "description": "Detects when security findings from Coveware by Veeam appear. Security findings indicate potential threats, suspicious activities, or security events that need to be monitored.",
        "displayName": "Coveware Security Finding Detected",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Coveware_Security_Finding_Detected.yaml",
        "query": "VeeamCovewareFindings_CL\n| project\n    CovewareHost = CovewareHostName,\n    TargetHostname = Hostname,\n    EventType = EventType,\n    TechniqueId = TechniqueId,\n    EventActivity = EventActivity,\n    Username = Username,\n    RiskLevel = RiskLevel,\n    TenantId = TenantId,\n    Artifact = Artifact,\n    Country = Country,\n    Md5Hash = Md5Hash,\n    Sha1Hash = Sha1Hash,\n    Sha256Hash = Sha256Hash\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "DefenseEvasion",
          "Impact"
        ],
        "techniques": [
          "T1078",
          "T1485",
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}