Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Coveware Security Finding Detected

Back
Idf2c3d7ea-8a9b-4f1c-2d3f-6a7b8c9d0e12
RulenameCoveware Security Finding Detected
DescriptionDetects when security findings from Coveware by Veeam appear. Security findings indicate potential threats, suspicious activities, or security events that need to be monitored.
SeverityMedium
TacticsDefenseEvasion
Impact
CredentialAccess
TechniquesT1078
T1562
T1485
Required data connectorsVeeamCustomTablesDataConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Coveware_Security_Finding_Detected.yaml
Version1.0.1
Arm templatef2c3d7ea-8a9b-4f1c-2d3f-6a7b8c9d0e12.json
Deploy To Azure
VeeamCovewareFindings_CL
| project
    Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
    CovewareHost = CovewareHostName,
    TargetHostname = Hostname,
    EventType = EventType,
    TechniqueId = TechniqueId,
    EventActivity = EventActivity,
    Username = Username,
    RiskLevel = RiskLevel,
    TenantId = TenantId,
    Artifact = Artifact,
    Country = Country,
    Md5Hash = Md5Hash,
    Sha1Hash = Sha1Hash,
    Sha256Hash = Sha256Hash, 
    EventTime = EventTime
tactics:
- DefenseEvasion
- Impact
- CredentialAccess
name: Coveware Security Finding Detected
id: f2c3d7ea-8a9b-4f1c-2d3f-6a7b8c9d0e12
requiredDataConnectors:
- connectorId: VeeamCustomTablesDataConnector
  dataTypes:
  - VeeamCovewareFindings_CL
query: |
  VeeamCovewareFindings_CL
  | project
      Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),
      CovewareHost = CovewareHostName,
      TargetHostname = Hostname,
      EventType = EventType,
      TechniqueId = TechniqueId,
      EventActivity = EventActivity,
      Username = Username,
      RiskLevel = RiskLevel,
      TenantId = TenantId,
      Artifact = Artifact,
      Country = Country,
      Md5Hash = Md5Hash,
      Sha1Hash = Sha1Hash,
      Sha256Hash = Sha256Hash, 
      EventTime = EventTime  
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1078
- T1562
- T1485
description: Detects when security findings from Coveware by Veeam appear. Security findings indicate potential threats, suspicious activities, or security events that need to be monitored.
triggerOperator: gt
queryPeriod: 5m
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Coveware_Security_Finding_Detected.yaml
version: 1.0.1
triggerThreshold: 0
kind: Scheduled
queryFrequency: 5m
status: Available
customDetails:
  EventType: EventType
  Artifact: Artifact
  RiskLevel: RiskLevel
  CovewareHost: CovewareHost
  Date: Date
  TenantId: TenantId
  EventActivity: EventActivity
  Username: Username
  TargetHostname: TargetHostname
  TechniqueId: TechniqueId
  EventTime: EventTime
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f2c3d7ea-8a9b-4f1c-2d3f-6a7b8c9d0e12')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f2c3d7ea-8a9b-4f1c-2d3f-6a7b8c9d0e12')]",
      "properties": {
        "alertRuleTemplateName": "f2c3d7ea-8a9b-4f1c-2d3f-6a7b8c9d0e12",
        "customDetails": {
          "Artifact": "Artifact",
          "CovewareHost": "CovewareHost",
          "Date": "Date",
          "EventActivity": "EventActivity",
          "EventTime": "EventTime",
          "EventType": "EventType",
          "RiskLevel": "RiskLevel",
          "TargetHostname": "TargetHostname",
          "TechniqueId": "TechniqueId",
          "TenantId": "TenantId",
          "Username": "Username"
        },
        "description": "Detects when security findings from Coveware by Veeam appear. Security findings indicate potential threats, suspicious activities, or security events that need to be monitored.",
        "displayName": "Coveware Security Finding Detected",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Coveware_Security_Finding_Detected.yaml",
        "query": "VeeamCovewareFindings_CL\n| project\n    Date = format_datetime(TimeGenerated, 'dd.MM.yyyy HH:mm'),\n    CovewareHost = CovewareHostName,\n    TargetHostname = Hostname,\n    EventType = EventType,\n    TechniqueId = TechniqueId,\n    EventActivity = EventActivity,\n    Username = Username,\n    RiskLevel = RiskLevel,\n    TenantId = TenantId,\n    Artifact = Artifact,\n    Country = Country,\n    Md5Hash = Md5Hash,\n    Sha1Hash = Sha1Hash,\n    Sha256Hash = Sha256Hash, \n    EventTime = EventTime\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "DefenseEvasion",
          "Impact"
        ],
        "techniques": [
          "T1078",
          "T1485",
          "T1562"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}