Coveware Security Finding Detected
Id | f2c3d7ea-8a9b-4f1c-2d3f-6a7b8c9d0e12 |
Rulename | Coveware Security Finding Detected |
Description | Detects when security findings from Coveware by Veeam appear. Security findings indicate potential threats, suspicious activities, or security events that need to be monitored. |
Severity | Medium |
Tactics | DefenseEvasion Impact CredentialAccess |
Techniques | T1078 T1562 T1485 |
Required data connectors | VeeamCustomTablesDataConnector |
Kind | Scheduled |
Query frequency | 5m |
Query period | 5m |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Coveware_Security_Finding_Detected.yaml |
Version | 1.0.0 |
Arm template | f2c3d7ea-8a9b-4f1c-2d3f-6a7b8c9d0e12.json |
VeeamCovewareFindings_CL
| project
CovewareHost = CovewareHostName,
TargetHostname = Hostname,
EventType = EventType,
TechniqueId = TechniqueId,
EventActivity = EventActivity,
Username = Username,
RiskLevel = RiskLevel,
TenantId = TenantId,
Artifact = Artifact,
Country = Country,
Md5Hash = Md5Hash,
Sha1Hash = Sha1Hash,
Sha256Hash = Sha256Hash
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Coveware_Security_Finding_Detected.yaml
triggerThreshold: 0
severity: Medium
queryFrequency: 5m
eventGroupingSettings:
aggregationKind: AlertPerResult
customDetails:
TenantId: TenantId
Date: Date
EventTime: EventTime
TargetHostname: TargetHostname
EventType: EventType
CovewareHost: CovewareHost
Artifact: Artifact
TechniqueId: TechniqueId
Username: Username
RiskLevel: RiskLevel
EventActivity: EventActivity
relevantTechniques:
- T1078
- T1562
- T1485
triggerOperator: gt
id: f2c3d7ea-8a9b-4f1c-2d3f-6a7b8c9d0e12
requiredDataConnectors:
- connectorId: VeeamCustomTablesDataConnector
dataTypes:
- VeeamCovewareFindings_CL
version: 1.0.0
name: Coveware Security Finding Detected
tactics:
- DefenseEvasion
- Impact
- CredentialAccess
description: Detects when security findings from Coveware by Veeam appear. Security findings indicate potential threats, suspicious activities, or security events that need to be monitored.
query: |
VeeamCovewareFindings_CL
| project
CovewareHost = CovewareHostName,
TargetHostname = Hostname,
EventType = EventType,
TechniqueId = TechniqueId,
EventActivity = EventActivity,
Username = Username,
RiskLevel = RiskLevel,
TenantId = TenantId,
Artifact = Artifact,
Country = Country,
Md5Hash = Md5Hash,
Sha1Hash = Sha1Hash,
Sha256Hash = Sha256Hash
status: Available
queryPeriod: 5m
kind: Scheduled
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f2c3d7ea-8a9b-4f1c-2d3f-6a7b8c9d0e12')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f2c3d7ea-8a9b-4f1c-2d3f-6a7b8c9d0e12')]",
"properties": {
"alertRuleTemplateName": "f2c3d7ea-8a9b-4f1c-2d3f-6a7b8c9d0e12",
"customDetails": {
"Artifact": "Artifact",
"CovewareHost": "CovewareHost",
"Date": "Date",
"EventActivity": "EventActivity",
"EventTime": "EventTime",
"EventType": "EventType",
"RiskLevel": "RiskLevel",
"TargetHostname": "TargetHostname",
"TechniqueId": "TechniqueId",
"TenantId": "TenantId",
"Username": "Username"
},
"description": "Detects when security findings from Coveware by Veeam appear. Security findings indicate potential threats, suspicious activities, or security events that need to be monitored.",
"displayName": "Coveware Security Finding Detected",
"enabled": true,
"entityMappings": null,
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Veeam/Analytic Rules/Coveware_Security_Finding_Detected.yaml",
"query": "VeeamCovewareFindings_CL\n| project\n CovewareHost = CovewareHostName,\n TargetHostname = Hostname,\n EventType = EventType,\n TechniqueId = TechniqueId,\n EventActivity = EventActivity,\n Username = Username,\n RiskLevel = RiskLevel,\n TenantId = TenantId,\n Artifact = Artifact,\n Country = Country,\n Md5Hash = Md5Hash,\n Sha1Hash = Sha1Hash,\n Sha256Hash = Sha256Hash\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess",
"DefenseEvasion",
"Impact"
],
"techniques": [
"T1078",
"T1485",
"T1562"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}