{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "workspace": {
            "type": "String"
        }
    },
    "resources": [
        {
            "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/680a37bf-0c89-4bd0-bb0a-7682fca6646e')]",
            "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/680a37bf-0c89-4bd0-bb0a-7682fca6646e')]",
            "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
            "kind": "Scheduled",
            "apiVersion": "2023-12-01-preview",
            "properties": {
                "displayName": "Kasten RestorePoint resources manually deleted",
                "description": "",
                "severity": "High",
                "enabled": true,
                "query": "ContainerLogV2\n| where PodName startswith \"aggregatedapis-svc\"\n| extend LogMessage_ = parse_json(LogMessage)\n| where LogMessage_.ObjectRef.Resource contains \"restorepoint\"\n| where LogMessage_.Verb == \"delete\"\n| where LogMessage_.UserAgent !startswith \"garbagecollector\"\n| extend Username_ = LogMessage_.User.username\n| where Username_ != \"system:serviceaccount:kube-system:namespace-controller\"",
                "queryFrequency": "PT5M",
                "queryPeriod": "PT5M",
                "triggerOperator": "GreaterThan",
                "triggerThreshold": 0,
                "suppressionDuration": "PT5H",
                "suppressionEnabled": false,
                "startTimeUtc": null,
                "tactics": [
                    "Impact"
                ],
                "techniques": [],
                "alertRuleTemplateName": null,
                "incidentConfiguration": {
                    "createIncident": true,
                    "groupingConfiguration": {
                        "enabled": true,
                        "reopenClosedIncident": false,
                        "lookbackDuration": "PT5H",
                        "matchingMethod": "AllEntities",
                        "groupByEntities": [],
                        "groupByAlertDetails": [],
                        "groupByCustomDetails": []
                    }
                },
                "eventGroupingSettings": {
                    "aggregationKind": "SingleAlert"
                },
                "alertDetailsOverride": {
                    "alertDisplayNameFormat": "K10 resources deleted by {{Username_}}",
                    "alertDescriptionFormat": "Kasten backup data resources unexpectedly deleted by {{Username_}} on cluster: {{_ResourceId}}\n\n# Event\n{{LogMessage_}}\n\n# Goal\n\nDetect when Kasten `ClusterRestorePointContents`, `RestorePointContents`, or `RestorePoints` resources (representing Kubernetes backups)\nare being manually deleted by a user. This could be an indication that the\nenvironment has been compromised and Kasten backups are being deleted to\nprevent system recovery following an attack.\n\n# Strategy\n\nMonitor Kubernetes Audit logs to detect when a single user or non-Kasten\nservice account deletes Kasten resources beyond the defined\nthreshold.\n\n# Triage and response\n\n1. Determine if the user should be retiring backup data on the cluster.\n2. If the action is legitimate, close the alert with the appropriate status.\n3. Otherwise, use Sentinel to see if the user has taken other actions.\n4. If the results of the triage indicate that an attacker has taken the\naction, begin your company's incident response process and investigation.\n5. If restoring applications from deleted RestorePointContents (RPCs) is\nrequired on this cluster, see [Recovering K10 From a Disaster](https://docs.kasten.io/latest/operating/dr#recovering-k10-from-a-disaster) for more\ninformation.",
                    "alertDynamicProperties": []
                },
                "customDetails": {},
                "entityMappings": [
                    {
                        "entityType": "AzureResource",
                        "fieldMappings": [
                            {
                                "identifier": "ResourceId",
                                "columnName": "_ResourceId"
                            }
                        ]
                    }
                ],
                "sentinelEntitiesMappings": null,
                "templateVersion": null,
                "subTechniques": []
            }
        }
    ]
}