Cisco SE - Ransomware Activity

Back


Id	c9629114-0f49-4b50-9f1b-345287b2eebf
Rulename	Cisco SE - Ransomware Activity
Description	This rule is triggered when possible ransomware activity is detected on host.
Severity	High
Tactics	Impact
Techniques	T1486
Required data connectors	CiscoSecureEndpoint
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSERansomwareActivityOnHost copy.yaml
Version	1.0.0
Arm template	c9629114-0f49-4b50-9f1b-345287b2eebf.json

KQL

CiscoSecureEndpoint
| where EventMessage has 'Suspected ransomware'
| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName

YAML

relevantTechniques:
- T1486
queryPeriod: 15m
tactics:
- Impact
requiredDataConnectors:
- dataTypes:
  - CiscoSecureEndpoint
  connectorId: CiscoSecureEndpoint
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: HostCustomEntity
  entityType: Host
- fieldMappings:
  - identifier: Name
    columnName: MalwareCustomEntity
  entityType: Malware
name: Cisco SE - Ransomware Activity
status: Available
query: |
  CiscoSecureEndpoint
  | where EventMessage has 'Suspected ransomware'
  | extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName  
queryFrequency: 15m
id: c9629114-0f49-4b50-9f1b-345287b2eebf
severity: High
description: |
    'This rule is triggered when possible ransomware activity is detected on host.'
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSERansomwareActivityOnHost copy.yaml
kind: Scheduled
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c9629114-0f49-4b50-9f1b-345287b2eebf')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c9629114-0f49-4b50-9f1b-345287b2eebf')]",
      "properties": {
        "alertRuleTemplateName": "c9629114-0f49-4b50-9f1b-345287b2eebf",
        "customDetails": null,
        "description": "'This rule is triggered when possible ransomware activity is detected on host.'\n",
        "displayName": "Cisco SE - Ransomware Activity",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "Malware",
            "fieldMappings": [
              {
                "columnName": "MalwareCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSERansomwareActivityOnHost copy.yaml",
        "query": "CiscoSecureEndpoint\n| where EventMessage has 'Suspected ransomware'\n| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1486"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}