TrendMicroCAS
| where EventType =~ 'ransomware'
| extend AccountCustomEntity = DstUserName, MalwareCustomEntity = RansomwareName
entityMappings:
- fieldMappings:
- columnName: AccountCustomEntity
identifier: Name
entityType: Account
- fieldMappings:
- columnName: MalwareCustomEntity
identifier: Name
entityType: Malware
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASRansomwareOnHost.yaml
version: 1.0.1
tactics:
- Impact
queryPeriod: 5m
kind: Scheduled
id: 0bec3f9a-dbe9-4b4c-9ff6-498d64bbef90
severity: High
query: |
TrendMicroCAS
| where EventType =~ 'ransomware'
| extend AccountCustomEntity = DstUserName, MalwareCustomEntity = RansomwareName
triggerThreshold: 0
name: Trend Micro CAS - Ransomware infection
status: Available
description: |
'Triggeres when ransomware was detected.'
relevantTechniques:
- T1486
requiredDataConnectors:
- connectorId: TrendMicroCAS
dataTypes:
- TrendMicroCAS
queryFrequency: 5m
