Trend Micro CAS - Ransomware outbreak

Back


Id	38e043ce-a1fd-497b-8d4f-ce5ca2db90cd
Rulename	Trend Micro CAS - Ransomware outbreak
Description	Triggeres when ransomware was detected on several accounts.
Severity	High
Tactics	Impact
Techniques	T1486
Required data connectors	TrendMicroCAS
Kind	Scheduled
Query frequency	10m
Query period	10m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASRansomwareOutbreak.yaml
Version	1.0.1
Arm template	38e043ce-a1fd-497b-8d4f-ce5ca2db90cd.json

KQL

TrendMicroCAS
| where EventType =~ 'ransomware'
| summarize count() by DstUserName, bin(TimeGenerated, 2m)
| where count_ >= 2
| extend AccountCustomEntity = DstUserName

YAML

description: |
    'Triggeres when ransomware was detected on several accounts.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASRansomwareOutbreak.yaml
requiredDataConnectors:
- dataTypes:
  - TrendMicroCAS
  connectorId: TrendMicroCAS
query: |
  TrendMicroCAS
  | where EventType =~ 'ransomware'
  | summarize count() by DstUserName, bin(TimeGenerated, 2m)
  | where count_ >= 2
  | extend AccountCustomEntity = DstUserName  
triggerThreshold: 0
name: Trend Micro CAS - Ransomware outbreak
relevantTechniques:
- T1486
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
tactics:
- Impact
queryPeriod: 10m
severity: High
status: Available
queryFrequency: 10m
id: 38e043ce-a1fd-497b-8d4f-ce5ca2db90cd
kind: Scheduled
version: 1.0.1
triggerOperator: gt

ARM