Trend Micro CAS - Ransomware outbreak

Back


Id	38e043ce-a1fd-497b-8d4f-ce5ca2db90cd
Rulename	Trend Micro CAS - Ransomware outbreak
Description	Triggeres when ransomware was detected on several accounts.
Severity	High
Tactics	Impact
Techniques	T1486
Required data connectors	TrendMicroCAS
Kind	Scheduled
Query frequency	10m
Query period	10m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASRansomwareOutbreak.yaml
Version	1.0.1
Arm template	38e043ce-a1fd-497b-8d4f-ce5ca2db90cd.json

KQL

TrendMicroCAS
| where EventType =~ 'ransomware'
| summarize count() by DstUserName, bin(TimeGenerated, 2m)
| where count_ >= 2
| extend AccountCustomEntity = DstUserName

YAML

relevantTechniques:
- T1486
name: Trend Micro CAS - Ransomware outbreak
requiredDataConnectors:
- dataTypes:
  - TrendMicroCAS
  connectorId: TrendMicroCAS
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
triggerThreshold: 0
id: 38e043ce-a1fd-497b-8d4f-ce5ca2db90cd
tactics:
- Impact
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASRansomwareOutbreak.yaml
queryPeriod: 10m
kind: Scheduled
queryFrequency: 10m
severity: High
status: Available
description: |
    'Triggeres when ransomware was detected on several accounts.'
query: |
  TrendMicroCAS
  | where EventType =~ 'ransomware'
  | summarize count() by DstUserName, bin(TimeGenerated, 2m)
  | where count_ >= 2
  | extend AccountCustomEntity = DstUserName  
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/38e043ce-a1fd-497b-8d4f-ce5ca2db90cd')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/38e043ce-a1fd-497b-8d4f-ce5ca2db90cd')]",
      "properties": {
        "alertRuleTemplateName": "38e043ce-a1fd-497b-8d4f-ce5ca2db90cd",
        "customDetails": null,
        "description": "'Triggeres when ransomware was detected on several accounts.'\n",
        "displayName": "Trend Micro CAS - Ransomware outbreak",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASRansomwareOutbreak.yaml",
        "query": "TrendMicroCAS\n| where EventType =~ 'ransomware'\n| summarize count() by DstUserName, bin(TimeGenerated, 2m)\n| where count_ >= 2\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1486"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}