Trend Micro CAS - Ransomware outbreak

Back


Id	38e043ce-a1fd-497b-8d4f-ce5ca2db90cd
Rulename	Trend Micro CAS - Ransomware outbreak
Description	Triggeres when ransomware was detected on several accounts.
Severity	High
Tactics	Impact
Techniques	T1486
Required data connectors	TrendMicroCAS
Kind	Scheduled
Query frequency	10m
Query period	10m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASRansomwareOutbreak.yaml
Version	1.0.1
Arm template	38e043ce-a1fd-497b-8d4f-ce5ca2db90cd.json

KQL

TrendMicroCAS
| where EventType =~ 'ransomware'
| summarize count() by DstUserName, bin(TimeGenerated, 2m)
| where count_ >= 2
| extend AccountCustomEntity = DstUserName

YAML

name: Trend Micro CAS - Ransomware outbreak
query: |
  TrendMicroCAS
  | where EventType =~ 'ransomware'
  | summarize count() by DstUserName, bin(TimeGenerated, 2m)
  | where count_ >= 2
  | extend AccountCustomEntity = DstUserName  
description: |
    'Triggeres when ransomware was detected on several accounts.'
tactics:
- Impact
requiredDataConnectors:
- dataTypes:
  - TrendMicroCAS
  connectorId: TrendMicroCAS
queryPeriod: 10m
queryFrequency: 10m
status: Available
triggerThreshold: 0
id: 38e043ce-a1fd-497b-8d4f-ce5ca2db90cd
triggerOperator: gt
version: 1.0.1
relevantTechniques:
- T1486
severity: High
kind: Scheduled
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASRansomwareOutbreak.yaml

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/38e043ce-a1fd-497b-8d4f-ce5ca2db90cd')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/38e043ce-a1fd-497b-8d4f-ce5ca2db90cd')]",
      "properties": {
        "alertRuleTemplateName": "38e043ce-a1fd-497b-8d4f-ce5ca2db90cd",
        "customDetails": null,
        "description": "'Triggeres when ransomware was detected on several accounts.'\n",
        "displayName": "Trend Micro CAS - Ransomware outbreak",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Trend Micro Cloud App Security/Analytic Rules/TrendMicroCASRansomwareOutbreak.yaml",
        "query": "TrendMicroCAS\n| where EventType =~ 'ransomware'\n| summarize count() by DstUserName, bin(TimeGenerated, 2m)\n| where count_ >= 2\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1486"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}