Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. CTERA Mass Deletions Detection Analytic

CTERA Mass Deletions Detection Analytic

Back
Id5365f294-0c67-432a-bacf-b1282a3b6c46
RulenameCTERA Mass Deletions Detection Analytic
DescriptionThis analytic rule detects and alerts when large amount of deletion operations generated by the CTERA Edge Filer
SeverityHigh
TacticsImpact
TechniquesT1485
Required data connectorsCTERA
KindScheduled
Query frequency5m
Query period5m
Trigger threshold5000
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/MassDeletions.yaml
Version1.0.0
Arm template5365f294-0c67-432a-bacf-b1282a3b6c46.json
Deploy To Azure
Syslog
| where ProcessName == 'gw-audit'
| extend
    TenantName = extract("\"vportal\":\"([^\"]*)\"", 1, SyslogMessage),
    UserName = extract("user=([^|]*)", 1, SyslogMessage),
    Permission = extract("op=([^|]*)", 1, SyslogMessage),
    EdgeFiler = extract("\"client\":\"([^\"]*)\"", 1, SyslogMessage),
    RootPath = extract("rootPath=([^|]*)", 1, SyslogMessage),
    Share = extract("share=([^|]*)", 1, SyslogMessage),
    LocalPath = extract("path=([^|]*)", 1, SyslogMessage),
    Timestamp = todatetime(extract("\"@timestamp\":\"([^\"]*)\"", 1, SyslogMessage))
| where Permission == 'delete'
| summarize Count = count() by UserName, bin(Timestamp, 5m)
| where Count > 5000

incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    reopenClosedIncident: false
    enabled: false
    matchingMethod: AllEntities
id: 5365f294-0c67-432a-bacf-b1282a3b6c46
tactics:
- Impact
queryPeriod: 5m
eventGroupingSettings:
  aggregationKind: SingleAlert
triggerThreshold: 5000
name: CTERA Mass Deletions Detection Analytic
query: |
  Syslog
  | where ProcessName == 'gw-audit'
  | extend
      TenantName = extract("\"vportal\":\"([^\"]*)\"", 1, SyslogMessage),
      UserName = extract("user=([^|]*)", 1, SyslogMessage),
      Permission = extract("op=([^|]*)", 1, SyslogMessage),
      EdgeFiler = extract("\"client\":\"([^\"]*)\"", 1, SyslogMessage),
      RootPath = extract("rootPath=([^|]*)", 1, SyslogMessage),
      Share = extract("share=([^|]*)", 1, SyslogMessage),
      LocalPath = extract("path=([^|]*)", 1, SyslogMessage),
      Timestamp = todatetime(extract("\"@timestamp\":\"([^\"]*)\"", 1, SyslogMessage))
  | where Permission == 'delete'
  | summarize Count = count() by UserName, bin(Timestamp, 5m)
  | where Count > 5000  
severity: High
customDetails:
  RootPath: RootPath
  EdgeFiler: EdgeFiler
  TenantName: TenantName
  Share: Share
  UserName: UserName
triggerOperator: GreaterThan
kind: Scheduled
suppressionDuration: PT5H
relevantTechniques:
- T1485
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/MassDeletions.yaml
suppressionEnabled: false
queryFrequency: 5m
requiredDataConnectors:
- connectorId: CTERA
  dataTypes:
  - Syslog
version: 1.0.0
description: This analytic rule detects and alerts when large amount of deletion operations generated by the CTERA Edge Filer
status: Available
alertDetailsOverride:
  alertnameFormat: CTERA Batch Access Denied Detection
  alertDescriptionFormat: |
        Detected {{Count}} denied access attempts by user {{UserName}} on Edge Filer  {{EdgeFiler}} within 5 minutes. Please investigate unauthorized access attempts or misconfigurations.
entityMappings:
- fieldMappings:
  - columnName: UserName
    identifier: Name
  entityType: Account
- fieldMappings:
  - columnName: EdgeFiler
    identifier: Name
  entityType: File

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5365f294-0c67-432a-bacf-b1282a3b6c46')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5365f294-0c67-432a-bacf-b1282a3b6c46')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Detected {{Count}} denied access attempts by user {{UserName}} on Edge Filer  {{EdgeFiler}} within 5 minutes. Please investigate unauthorized access attempts or misconfigurations.\n",
          "alertnameFormat": "CTERA Batch Access Denied Detection"
        },
        "alertRuleTemplateName": "5365f294-0c67-432a-bacf-b1282a3b6c46",
        "customDetails": {
          "EdgeFiler": "EdgeFiler",
          "RootPath": "RootPath",
          "Share": "Share",
          "TenantName": "TenantName",
          "UserName": "UserName"
        },
        "description": "This analytic rule detects and alerts when large amount of deletion operations generated by the CTERA Edge Filer",
        "displayName": "CTERA Mass Deletions Detection Analytic",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserName",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "EdgeFiler",
                "identifier": "Name"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/MassDeletions.yaml",
        "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend\n    TenantName = extract(\"\\\"vportal\\\":\\\"([^\\\"]*)\\\"\", 1, SyslogMessage),\n    UserName = extract(\"user=([^|]*)\", 1, SyslogMessage),\n    Permission = extract(\"op=([^|]*)\", 1, SyslogMessage),\n    EdgeFiler = extract(\"\\\"client\\\":\\\"([^\\\"]*)\\\"\", 1, SyslogMessage),\n    RootPath = extract(\"rootPath=([^|]*)\", 1, SyslogMessage),\n    Share = extract(\"share=([^|]*)\", 1, SyslogMessage),\n    LocalPath = extract(\"path=([^|]*)\", 1, SyslogMessage),\n    Timestamp = todatetime(extract(\"\\\"@timestamp\\\":\\\"([^\\\"]*)\\\"\", 1, SyslogMessage))\n| where Permission == 'delete'\n| summarize Count = count() by UserName, bin(Timestamp, 5m)\n| where Count > 5000\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1485"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 5000
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}