Syslog
| project TimeGenerated, Computer, SyslogMessage
| where SyslogMessage has "The Filer has detected a new ransomware attack"
| extend pattern = substring(SyslogMessage, indexof(SyslogMessage, "(")+1, indexof(SyslogMessage, ")") - indexof(SyslogMessage,"(")-1)
| extend volume_name = substring(SyslogMessage, indexof(SyslogMessage, "volume")+7, indexof(SyslogMessage,". Visit") - (indexof(SyslogMessage, "volume")+7))
| sort by TimeGenerated desc
queryFrequency: 5m
requiredDataConnectors:
- connectorId: SyslogAma
datatypes:
- Syslog
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Nasuni/Analytic Rules/RansomwareAttackDetected.yaml
suppressionDuration: 5h
name: Ransomware Attack Detected
description: Identifies ransomware attacks detected by the Ransomware Protection service running on a Nasuni Edge Appliance.
severity: High
status: Available
suppressionEnabled: false
kind: Scheduled
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: PT5H
matchingMethod: AllEntities
reopenClosedIncident: false
enabled: false
triggerThreshold: 0
version: 1.0.3
eventGroupingSettings:
aggregationKind: AlertPerResult
customDetails:
VolumeName: volume_name
alertDetailsOverride:
alertDescriptionFormat: Ransomware attack detected by Nasuni at {{TimeGenerated}}.
alertDynamicProperties:
- value: SyslogMessage
alertProperty: RemediationSteps
alertnameFormat: 'Nasuni: Ransomware Attack Detected'
relevantTechniques:
- T1486
id: 6c8770fb-c854-403e-a64d-0293ba344d5f
triggerOperator: gt
queryPeriod: 5m
tactics:
- Impact
query: |-
Syslog
| project TimeGenerated, Computer, SyslogMessage
| where SyslogMessage has "The Filer has detected a new ransomware attack"
| extend pattern = substring(SyslogMessage, indexof(SyslogMessage, "(")+1, indexof(SyslogMessage, ")") - indexof(SyslogMessage,"(")-1)
| extend volume_name = substring(SyslogMessage, indexof(SyslogMessage, "volume")+7, indexof(SyslogMessage,". Visit") - (indexof(SyslogMessage, "volume")+7))
| sort by TimeGenerated desc
entityMappings:
- fieldMappings:
- identifier: Name
columnName: pattern
entityType: Malware
