Ransom Protect Detected a Ransomware Attack
Id | 7a075edf-1cf2-4038-ba9c-c354db6409de |
Rulename | Ransom Protect Detected a Ransomware Attack |
Description | This analytics rule monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine. Once detected the following information will be exposed Virtual portal, Edge Filer, IP, User, Incident Type, Start and end time |
Severity | High |
Tactics | Impact |
Techniques | T1486 |
Required data connectors | CTERA |
Kind | Scheduled |
Query frequency | 5m |
Query period | 5m |
Trigger threshold | 0 |
Trigger operator | GreaterThan |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml |
Version | 1.0.0 |
Arm template | 7a075edf-1cf2-4038-ba9c-c354db6409de.json |
Syslog
| where SyslogMessage contains "[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransomware incident detected"
| extend
Portal = extract("portal:(\\w+)", 1, SyslogMessage),
EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
IP = extract("\\(IP:([0-9.]+)\\)", 1, SyslogMessage),
User = extract("user:(\\w+)", 1, SyslogMessage),
IncidentType = extract("Incident type:(\\w+)", 1, SyslogMessage),
StartTime = extract("started at \"([^\"]+)\"", 1, SyslogMessage),
EndTime = extract("ended at \"([^\"]+)\"", 1, SyslogMessage)
| project TimeGenerated, Portal, EdgeFiler, IP, User, IncidentType, StartTime, EndTime
kind: Scheduled
customDetails:
EdgeFiler: EdgeFiler
relevantTechniques:
- T1486
description: This analytics rule monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine. Once detected the following information will be exposed Virtual portal, Edge Filer, IP, User, Incident Type, Start and end time
queryPeriod: 5m
suppressionDuration: PT5H
queryFrequency: 5m
incidentConfiguration:
createIncident: true
groupingConfiguration:
reopenClosedIncident: false
enabled: false
lookbackDuration: PT5H
matchingMethod: AllEntities
tactics:
- Impact
name: Ransom Protect Detected a Ransomware Attack
suppressionEnabled: false
requiredDataConnectors:
- connectorId: CTERA
dataTypes:
- Syslog
alertDetailsOverride:
alertnameFormat: CTERA Ransom Protect Detected a Ransomware Attack.
alertDescriptionFormat: CTERA Ransom Protect Detected a Ransomware Attack at {{TimeGenerated}}.
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: EdgeFiler
triggerThreshold: 0
version: 1.0.0
id: 7a075edf-1cf2-4038-ba9c-c354db6409de
query: |
Syslog
| where SyslogMessage contains "[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransomware incident detected"
| extend
Portal = extract("portal:(\\w+)", 1, SyslogMessage),
EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
IP = extract("\\(IP:([0-9.]+)\\)", 1, SyslogMessage),
User = extract("user:(\\w+)", 1, SyslogMessage),
IncidentType = extract("Incident type:(\\w+)", 1, SyslogMessage),
StartTime = extract("started at \"([^\"]+)\"", 1, SyslogMessage),
EndTime = extract("ended at \"([^\"]+)\"", 1, SyslogMessage)
| project TimeGenerated, Portal, EdgeFiler, IP, User, IncidentType, StartTime, EndTime
status: Available
eventGroupingSettings:
aggregationKind: SingleAlert
triggerOperator: GreaterThan
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml
severity: High
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7a075edf-1cf2-4038-ba9c-c354db6409de')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7a075edf-1cf2-4038-ba9c-c354db6409de')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "CTERA Ransom Protect Detected a Ransomware Attack at {{TimeGenerated}}.",
"alertnameFormat": "CTERA Ransom Protect Detected a Ransomware Attack."
},
"alertRuleTemplateName": "7a075edf-1cf2-4038-ba9c-c354db6409de",
"customDetails": {
"EdgeFiler": "EdgeFiler"
},
"description": "This analytics rule monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine. Once detected the following information will be exposed Virtual portal, Edge Filer, IP, User, Incident Type, Start and end time",
"displayName": "Ransom Protect Detected a Ransomware Attack",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "EdgeFiler",
"identifier": "HostName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml",
"query": "Syslog\n| where SyslogMessage contains \"[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransomware incident detected\"\n| extend \nPortal = extract(\"portal:(\\\\w+)\", 1, SyslogMessage),\nEdgeFiler = extract(\"Edge Filer:(\\\\w+-\\\\d+)\", 1, SyslogMessage),\nIP = extract(\"\\\\(IP:([0-9.]+)\\\\)\", 1, SyslogMessage),\nUser = extract(\"user:(\\\\w+)\", 1, SyslogMessage),\nIncidentType = extract(\"Incident type:(\\\\w+)\", 1, SyslogMessage),\nStartTime = extract(\"started at \\\"([^\\\"]+)\\\"\", 1, SyslogMessage),\nEndTime = extract(\"ended at \\\"([^\\\"]+)\\\"\", 1, SyslogMessage)\n| project TimeGenerated, Portal, EdgeFiler, IP, User, IncidentType, StartTime, EndTime\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"techniques": [
"T1486"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}