Ransom Protect Detected a Ransomware Attack

Back


Id	7a075edf-1cf2-4038-ba9c-c354db6409de
Rulename	Ransom Protect Detected a Ransomware Attack
Description	Monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine.
Severity	High
Tactics	Impact
Techniques	T1486
Required data connectors	CTERA
Kind	NRT
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml
Version	1.0.2
Arm template	7a075edf-1cf2-4038-ba9c-c354db6409de.json

KQL

Syslog
| where SyslogMessage contains "Ransomware incident detected"
| extend 
Portal = extract("portal:(\\w+)", 1, SyslogMessage),
EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
IP = extract("\\(IP:([0-9.]+)\\)", 1, SyslogMessage),
User = extract("user:(\\w+)", 1, SyslogMessage),
IncidentType = extract("Incident type:(\\w+)", 1, SyslogMessage),
StartTime = extract("started at \"([^\"]+)\"", 1, SyslogMessage),
EndTime = extract("ended at \"([^\"]+)\"", 1, SyslogMessage)
| project TimeGenerated, Portal, EdgeFiler, IP, User, IncidentType, StartTime, EndTime

YAML

suppressionEnabled: false
description: Monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine.
kind: NRT
tactics:
- Impact
requiredDataConnectors:
- connectorId: CTERA
  dataTypes:
  - Syslog
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml
severity: High
name: Ransom Protect Detected a Ransomware Attack
suppressionDuration: PT5H
customDetails:
  EdgeFiler: EdgeFiler
alertDetailsOverride:
  alertnameFormat: CTERA Ransom Protect Detected a Ransomware Attack.
  alertDescriptionFormat: CTERA Ransom Protect Detected a Ransomware Attack at {{TimeGenerated}}.
query: |
  Syslog
  | where SyslogMessage contains "Ransomware incident detected"
  | extend 
  Portal = extract("portal:(\\w+)", 1, SyslogMessage),
  EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
  IP = extract("\\(IP:([0-9.]+)\\)", 1, SyslogMessage),
  User = extract("user:(\\w+)", 1, SyslogMessage),
  IncidentType = extract("Incident type:(\\w+)", 1, SyslogMessage),
  StartTime = extract("started at \"([^\"]+)\"", 1, SyslogMessage),
  EndTime = extract("ended at \"([^\"]+)\"", 1, SyslogMessage)
  | project TimeGenerated, Portal, EdgeFiler, IP, User, IncidentType, StartTime, EndTime  
relevantTechniques:
- T1486
id: 7a075edf-1cf2-4038-ba9c-c354db6409de
status: Available
version: 1.0.2
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: PT5H
    enabled: false
    matchingMethod: AllEntities
  createIncident: true
eventGroupingSettings:
  aggregationKind: SingleAlert
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: EdgeFiler
    identifier: HostName

ARM