Ransom Protect Detected a Ransomware Attack

Syslog
| where SyslogMessage contains "[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransomware incident detected"
| extend 
Portal = extract("portal:(\\w+)", 1, SyslogMessage),
EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
IP = extract("\\(IP:([0-9.]+)\\)", 1, SyslogMessage),
User = extract("user:(\\w+)", 1, SyslogMessage),
IncidentType = extract("Incident type:(\\w+)", 1, SyslogMessage),
StartTime = extract("started at \"([^\"]+)\"", 1, SyslogMessage),
EndTime = extract("ended at \"([^\"]+)\"", 1, SyslogMessage)
| project TimeGenerated, Portal, EdgeFiler, IP, User, IncidentType, StartTime, EndTime

relevantTechniques:
- T1486
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities
name: Ransom Protect Detected a Ransomware Attack
requiredDataConnectors:
- dataTypes:
  - Syslog
  connectorId: CTERA
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: EdgeFiler
  entityType: Host
triggerThreshold: 0
id: 7a075edf-1cf2-4038-ba9c-c354db6409de
tactics:
- Impact
version: 1.0.0
customDetails:
  EdgeFiler: EdgeFiler
alertDetailsOverride:
  alertnameFormat: CTERA Ransom Protect Detected a Ransomware Attack.
  alertDescriptionFormat: CTERA Ransom Protect Detected a Ransomware Attack at {{TimeGenerated}}.
queryPeriod: 5m
kind: Scheduled
eventGroupingSettings:
  aggregationKind: SingleAlert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml
suppressionDuration: PT5H
queryFrequency: 5m
severity: High
status: Available
suppressionEnabled: false
description: This analytics rule monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine. Once detected the following information will be exposed Virtual portal, Edge Filer, IP, User, Incident Type, Start and end time
query: |
  Syslog
  | where SyslogMessage contains "[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransomware incident detected"
  | extend 
  Portal = extract("portal:(\\w+)", 1, SyslogMessage),
  EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
  IP = extract("\\(IP:([0-9.]+)\\)", 1, SyslogMessage),
  User = extract("user:(\\w+)", 1, SyslogMessage),
  IncidentType = extract("Incident type:(\\w+)", 1, SyslogMessage),
  StartTime = extract("started at \"([^\"]+)\"", 1, SyslogMessage),
  EndTime = extract("ended at \"([^\"]+)\"", 1, SyslogMessage)
  | project TimeGenerated, Portal, EdgeFiler, IP, User, IncidentType, StartTime, EndTime  
triggerOperator: GreaterThan

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7a075edf-1cf2-4038-ba9c-c354db6409de')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7a075edf-1cf2-4038-ba9c-c354db6409de')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "CTERA Ransom Protect Detected a Ransomware Attack at {{TimeGenerated}}.",
          "alertnameFormat": "CTERA Ransom Protect Detected a Ransomware Attack."
        },
        "alertRuleTemplateName": "7a075edf-1cf2-4038-ba9c-c354db6409de",
        "customDetails": {
          "EdgeFiler": "EdgeFiler"
        },
        "description": "This analytics rule monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine. Once detected the following information will be exposed Virtual portal, Edge Filer, IP, User, Incident Type, Start and end time",
        "displayName": "Ransom Protect Detected a Ransomware Attack",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "EdgeFiler",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml",
        "query": "Syslog\n| where SyslogMessage contains \"[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransomware incident detected\"\n| extend \nPortal = extract(\"portal:(\\\\w+)\", 1, SyslogMessage),\nEdgeFiler = extract(\"Edge Filer:(\\\\w+-\\\\d+)\", 1, SyslogMessage),\nIP = extract(\"\\\\(IP:([0-9.]+)\\\\)\", 1, SyslogMessage),\nUser = extract(\"user:(\\\\w+)\", 1, SyslogMessage),\nIncidentType = extract(\"Incident type:(\\\\w+)\", 1, SyslogMessage),\nStartTime = extract(\"started at \\\"([^\\\"]+)\\\"\", 1, SyslogMessage),\nEndTime = extract(\"ended at \\\"([^\\\"]+)\\\"\", 1, SyslogMessage)\n| project TimeGenerated, Portal, EdgeFiler, IP, User, IncidentType, StartTime, EndTime\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1486"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}