Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Ransom Protect Detected a Ransomware Attack

Back
Id7a075edf-1cf2-4038-ba9c-c354db6409de
RulenameRansom Protect Detected a Ransomware Attack
DescriptionThis analytics rule monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine. Once detected the following information will be exposed Virtual portal, Edge Filer, IP, User, Incident Type, Start and end time
SeverityHigh
TacticsImpact
TechniquesT1486
Required data connectorsCTERA
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml
Version1.0.0
Arm template7a075edf-1cf2-4038-ba9c-c354db6409de.json
Deploy To Azure
Syslog
| where SyslogMessage contains "[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransomware incident detected"
| extend 
Portal = extract("portal:(\\w+)", 1, SyslogMessage),
EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
IP = extract("\\(IP:([0-9.]+)\\)", 1, SyslogMessage),
User = extract("user:(\\w+)", 1, SyslogMessage),
IncidentType = extract("Incident type:(\\w+)", 1, SyslogMessage),
StartTime = extract("started at \"([^\"]+)\"", 1, SyslogMessage),
EndTime = extract("ended at \"([^\"]+)\"", 1, SyslogMessage)
| project TimeGenerated, Portal, EdgeFiler, IP, User, IncidentType, StartTime, EndTime
kind: Scheduled
customDetails:
  EdgeFiler: EdgeFiler
relevantTechniques:
- T1486
description: This analytics rule monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine. Once detected the following information will be exposed Virtual portal, Edge Filer, IP, User, Incident Type, Start and end time
queryPeriod: 5m
suppressionDuration: PT5H
queryFrequency: 5m
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
tactics:
- Impact
name: Ransom Protect Detected a Ransomware Attack
suppressionEnabled: false
requiredDataConnectors:
- connectorId: CTERA
  dataTypes:
  - Syslog
alertDetailsOverride:
  alertnameFormat: CTERA Ransom Protect Detected a Ransomware Attack.
  alertDescriptionFormat: CTERA Ransom Protect Detected a Ransomware Attack at {{TimeGenerated}}.
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: EdgeFiler
triggerThreshold: 0
version: 1.0.0
id: 7a075edf-1cf2-4038-ba9c-c354db6409de
query: |
  Syslog
  | where SyslogMessage contains "[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransomware incident detected"
  | extend 
  Portal = extract("portal:(\\w+)", 1, SyslogMessage),
  EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
  IP = extract("\\(IP:([0-9.]+)\\)", 1, SyslogMessage),
  User = extract("user:(\\w+)", 1, SyslogMessage),
  IncidentType = extract("Incident type:(\\w+)", 1, SyslogMessage),
  StartTime = extract("started at \"([^\"]+)\"", 1, SyslogMessage),
  EndTime = extract("ended at \"([^\"]+)\"", 1, SyslogMessage)
  | project TimeGenerated, Portal, EdgeFiler, IP, User, IncidentType, StartTime, EndTime  
status: Available
eventGroupingSettings:
  aggregationKind: SingleAlert
triggerOperator: GreaterThan
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml
severity: High
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7a075edf-1cf2-4038-ba9c-c354db6409de')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7a075edf-1cf2-4038-ba9c-c354db6409de')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "CTERA Ransom Protect Detected a Ransomware Attack at {{TimeGenerated}}.",
          "alertnameFormat": "CTERA Ransom Protect Detected a Ransomware Attack."
        },
        "alertRuleTemplateName": "7a075edf-1cf2-4038-ba9c-c354db6409de",
        "customDetails": {
          "EdgeFiler": "EdgeFiler"
        },
        "description": "This analytics rule monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine. Once detected the following information will be exposed Virtual portal, Edge Filer, IP, User, Incident Type, Start and end time",
        "displayName": "Ransom Protect Detected a Ransomware Attack",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "EdgeFiler",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml",
        "query": "Syslog\n| where SyslogMessage contains \"[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransomware incident detected\"\n| extend \nPortal = extract(\"portal:(\\\\w+)\", 1, SyslogMessage),\nEdgeFiler = extract(\"Edge Filer:(\\\\w+-\\\\d+)\", 1, SyslogMessage),\nIP = extract(\"\\\\(IP:([0-9.]+)\\\\)\", 1, SyslogMessage),\nUser = extract(\"user:(\\\\w+)\", 1, SyslogMessage),\nIncidentType = extract(\"Incident type:(\\\\w+)\", 1, SyslogMessage),\nStartTime = extract(\"started at \\\"([^\\\"]+)\\\"\", 1, SyslogMessage),\nEndTime = extract(\"ended at \\\"([^\\\"]+)\\\"\", 1, SyslogMessage)\n| project TimeGenerated, Portal, EdgeFiler, IP, User, IncidentType, StartTime, EndTime\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1486"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}