Ransom Protect Detected a Ransomware Attack
Id | 7a075edf-1cf2-4038-ba9c-c354db6409de |
Rulename | Ransom Protect Detected a Ransomware Attack |
Description | Monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine. |
Severity | High |
Tactics | Impact |
Techniques | T1486 |
Required data connectors | CTERA |
Kind | NRT |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml |
Version | 1.0.2 |
Arm template | 7a075edf-1cf2-4038-ba9c-c354db6409de.json |
// Surface CTERA Ransom Protect incidents that arrive over Syslog and pull the
// fields the analytic rule needs out of the free-text message body.
Syslog
// 'contains' is a case-insensitive substring match on the raw message.
| where SyslogMessage contains "Ransomware incident detected"
// Each field comes from one capture group; when a pattern does not match,
// extract() yields an empty string, so the row is kept with a blank column.
| extend Portal = extract("portal:(\\w+)", 1, SyslogMessage)
| extend EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage)
| extend IP = extract("\\(IP:([0-9.]+)\\)", 1, SyslogMessage)
// NOTE(review): \w+ stops at '.', '\' or '@', so a domain-qualified user name
// would be truncated here — confirm the message format before relying on User.
| extend User = extract("user:(\\w+)", 1, SyslogMessage)
| extend IncidentType = extract("Incident type:(\\w+)", 1, SyslogMessage)
// Start/end are carried as the quoted text verbatim; they are not converted
// to datetime.
| extend StartTime = extract("started at \"([^\"]+)\"", 1, SyslogMessage),
         EndTime = extract("ended at \"([^\"]+)\"", 1, SyslogMessage)
| project TimeGenerated, Portal, EdgeFiler, IP, User, IncidentType, StartTime, EndTime
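# Microsoft Sentinel NRT analytic rule from the Azure-Sentinel "CTERA" solution.
# Fires on CTERA Ransom Protect "Ransomware incident detected" Syslog messages
# and raises one High-severity alert per matching row.
status: Available
id: 7a075edf-1cf2-4038-ba9c-c354db6409de
name: Ransom Protect Detected a Ransomware Attack
description: Monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine.
severity: High
kind: NRT
version: 1.0.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml

# ATT&CK mapping: T1486 (Data Encrypted for Impact) under the Impact tactic.
tactics:
  - Impact
relevantTechniques:
  - T1486

requiredDataConnectors:
  - connectorId: CTERA
    dataTypes:
      - Syslog

# Fields are taken out of the free-text message with capture groups; a pattern
# that does not match leaves its column empty rather than dropping the row.
# The user pattern (\w+) stops at '.', '\' or '@', so a domain-qualified user
# name would be truncated — confirm the message format if User is relied on.
query: |
  Syslog
  | where SyslogMessage contains "Ransomware incident detected"
  | extend
  Portal = extract("portal:(\\w+)", 1, SyslogMessage),
  EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
  IP = extract("\\(IP:([0-9.]+)\\)", 1, SyslogMessage),
  User = extract("user:(\\w+)", 1, SyslogMessage),
  IncidentType = extract("Incident type:(\\w+)", 1, SyslogMessage),
  StartTime = extract("started at \"([^\"]+)\"", 1, SyslogMessage),
  EndTime = extract("ended at \"([^\"]+)\"", 1, SyslogMessage)
  | project TimeGenerated, Portal, EdgeFiler, IP, User, IncidentType, StartTime, EndTime

# One alert per result row; rows are not batched into a single alert.
eventGroupingSettings:
  aggregationKind: SingleAlert

# Shown on the alert next to the mapped entities.
customDetails:
  EdgeFiler: EdgeFiler

# suppressionDuration has no effect while suppressionEnabled is false.
suppressionEnabled: false
suppressionDuration: PT5H

incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    # Grouping is off, so every alert opens its own incident; the lookback and
    # matching settings below only take effect once enabled is set to true.
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities

# Quoted so the trailing '.' and the {{...}} placeholder are never re-parsed.
alertDetailsOverride:
  alertnameFormat: "CTERA Ransom Protect Detected a Ransomware Attack."
  alertDescriptionFormat: "CTERA Ransom Protect Detected a Ransomware Attack at {{TimeGenerated}}."

# The query already projects IP and User; mapping them alongside the Edge Filer
# host lets the incident carry the source address and account for triage.
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: EdgeFiler
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IP
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: User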
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7a075edf-1cf2-4038-ba9c-c354db6409de')]",
"kind": "NRT",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7a075edf-1cf2-4038-ba9c-c354db6409de')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "CTERA Ransom Protect Detected a Ransomware Attack at {{TimeGenerated}}.",
"alertnameFormat": "CTERA Ransom Protect Detected a Ransomware Attack."
},
"alertRuleTemplateName": "7a075edf-1cf2-4038-ba9c-c354db6409de",
"customDetails": {
"EdgeFiler": "EdgeFiler"
},
"description": "Monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine.",
"displayName": "Ransom Protect Detected a Ransomware Attack",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "EdgeFiler",
"identifier": "HostName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml",
"query": "Syslog\n| where SyslogMessage contains \"Ransomware incident detected\"\n| extend \nPortal = extract(\"portal:(\\\\w+)\", 1, SyslogMessage),\nEdgeFiler = extract(\"Edge Filer:(\\\\w+-\\\\d+)\", 1, SyslogMessage),\nIP = extract(\"\\\\(IP:([0-9.]+)\\\\)\", 1, SyslogMessage),\nUser = extract(\"user:(\\\\w+)\", 1, SyslogMessage),\nIncidentType = extract(\"Incident type:(\\\\w+)\", 1, SyslogMessage),\nStartTime = extract(\"started at \\\"([^\\\"]+)\\\"\", 1, SyslogMessage),\nEndTime = extract(\"ended at \\\"([^\\\"]+)\\\"\", 1, SyslogMessage)\n| project TimeGenerated, Portal, EdgeFiler, IP, User, IncidentType, StartTime, EndTime\n",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"techniques": [
"T1486"
],
"templateVersion": "1.0.2"
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}