Ransom Protect Detected a Ransomware Attack

Back


Id	7a075edf-1cf2-4038-ba9c-c354db6409de
Rulename	Ransom Protect Detected a Ransomware Attack
Description	Monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine.
Severity	High
Tactics	Impact
Techniques	T1486
Required data connectors	CTERA
Kind	NRT
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml
Version	1.0.2
Arm template	7a075edf-1cf2-4038-ba9c-c354db6409de.json

KQL

Syslog
| where SyslogMessage contains "Ransomware incident detected"
| extend 
Portal = extract("portal:(\\w+)", 1, SyslogMessage),
EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
IP = extract("\\(IP:([0-9.]+)\\)", 1, SyslogMessage),
User = extract("user:(\\w+)", 1, SyslogMessage),
IncidentType = extract("Incident type:(\\w+)", 1, SyslogMessage),
StartTime = extract("started at \"([^\"]+)\"", 1, SyslogMessage),
EndTime = extract("ended at \"([^\"]+)\"", 1, SyslogMessage)
| project TimeGenerated, Portal, EdgeFiler, IP, User, IncidentType, StartTime, EndTime

YAML

suppressionEnabled: false
alertDetailsOverride:
  alertnameFormat: CTERA Ransom Protect Detected a Ransomware Attack.
  alertDescriptionFormat: CTERA Ransom Protect Detected a Ransomware Attack at {{TimeGenerated}}.
requiredDataConnectors:
- connectorId: CTERA
  dataTypes:
  - Syslog
query: |
  Syslog
  | where SyslogMessage contains "Ransomware incident detected"
  | extend 
  Portal = extract("portal:(\\w+)", 1, SyslogMessage),
  EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
  IP = extract("\\(IP:([0-9.]+)\\)", 1, SyslogMessage),
  User = extract("user:(\\w+)", 1, SyslogMessage),
  IncidentType = extract("Incident type:(\\w+)", 1, SyslogMessage),
  StartTime = extract("started at \"([^\"]+)\"", 1, SyslogMessage),
  EndTime = extract("ended at \"([^\"]+)\"", 1, SyslogMessage)
  | project TimeGenerated, Portal, EdgeFiler, IP, User, IncidentType, StartTime, EndTime  
eventGroupingSettings:
  aggregationKind: SingleAlert
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: EdgeFiler
  entityType: Host
version: 1.0.2
status: Available
name: Ransom Protect Detected a Ransomware Attack
kind: NRT
suppressionDuration: PT5H
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    enabled: false
    matchingMethod: AllEntities
    reopenClosedIncident: false
id: 7a075edf-1cf2-4038-ba9c-c354db6409de
customDetails:
  EdgeFiler: EdgeFiler
tactics:
- Impact
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml
relevantTechniques:
- T1486
description: Monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine.

ARM