Ransom Protect Detected a Ransomware Attack

Back


Id	7a075edf-1cf2-4038-ba9c-c354db6409de
Rulename	Ransom Protect Detected a Ransomware Attack
Description	Monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine.
Severity	High
Tactics	Impact
Techniques	T1486
Required data connectors	CTERA
Kind	NRT
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml
Version	1.0.2
Arm template	7a075edf-1cf2-4038-ba9c-c354db6409de.json

KQL

Syslog
| where SyslogMessage contains "Ransomware incident detected"
| extend 
Portal = extract("portal:(\\w+)", 1, SyslogMessage),
EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
IP = extract("\\(IP:([0-9.]+)\\)", 1, SyslogMessage),
User = extract("user:(\\w+)", 1, SyslogMessage),
IncidentType = extract("Incident type:(\\w+)", 1, SyslogMessage),
StartTime = extract("started at \"([^\"]+)\"", 1, SyslogMessage),
EndTime = extract("ended at \"([^\"]+)\"", 1, SyslogMessage)
| project TimeGenerated, Portal, EdgeFiler, IP, User, IncidentType, StartTime, EndTime

YAML

severity: High
eventGroupingSettings:
  aggregationKind: SingleAlert
suppressionEnabled: false
name: Ransom Protect Detected a Ransomware Attack
entityMappings:
- fieldMappings:
  - columnName: EdgeFiler
    identifier: HostName
  entityType: Host
version: 1.0.2
relevantTechniques:
- T1486
status: Available
id: 7a075edf-1cf2-4038-ba9c-c354db6409de
alertDetailsOverride:
  alertnameFormat: CTERA Ransom Protect Detected a Ransomware Attack.
  alertDescriptionFormat: CTERA Ransom Protect Detected a Ransomware Attack at {{TimeGenerated}}.
suppressionDuration: PT5H
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
  createIncident: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml
query: |
  Syslog
  | where SyslogMessage contains "Ransomware incident detected"
  | extend 
  Portal = extract("portal:(\\w+)", 1, SyslogMessage),
  EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
  IP = extract("\\(IP:([0-9.]+)\\)", 1, SyslogMessage),
  User = extract("user:(\\w+)", 1, SyslogMessage),
  IncidentType = extract("Incident type:(\\w+)", 1, SyslogMessage),
  StartTime = extract("started at \"([^\"]+)\"", 1, SyslogMessage),
  EndTime = extract("ended at \"([^\"]+)\"", 1, SyslogMessage)
  | project TimeGenerated, Portal, EdgeFiler, IP, User, IncidentType, StartTime, EndTime  
customDetails:
  EdgeFiler: EdgeFiler
description: Monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine.
requiredDataConnectors:
- connectorId: CTERA
  dataTypes:
  - Syslog
tactics:
- Impact
kind: NRT

ARM