Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Ransom Protect Detected a Ransomware Attack

Back
Id7a075edf-1cf2-4038-ba9c-c354db6409de
RulenameRansom Protect Detected a Ransomware Attack
DescriptionThis analytics rule monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine. Once detected the following information will be exposed Virtual portal, Edge Filer, IP, User, Incident Type, Start and end time
SeverityHigh
TacticsImpact
TechniquesT1486
Required data connectorsCTERA
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml
Version1.0.0
Arm template7a075edf-1cf2-4038-ba9c-c354db6409de.json
Deploy To Azure
Syslog
| where SyslogMessage contains "[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransomware incident detected"
| extend 
Portal = extract("portal:(\\w+)", 1, SyslogMessage),
EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
IP = extract("\\(IP:([0-9.]+)\\)", 1, SyslogMessage),
User = extract("user:(\\w+)", 1, SyslogMessage),
IncidentType = extract("Incident type:(\\w+)", 1, SyslogMessage),
StartTime = extract("started at \"([^\"]+)\"", 1, SyslogMessage),
EndTime = extract("ended at \"([^\"]+)\"", 1, SyslogMessage)
| project TimeGenerated, Portal, EdgeFiler, IP, User, IncidentType, StartTime, EndTime
queryFrequency: 5m
description: This analytics rule monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine. Once detected the following information will be exposed Virtual portal, Edge Filer, IP, User, Incident Type, Start and end time
eventGroupingSettings:
  aggregationKind: SingleAlert
name: Ransom Protect Detected a Ransomware Attack
suppressionDuration: PT5H
relevantTechniques:
- T1486
triggerThreshold: 0
status: Available
id: 7a075edf-1cf2-4038-ba9c-c354db6409de
requiredDataConnectors:
- dataTypes:
  - Syslog
  connectorId: CTERA
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: EdgeFiler
queryPeriod: 5m
query: |
  Syslog
  | where SyslogMessage contains "[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransomware incident detected"
  | extend 
  Portal = extract("portal:(\\w+)", 1, SyslogMessage),
  EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
  IP = extract("\\(IP:([0-9.]+)\\)", 1, SyslogMessage),
  User = extract("user:(\\w+)", 1, SyslogMessage),
  IncidentType = extract("Incident type:(\\w+)", 1, SyslogMessage),
  StartTime = extract("started at \"([^\"]+)\"", 1, SyslogMessage),
  EndTime = extract("ended at \"([^\"]+)\"", 1, SyslogMessage)
  | project TimeGenerated, Portal, EdgeFiler, IP, User, IncidentType, StartTime, EndTime  
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml
severity: High
customDetails:
  EdgeFiler: EdgeFiler
version: 1.0.0
alertDetailsOverride:
  alertDescriptionFormat: CTERA Ransom Protect Detected a Ransomware Attack at {{TimeGenerated}}.
  alertnameFormat: CTERA Ransom Protect Detected a Ransomware Attack.
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: false
triggerOperator: GreaterThan
tactics:
- Impact
suppressionEnabled: false
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7a075edf-1cf2-4038-ba9c-c354db6409de')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7a075edf-1cf2-4038-ba9c-c354db6409de')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "CTERA Ransom Protect Detected a Ransomware Attack at {{TimeGenerated}}.",
          "alertnameFormat": "CTERA Ransom Protect Detected a Ransomware Attack."
        },
        "alertRuleTemplateName": "7a075edf-1cf2-4038-ba9c-c354db6409de",
        "customDetails": {
          "EdgeFiler": "EdgeFiler"
        },
        "description": "This analytics rule monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine. Once detected the following information will be exposed Virtual portal, Edge Filer, IP, User, Incident Type, Start and end time",
        "displayName": "Ransom Protect Detected a Ransomware Attack",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "EdgeFiler",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml",
        "query": "Syslog\n| where SyslogMessage contains \"[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransomware incident detected\"\n| extend \nPortal = extract(\"portal:(\\\\w+)\", 1, SyslogMessage),\nEdgeFiler = extract(\"Edge Filer:(\\\\w+-\\\\d+)\", 1, SyslogMessage),\nIP = extract(\"\\\\(IP:([0-9.]+)\\\\)\", 1, SyslogMessage),\nUser = extract(\"user:(\\\\w+)\", 1, SyslogMessage),\nIncidentType = extract(\"Incident type:(\\\\w+)\", 1, SyslogMessage),\nStartTime = extract(\"started at \\\"([^\\\"]+)\\\"\", 1, SyslogMessage),\nEndTime = extract(\"ended at \\\"([^\\\"]+)\\\"\", 1, SyslogMessage)\n| project TimeGenerated, Portal, EdgeFiler, IP, User, IncidentType, StartTime, EndTime\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1486"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}