Acronis - Multiple Endpoints Infected by Ransomware

Back


Id	a783ade7-bf43-416d-b809-8f5b06d87790
Rulename	Acronis - Multiple Endpoints Infected by Ransomware
Description	Detects when three or more distinct endpoints report ransomware detections within a single day.
Severity	High
Tactics	Impact
Techniques	T1486
Kind	Scheduled
Query frequency	1h
Query period	1d
Trigger threshold	2
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Acronis Cyber Protect Cloud/Analytic Rules/AcronisMultipleEndpointsInfectedByRansomware.yaml
Version	1.0.0
Arm template	a783ade7-bf43-416d-b809-8f5b06d87790.json

KQL

CommonSecurityLog
| where DeviceVendor == "Acronis"
| where DeviceEventClassID == "ActiveProtectionBlocksSuspiciousActivity"
| summarize ActiveProtectionBlocksSuspiciousActivity = count() by DeviceName

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Acronis Cyber Protect Cloud/Analytic Rules/AcronisMultipleEndpointsInfectedByRansomware.yaml
requiredDataConnectors: []
queryPeriod: 1d
description: Detects when three or more distinct endpoints report ransomware detections within a single day.
triggerThreshold: 2
name: Acronis - Multiple Endpoints Infected by Ransomware
triggerOperator: gt
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AnyAlert
    enabled: true
    reopenClosedIncident: true
    lookbackDuration: P1D
kind: Scheduled
customDetails:
  DeviceName: DeviceName
eventGroupingSettings:
  aggregationKind: SingleAlert
queryFrequency: 1h
tactics:
- Impact
id: a783ade7-bf43-416d-b809-8f5b06d87790
version: 1.0.0
query: |
  CommonSecurityLog
  | where DeviceVendor == "Acronis"
  | where DeviceEventClassID == "ActiveProtectionBlocksSuspiciousActivity"
  | summarize ActiveProtectionBlocksSuspiciousActivity = count() by DeviceName  
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DeviceName
severity: High
relevantTechniques:
- T1486

ARM