Cisco SE - Ransomware Activity

Back


Id	c9629114-0f49-4b50-9f1b-345287b2eebf
Rulename	Cisco SE - Ransomware Activity
Description	This rule is triggered when possible ransomware activity is detected on host.
Severity	High
Tactics	Impact
Techniques	T1486
Required data connectors	CiscoSecureEndpoint
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSERansomwareActivityOnHost copy.yaml
Version	1.0.0
Arm template	c9629114-0f49-4b50-9f1b-345287b2eebf.json

KQL

CiscoSecureEndpoint
| where EventMessage has 'Suspected ransomware'
| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName

YAML

triggerThreshold: 0
name: Cisco SE - Ransomware Activity
description: |
    'This rule is triggered when possible ransomware activity is detected on host.'
query: |
  CiscoSecureEndpoint
  | where EventMessage has 'Suspected ransomware'
  | extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSERansomwareActivityOnHost copy.yaml
triggerOperator: gt
tactics:
- Impact
id: c9629114-0f49-4b50-9f1b-345287b2eebf
requiredDataConnectors:
- connectorId: CiscoSecureEndpoint
  dataTypes:
  - CiscoSecureEndpoint
severity: High
relevantTechniques:
- T1486
status: Available
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: HostCustomEntity
  entityType: Host
- fieldMappings:
  - identifier: Name
    columnName: MalwareCustomEntity
  entityType: Malware
version: 1.0.0
queryFrequency: 15m
queryPeriod: 15m
kind: Scheduled

ARM