Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cisco SE - Ransomware Activity

Cisco SE - Ransomware Activity

Back
Idc9629114-0f49-4b50-9f1b-345287b2eebf
RulenameCisco SE - Ransomware Activity
DescriptionThis rule is triggered when possible ransomware activity is detected on host.
SeverityHigh
TacticsImpact
TechniquesT1486
Required data connectorsCiscoSecureEndpoint
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSERansomwareActivityOnHost copy.yaml
Version1.0.0
Arm templatec9629114-0f49-4b50-9f1b-345287b2eebf.json
Deploy To Azure
CiscoSecureEndpoint
| where EventMessage has 'Suspected ransomware'
| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName

queryPeriod: 15m
query: |
  CiscoSecureEndpoint
  | where EventMessage has 'Suspected ransomware'
  | extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName  
name: Cisco SE - Ransomware Activity
entityMappings:
- fieldMappings:
  - columnName: HostCustomEntity
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: MalwareCustomEntity
    identifier: Name
  entityType: Malware
queryFrequency: 15m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSERansomwareActivityOnHost copy.yaml
requiredDataConnectors:
- connectorId: CiscoSecureEndpoint
  dataTypes:
  - CiscoSecureEndpoint
description: |
    'This rule is triggered when possible ransomware activity is detected on host.'
kind: Scheduled
version: 1.0.0
status: Available
severity: High
relevantTechniques:
- T1486
triggerOperator: gt
triggerThreshold: 0
tactics:
- Impact
id: c9629114-0f49-4b50-9f1b-345287b2eebf