Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cisco SE - Ransomware Activity

Cisco SE - Ransomware Activity

Back
Idc9629114-0f49-4b50-9f1b-345287b2eebf
RulenameCisco SE - Ransomware Activity
DescriptionThis rule is triggered when possible ransomware activity is detected on host.
SeverityHigh
TacticsImpact
TechniquesT1486
Required data connectorsCiscoSecureEndpoint
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSERansomwareActivityOnHost copy.yaml
Version1.0.0
Arm templatec9629114-0f49-4b50-9f1b-345287b2eebf.json
Deploy To Azure
CiscoSecureEndpoint
| where EventMessage has 'Suspected ransomware'
| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName

tactics:
- Impact
triggerOperator: gt
requiredDataConnectors:
- connectorId: CiscoSecureEndpoint
  dataTypes:
  - CiscoSecureEndpoint
relevantTechniques:
- T1486
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: HostCustomEntity
  entityType: Host
- fieldMappings:
  - identifier: Name
    columnName: MalwareCustomEntity
  entityType: Malware
id: c9629114-0f49-4b50-9f1b-345287b2eebf
queryPeriod: 15m
name: Cisco SE - Ransomware Activity
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSERansomwareActivityOnHost copy.yaml
queryFrequency: 15m
description: |
    'This rule is triggered when possible ransomware activity is detected on host.'
version: 1.0.0
query: |
  CiscoSecureEndpoint
  | where EventMessage has 'Suspected ransomware'
  | extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName  
triggerThreshold: 0
severity: High
status: Available
kind: Scheduled