Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cisco SE - Ransomware Activity

Back
Idc9629114-0f49-4b50-9f1b-345287b2eebf
RulenameCisco SE - Ransomware Activity
DescriptionThis rule is triggered when possible ransomware activity is detected on host.
SeverityHigh
TacticsImpact
TechniquesT1486
Required data connectorsCiscoSecureEndpoint
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSERansomwareActivityOnHost copy.yaml
Version1.0.0
Arm templatec9629114-0f49-4b50-9f1b-345287b2eebf.json
Deploy To Azure
CiscoSecureEndpoint
| where EventMessage has 'Suspected ransomware'
| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSERansomwareActivityOnHost copy.yaml
description: |
    'This rule is triggered when possible ransomware activity is detected on host.'
triggerOperator: gt
queryPeriod: 15m
requiredDataConnectors:
- dataTypes:
  - CiscoSecureEndpoint
  connectorId: CiscoSecureEndpoint
queryFrequency: 15m
triggerThreshold: 0
tactics:
- Impact
query: |
  CiscoSecureEndpoint
  | where EventMessage has 'Suspected ransomware'
  | extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName  
status: Available
kind: Scheduled
relevantTechniques:
- T1486
version: 1.0.0
id: c9629114-0f49-4b50-9f1b-345287b2eebf
entityMappings:
- fieldMappings:
  - columnName: HostCustomEntity
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: MalwareCustomEntity
    identifier: Name
  entityType: Malware
name: Cisco SE - Ransomware Activity
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c9629114-0f49-4b50-9f1b-345287b2eebf')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c9629114-0f49-4b50-9f1b-345287b2eebf')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Cisco SE - Ransomware Activity",
        "description": "'This rule is triggered when possible ransomware activity is detected on host.'\n",
        "severity": "High",
        "enabled": true,
        "query": "CiscoSecureEndpoint\n| where EventMessage has 'Suspected ransomware'\n| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1486"
        ],
        "alertRuleTemplateName": "c9629114-0f49-4b50-9f1b-345287b2eebf",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "HostName"
              }
            ]
          },
          {
            "entityType": "Malware",
            "fieldMappings": [
              {
                "columnName": "MalwareCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSERansomwareActivityOnHost copy.yaml"
      }
    }
  ]
}