Cisco SE - Ransomware Activity

Back


Id	c9629114-0f49-4b50-9f1b-345287b2eebf
Rulename	Cisco SE - Ransomware Activity
Description	This rule is triggered when possible ransomware activity is detected on host.
Severity	High
Tactics	Impact
Techniques	T1486
Required data connectors	CiscoSecureEndpoint
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSERansomwareActivityOnHost copy.yaml
Version	1.0.0
Arm template	c9629114-0f49-4b50-9f1b-345287b2eebf.json

KQL

CiscoSecureEndpoint
| where EventMessage has 'Suspected ransomware'
| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName

YAML

relevantTechniques:
- T1486
queryPeriod: 15m
triggerOperator: gt
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSERansomwareActivityOnHost copy.yaml
description: |
    'This rule is triggered when possible ransomware activity is detected on host.'
tactics:
- Impact
severity: High
status: Available
kind: Scheduled
triggerThreshold: 0
queryFrequency: 15m
requiredDataConnectors:
- dataTypes:
  - CiscoSecureEndpoint
  connectorId: CiscoSecureEndpoint
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: HostCustomEntity
- entityType: Malware
  fieldMappings:
  - identifier: Name
    columnName: MalwareCustomEntity
id: c9629114-0f49-4b50-9f1b-345287b2eebf
query: |
  CiscoSecureEndpoint
  | where EventMessage has 'Suspected ransomware'
  | extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName  
name: Cisco SE - Ransomware Activity

ARM