Cisco SE - Ransomware Activity

Back


Id	c9629114-0f49-4b50-9f1b-345287b2eebf
Rulename	Cisco SE - Ransomware Activity
Description	This rule is triggered when possible ransomware activity is detected on host.
Severity	High
Tactics	Impact
Techniques	T1486
Required data connectors	CiscoSecureEndpoint
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSERansomwareActivityOnHost copy.yaml
Version	1.0.0
Arm template	c9629114-0f49-4b50-9f1b-345287b2eebf.json

KQL

CiscoSecureEndpoint
| where EventMessage has 'Suspected ransomware'
| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName

YAML

description: |
    'This rule is triggered when possible ransomware activity is detected on host.'
kind: Scheduled
queryFrequency: 15m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSERansomwareActivityOnHost copy.yaml
status: Available
triggerOperator: gt
severity: High
relevantTechniques:
- T1486
triggerThreshold: 0
name: Cisco SE - Ransomware Activity
entityMappings:
- fieldMappings:
  - columnName: HostCustomEntity
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: MalwareCustomEntity
    identifier: Name
  entityType: Malware
requiredDataConnectors:
- connectorId: CiscoSecureEndpoint
  dataTypes:
  - CiscoSecureEndpoint
id: c9629114-0f49-4b50-9f1b-345287b2eebf
queryPeriod: 15m
tactics:
- Impact
version: 1.0.0
query: |
  CiscoSecureEndpoint
  | where EventMessage has 'Suspected ransomware'
  | extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName

ARM