Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cisco SE - Ransomware Activity

Back
Idc9629114-0f49-4b50-9f1b-345287b2eebf
RulenameCisco SE - Ransomware Activity
DescriptionThis rule is triggered when possible ransomware activity is detected on host.
SeverityHigh
TacticsImpact
TechniquesT1486
Required data connectorsCiscoSecureEndpoint
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSERansomwareActivityOnHost copy.yaml
Version1.0.0
Arm templatec9629114-0f49-4b50-9f1b-345287b2eebf.json
Deploy To Azure
CiscoSecureEndpoint
| where EventMessage has 'Suspected ransomware'
| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName
version: 1.0.0
status: Available
queryFrequency: 15m
requiredDataConnectors:
- connectorId: CiscoSecureEndpoint
  dataTypes:
  - CiscoSecureEndpoint
entityMappings:
- fieldMappings:
  - columnName: HostCustomEntity
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: MalwareCustomEntity
    identifier: Name
  entityType: Malware
kind: Scheduled
queryPeriod: 15m
severity: High
query: |
  CiscoSecureEndpoint
  | where EventMessage has 'Suspected ransomware'
  | extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName  
triggerOperator: gt
id: c9629114-0f49-4b50-9f1b-345287b2eebf
description: |
    'This rule is triggered when possible ransomware activity is detected on host.'
triggerThreshold: 0
name: Cisco SE - Ransomware Activity
relevantTechniques:
- T1486
tactics:
- Impact
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSERansomwareActivityOnHost copy.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c9629114-0f49-4b50-9f1b-345287b2eebf')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c9629114-0f49-4b50-9f1b-345287b2eebf')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Cisco SE - Ransomware Activity",
        "description": "'This rule is triggered when possible ransomware activity is detected on host.'\n",
        "severity": "High",
        "enabled": true,
        "query": "CiscoSecureEndpoint\n| where EventMessage has 'Suspected ransomware'\n| extend HostCustomEntity = DstHostname, MalwareCustomEntity = ThreatName\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1486"
        ],
        "alertRuleTemplateName": "c9629114-0f49-4b50-9f1b-345287b2eebf",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "HostName",
                "columnName": "HostCustomEntity"
              }
            ]
          },
          {
            "entityType": "Malware",
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "MalwareCustomEntity"
              }
            ]
          }
        ],
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco Secure Endpoint/Analytic Rules/CiscoSERansomwareActivityOnHost copy.yaml",
        "templateVersion": "1.0.0"
      }
    }
  ]
}