Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Ransom Protect User Blocked

Ransom Protect User Blocked

Back
Idd5d4766b-e547-44da-9d85-48ff393db201
RulenameRansom Protect User Blocked
DescriptionDetects malicious users blocked by CTERA Ransom Protect AI engine.
SeverityHigh
TacticsImpact
TechniquesT1486
Required data connectorsCTERA
KindNRT
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareUserBlocked.yaml
Version1.0.2
Arm templated5d4766b-e547-44da-9d85-48ff393db201.json
Deploy To Azure
Syslog
| where SyslogMessage contains "Ransom Protect mechanism blocked"
| extend 
    Portal = extract("portal:(\\w+)", 1, SyslogMessage),
    EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
    IP = extract("IP:([0-9.]+)", 1, SyslogMessage),
    User = extract("user:(\\w+)", 1, SyslogMessage),
    BlockedTime = extract("at ([^ ]+)", 1, SyslogMessage)
| project TimeGenerated, Portal, EdgeFiler, IP, User, BlockedTime

status: Available
id: d5d4766b-e547-44da-9d85-48ff393db201
tactics:
- Impact
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareUserBlocked.yaml
eventGroupingSettings:
  aggregationKind: SingleAlert
name: Ransom Protect User Blocked
query: |
  Syslog
  | where SyslogMessage contains "Ransom Protect mechanism blocked"
  | extend 
      Portal = extract("portal:(\\w+)", 1, SyslogMessage),
      EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
      IP = extract("IP:([0-9.]+)", 1, SyslogMessage),
      User = extract("user:(\\w+)", 1, SyslogMessage),
      BlockedTime = extract("at ([^ ]+)", 1, SyslogMessage)
  | project TimeGenerated, Portal, EdgeFiler, IP, User, BlockedTime  
severity: High
customDetails:
  EdgeFiler: EdgeFiler
kind: NRT
suppressionDuration: PT5H
relevantTechniques:
- T1486
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    reopenClosedIncident: false
    enabled: false
    matchingMethod: AllEntities
requiredDataConnectors:
- connectorId: CTERA
  dataTypes:
  - Syslog
version: 1.0.2
description: Detects malicious users blocked by CTERA Ransom Protect AI engine.
suppressionEnabled: false
alertDetailsOverride:
  alertnameFormat: CTERA Ransom Protect User Blocked
  alertDescriptionFormat: CTERA Ransom Protect blocked a malicious user at {{TimeGenerated}}.
entityMappings:
- fieldMappings:
  - columnName: User
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: IP
    identifier: Address
  entityType: IP

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d5d4766b-e547-44da-9d85-48ff393db201')]",
      "kind": "NRT",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d5d4766b-e547-44da-9d85-48ff393db201')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "CTERA Ransom Protect blocked a malicious user at {{TimeGenerated}}.",
          "alertnameFormat": "CTERA Ransom Protect User Blocked"
        },
        "alertRuleTemplateName": "d5d4766b-e547-44da-9d85-48ff393db201",
        "customDetails": {
          "EdgeFiler": "EdgeFiler"
        },
        "description": "Detects malicious users blocked by CTERA Ransom Protect AI engine.",
        "displayName": "Ransom Protect User Blocked",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "User",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareUserBlocked.yaml",
        "query": "Syslog\n| where SyslogMessage contains \"Ransom Protect mechanism blocked\"\n| extend \n    Portal = extract(\"portal:(\\\\w+)\", 1, SyslogMessage),\n    EdgeFiler = extract(\"Edge Filer:(\\\\w+-\\\\d+)\", 1, SyslogMessage),\n    IP = extract(\"IP:([0-9.]+)\", 1, SyslogMessage),\n    User = extract(\"user:(\\\\w+)\", 1, SyslogMessage),\n    BlockedTime = extract(\"at ([^ ]+)\", 1, SyslogMessage)\n| project TimeGenerated, Portal, EdgeFiler, IP, User, BlockedTime\n",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1486"
        ],
        "templateVersion": "1.0.2"
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}