Microsoft Sentinel Analytic Rules

Ransom Protect User Blocked

Id: d5d4766b-e547-44da-9d85-48ff393db201
Rulename: Ransom Protect User Blocked
Description: Detects malicious users blocked by CTERA Ransom Protect AI engine.
Severity: High
Tactics: Impact
Techniques: T1486
Required data connectors: CTERA
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: GreaterThan
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareUserBlocked.yaml
Version: 1.0.0
Arm template: d5d4766b-e547-44da-9d85-48ff393db201.json
// Surfaces CTERA "Ransom Protect" block events that arrive over Syslog and pulls the
// portal, Edge Filer, client IP, user and block time out of the free-text message.
Syslog
// Case-insensitive substring match on the CTERA logger marker. This is the same
// operator the rule's ARM template ships with, so the two copies stay aligned.
| where SyslogMessage contains "[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransom Protect mechanism blocked"
// extract() returns the first match of each pattern, so:
//  - \w+ stops at '.', '-', '@' and '\': a username or portal name containing any of
//    those would be truncated here, and the Account entity built from User would be
//    truncated with it. TODO confirm CTERA's user/portal naming before relying on this.
//  - [0-9.]+ only matches dotted-decimal (IPv4-style) addresses; any other address
//    format would leave IP empty.
//  - "at ([^ ]+)" is not anchored to a word boundary; if an earlier "at " appears in the
//    message, BlockedTime picks up that token instead — presumably it does not, verify
//    against a sample message.
| extend 
    Portal = extract("portal:(\\w+)", 1, SyslogMessage),
    EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
    IP = extract("IP:([0-9.]+)", 1, SyslogMessage),
    User = extract("user:(\\w+)", 1, SyslogMessage),
    BlockedTime = extract("at ([^ ]+)", 1, SyslogMessage)
// Columns consumed by the rule's entity mappings (User -> Account, IP -> IP) and customDetails (EdgeFiler).
| project TimeGenerated, Portal, EdgeFiler, IP, User, BlockedTime
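# Microsoft Sentinel scheduled analytic rule: raises a High-severity alert whenever the
# CTERA Ransom Protect engine reports that it blocked a user (MITRE ATT&CK T1486, Impact).
kind: Scheduled
# Extra column surfaced on the alert so responders see the affected filer without
# opening the query results.
customDetails:
  EdgeFiler: EdgeFiler
relevantTechniques:
- T1486
description: Detects malicious users blocked by CTERA Ransom Protect AI engine.
# Look-back window equals the run interval (5m/5m): no overlap, so each Syslog row is
# evaluated once. NOTE(review): rows that land after their 5m window has already been
# queried would be missed; a period slightly longer than the frequency is the usual
# mitigation if CTERA Syslog ingestion shows delay — confirm before changing.
queryPeriod: 5m
# Only effective while suppressionEnabled is true (it is false below).
suppressionDuration: PT5H
queryFrequency: 5m
incidentConfiguration:
  createIncident: true
  # Incident grouping is switched off, so every alert opens its own incident.
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
tactics:
- Impact
name: Ransom Protect User Blocked
suppressionEnabled: false
requiredDataConnectors:
- connectorId: CTERA
  dataTypes:
  - Syslog
alertDetailsOverride:
  alertnameFormat: CTERA Ransom Protect User Blocked
  # Quoted so the {{...}} placeholder is never read as a flow mapping by a stricter parser.
  alertDescriptionFormat: 'CTERA Ransom Protect blocked a malicious user at {{TimeGenerated}}.'
entityMappings:
# User comes from extract("user:(\w+)"), which cannot contain '.', '-', '@' or '\', so the
# value can never carry a domain part. NOTE(review): FullName is meant for a
# domain-qualified account; confirm whether Name fits CTERA's bare usernames better.
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: User
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IP
# 0 with GreaterThan: a single matching Syslog row is enough to alert.
triggerThreshold: 0
version: 1.0.0
id: d5d4766b-e547-44da-9d85-48ff393db201
# Trailing whitespace inside this block scalar is part of the value; the original had stray
# spaces after "extend" and after "BlockedTime", which made this copy differ from the query
# string in the ARM template. Both are removed here; KQL semantics are unchanged.
query: |
  Syslog
  | where SyslogMessage contains "[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransom Protect mechanism blocked"
  | extend
      Portal = extract("portal:(\\w+)", 1, SyslogMessage),
      EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
      IP = extract("IP:([0-9.]+)", 1, SyslogMessage),
      User = extract("user:(\\w+)", 1, SyslogMessage),
      BlockedTime = extract("at ([^ ]+)", 1, SyslogMessage)
  | project TimeGenerated, Portal, EdgeFiler, IP, User, BlockedTime
status: Available
# All rows returned by one run are folded into a single alert.
eventGroupingSettings:
  aggregationKind: SingleAlert
triggerOperator: GreaterThan
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareUserBlocked.yaml
severity: High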
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d5d4766b-e547-44da-9d85-48ff393db201')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d5d4766b-e547-44da-9d85-48ff393db201')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "CTERA Ransom Protect blocked a malicious user at {{TimeGenerated}}.",
          "alertnameFormat": "CTERA Ransom Protect User Blocked"
        },
        "alertRuleTemplateName": "d5d4766b-e547-44da-9d85-48ff393db201",
        "customDetails": {
          "EdgeFiler": "EdgeFiler"
        },
        "description": "Detects malicious users blocked by CTERA Ransom Protect AI engine.",
        "displayName": "Ransom Protect User Blocked",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "User",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareUserBlocked.yaml",
        "query": "Syslog\n| where SyslogMessage contains \"[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransom Protect mechanism blocked\"\n| extend \n    Portal = extract(\"portal:(\\\\w+)\", 1, SyslogMessage),\n    EdgeFiler = extract(\"Edge Filer:(\\\\w+-\\\\d+)\", 1, SyslogMessage),\n    IP = extract(\"IP:([0-9.]+)\", 1, SyslogMessage),\n    User = extract(\"user:(\\\\w+)\", 1, SyslogMessage),\n    BlockedTime = extract(\"at ([^ ]+)\", 1, SyslogMessage)\n| project TimeGenerated, Portal, EdgeFiler, IP, User, BlockedTime\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1486"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}