Syslog
| where SyslogMessage contains "Ransom Protect mechanism blocked"
| extend
Portal = extract("portal:(\\w+)", 1, SyslogMessage),
EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
IP = extract("IP:([0-9.]+)", 1, SyslogMessage),
User = extract("user:(\\w+)", 1, SyslogMessage),
BlockedTime = extract("at ([^ ]+)", 1, SyslogMessage)
| project TimeGenerated, Portal, EdgeFiler, IP, User, BlockedTime
suppressionEnabled: false
severity: High
alertDetailsOverride:
alertDescriptionFormat: CTERA Ransom Protect blocked a malicious user at {{TimeGenerated}}.
alertnameFormat: CTERA Ransom Protect User Blocked
description: Detects malicious users blocked by CTERA Ransom Protect AI engine.
version: 1.0.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareUserBlocked.yaml
requiredDataConnectors:
- dataTypes:
- Syslog
connectorId: CTERA
suppressionDuration: PT5H
incidentConfiguration:
groupingConfiguration:
enabled: false
matchingMethod: AllEntities
reopenClosedIncident: false
lookbackDuration: PT5H
createIncident: true
name: Ransom Protect User Blocked
id: d5d4766b-e547-44da-9d85-48ff393db201
relevantTechniques:
- T1486
tactics:
- Impact
customDetails:
EdgeFiler: EdgeFiler
eventGroupingSettings:
aggregationKind: SingleAlert
query: |
Syslog
| where SyslogMessage contains "Ransom Protect mechanism blocked"
| extend
Portal = extract("portal:(\\w+)", 1, SyslogMessage),
EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
IP = extract("IP:([0-9.]+)", 1, SyslogMessage),
User = extract("user:(\\w+)", 1, SyslogMessage),
BlockedTime = extract("at ([^ ]+)", 1, SyslogMessage)
| project TimeGenerated, Portal, EdgeFiler, IP, User, BlockedTime
status: Available
kind: NRT
entityMappings:
- fieldMappings:
- columnName: User
identifier: FullName
entityType: Account
- fieldMappings:
- columnName: IP
identifier: Address
entityType: IP
