Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Ransom Protect User Blocked

Ransom Protect User Blocked

Back
Idd5d4766b-e547-44da-9d85-48ff393db201
RulenameRansom Protect User Blocked
DescriptionDetects malicious users blocked by CTERA Ransom Protect AI engine.
SeverityHigh
TacticsImpact
TechniquesT1486
Required data connectorsCTERA
KindNRT
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareUserBlocked.yaml
Version1.0.2
Arm templated5d4766b-e547-44da-9d85-48ff393db201.json
Deploy To Azure
Syslog
| where SyslogMessage contains "Ransom Protect mechanism blocked"
| extend 
    Portal = extract("portal:(\\w+)", 1, SyslogMessage),
    EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
    IP = extract("IP:([0-9.]+)", 1, SyslogMessage),
    User = extract("user:(\\w+)", 1, SyslogMessage),
    BlockedTime = extract("at ([^ ]+)", 1, SyslogMessage)
| project TimeGenerated, Portal, EdgeFiler, IP, User, BlockedTime

name: Ransom Protect User Blocked
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
  createIncident: true
query: |
  Syslog
  | where SyslogMessage contains "Ransom Protect mechanism blocked"
  | extend 
      Portal = extract("portal:(\\w+)", 1, SyslogMessage),
      EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
      IP = extract("IP:([0-9.]+)", 1, SyslogMessage),
      User = extract("user:(\\w+)", 1, SyslogMessage),
      BlockedTime = extract("at ([^ ]+)", 1, SyslogMessage)
  | project TimeGenerated, Portal, EdgeFiler, IP, User, BlockedTime  
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: User
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: IP
    identifier: Address
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareUserBlocked.yaml
suppressionEnabled: false
tactics:
- Impact
suppressionDuration: PT5H
kind: NRT
eventGroupingSettings:
  aggregationKind: SingleAlert
version: 1.0.2
alertDetailsOverride:
  alertDescriptionFormat: CTERA Ransom Protect blocked a malicious user at {{TimeGenerated}}.
  alertnameFormat: CTERA Ransom Protect User Blocked
relevantTechniques:
- T1486
id: d5d4766b-e547-44da-9d85-48ff393db201
customDetails:
  EdgeFiler: EdgeFiler
severity: High
requiredDataConnectors:
- connectorId: CTERA
  dataTypes:
  - Syslog
status: Available
description: Detects malicious users blocked by CTERA Ransom Protect AI engine.