Microsoft Sentinel Analytic Rules

Ransom Protect User Blocked

Id: d5d4766b-e547-44da-9d85-48ff393db201
Rulename: Ransom Protect User Blocked
Description: Detects malicious users blocked by CTERA Ransom Protect AI engine.
Severity: High
Tactics: Impact
Techniques: T1486
Required data connectors: CTERA
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: GreaterThan
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareUserBlocked.yaml
Version: 1.0.0
Arm template: d5d4766b-e547-44da-9d85-48ff393db201.json
// Rows from the Syslog table carrying the CTERA Ransom Protect block message.
Syslog
// Case-insensitive substring match on the fixed listener prefix of the log line.
| where SyslogMessage contains "[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransom Protect mechanism blocked"
// Verbatim (@"...") regex literals: single backslashes, same patterns as the escaped "\\w" form.
// Each extract() yields an empty string when its pattern does not match.
| extend
    Portal      = extract(@"portal:(\w+)", 1, SyslogMessage),
    EdgeFiler   = extract(@"Edge Filer:(\w+-\d+)", 1, SyslogMessage),
    IP          = extract(@"IP:([0-9.]+)", 1, SyslogMessage),      // IPv4-shaped only; an IPv6 address would not match
    User        = extract(@"user:(\w+)", 1, SyslogMessage),        // \w stops at '.', '@', '-' and '\' — a longer user name is truncated
    BlockedTime = extract(@"at ([^ ]+)", 1, SyslogMessage)         // first "at " token in the message, not anchored to the end
// Output column order is part of the rule's contract (entity mappings bind User and IP).
| project TimeGenerated, Portal, EdgeFiler, IP, User, BlockedTime
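# Scheduled Microsoft Sentinel analytic rule: CTERA Ransom Protect blocked a user (Syslog source).
# Fix: trailing whitespace inside the `query: |` block scalar was part of the query value;
# it is removed here so the stored query matches the generated ARM template string.
queryFrequency: 5m
description: Detects malicious users blocked by CTERA Ransom Protect AI engine.
eventGroupingSettings:
  # One alert per rule run, regardless of how many blocked-user rows the query returns.
  aggregationKind: SingleAlert
name: Ransom Protect User Blocked
# Has no effect while suppressionEnabled is false (see the end of this file).
suppressionDuration: PT5H
relevantTechniques:
- T1486
# With GreaterThan 0, any returned row fires the rule.
triggerThreshold: 0
status: Available
id: d5d4766b-e547-44da-9d85-48ff393db201
requiredDataConnectors:
- dataTypes:
  - Syslog
  connectorId: CTERA
# Account is bound to the `user:` capture and IP to the `IP:` capture of the query;
# both columns are empty strings when the corresponding regex does not match.
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: User
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IP
# Lookback equals the run interval, so consecutive runs do not overlap; an event whose
# TimeGenerated falls outside the 5m window at run time is not seen by a later run.
# NOTE(review): if Syslog ingestion lag is observed, a queryPeriod larger than queryFrequency
# is the usual mitigation — confirm against the connector's delivery characteristics.
queryPeriod: 5m
query: |
  Syslog
  | where SyslogMessage contains "[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransom Protect mechanism blocked"
  | extend
      Portal = extract("portal:(\\w+)", 1, SyslogMessage),
      EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
      IP = extract("IP:([0-9.]+)", 1, SyslogMessage),
      User = extract("user:(\\w+)", 1, SyslogMessage),
      BlockedTime = extract("at ([^ ]+)", 1, SyslogMessage)
  | project TimeGenerated, Portal, EdgeFiler, IP, User, BlockedTime
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareUserBlocked.yaml
severity: High
customDetails:
  # Only EdgeFiler is surfaced as an alert custom detail; Portal and BlockedTime exist
  # solely in the query output.
  EdgeFiler: EdgeFiler
version: 1.0.0
alertDetailsOverride:
  # Uses the Syslog row's TimeGenerated; the BlockedTime column extracted from the
  # message text is not referenced here.
  alertDescriptionFormat: CTERA Ransom Protect blocked a malicious user at {{TimeGenerated}}.
  alertnameFormat: CTERA Ransom Protect User Blocked
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    # Grouping is disabled (enabled: false), so lookbackDuration and matchingMethod
    # are inert and each alert opens a separate incident.
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: false
triggerOperator: GreaterThan
tactics:
- Impact
# Suppression is off; the PT5H suppressionDuration above is therefore not applied.
suppressionEnabled: false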
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d5d4766b-e547-44da-9d85-48ff393db201')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d5d4766b-e547-44da-9d85-48ff393db201')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "CTERA Ransom Protect blocked a malicious user at {{TimeGenerated}}.",
          "alertnameFormat": "CTERA Ransom Protect User Blocked"
        },
        "alertRuleTemplateName": "d5d4766b-e547-44da-9d85-48ff393db201",
        "customDetails": {
          "EdgeFiler": "EdgeFiler"
        },
        "description": "Detects malicious users blocked by CTERA Ransom Protect AI engine.",
        "displayName": "Ransom Protect User Blocked",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "User",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CTERA/Analytic Rules/RansomwareUserBlocked.yaml",
        "query": "Syslog\n| where SyslogMessage contains \"[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransom Protect mechanism blocked\"\n| extend \n    Portal = extract(\"portal:(\\\\w+)\", 1, SyslogMessage),\n    EdgeFiler = extract(\"Edge Filer:(\\\\w+-\\\\d+)\", 1, SyslogMessage),\n    IP = extract(\"IP:([0-9.]+)\", 1, SyslogMessage),\n    User = extract(\"user:(\\\\w+)\", 1, SyslogMessage),\n    BlockedTime = extract(\"at ([^ ]+)\", 1, SyslogMessage)\n| project TimeGenerated, Portal, EdgeFiler, IP, User, BlockedTime\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1486"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}