Rule To Detect Ransomware


Hi,

 

I am trying to build a rule to detect ransomware. I was following the rule "Advanced multistage attack detection", but most of the log sources it lists look like they come from Microsoft products, although it does have something called "Raw logs from other sources", so does that mean it will analyze all the other data that is coming into my environment? We will be doing a ransomware simulation, so I want to create a rule to observe in Sentinel so that when the simulation starts, I can track unusual activity.

 

Any suggestion would be appreciated. 

2 Replies
Not sure if you have seen this article but it does appear that the Fusion for Ransomware is pretty much limited to MS Security products: https://docs.microsoft.com/en-us/azure/sentinel/fusion
Hi Gary,

Yes, I saw this one and modified it too, but as you mentioned it is a more MS-specific rule. So basically we will be doing one ransomware simulation, so when that exercise happens, I want to set up something which will detect the activity.
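The thread stops short of an actual rule, so here is an added example of the kind of scheduled analytics query a custom rule for the simulation could use. It is not from the thread, not Microsoft's code and not Fusion; it only needs whatever process-creation and file-write telemetry the simulation hosts already send to Sentinel. Two signals are combined: recovery/backup tampering (shadow-copy deletion, `bcdedit` recovery changes, `wbadmin` catalog deletion) and a burst of files written with the same new extension by one account on one host. Column names are modeled on `SecurityEvent` (EventID 4688) and a Sysmon Event ID 11 file-create parse; the hostnames, accounts, paths and timestamps are constructed sample rows, and the thresholds are assumptions tuned to that sample, so the query runs stand-alone in a Log Analytics query window.

```kql
// Added example, not from the thread or from Microsoft. All rows below are constructed.
// Thresholds are assumptions sized for the sample; tune them on real volumes.
let BurstWindow = 5m;
let BurstThreshold = 5;      // 5 for the sample; expect 50+ on real endpoints
let TamperThreshold = 2;     // one command could be an admin; two or more in sequence is the pattern
// Process-creation events shaped like SecurityEvent 4688 (Computer, Account, CommandLine).
let ProcCreate = datatable(TimeGenerated:datetime, Computer:string, Account:string, CommandLine:string)
[
    datetime(2022-02-01T10:00:05Z), "WKS01", @"CORP\alice",     "vssadmin.exe delete shadows /all /quiet",
    datetime(2022-02-01T10:00:07Z), "WKS01", @"CORP\alice",     "bcdedit /set {default} recoveryenabled no",
    datetime(2022-02-01T10:00:09Z), "WKS01", @"CORP\alice",     "wbadmin delete catalog -quiet",
    datetime(2022-02-01T11:30:00Z), "SRV02", @"CORP\backupsvc", "vssadmin.exe list shadows"
];
// File-create events shaped like a Sysmon Event ID 11 parse (TargetFilename).
let FileWrites = datatable(TimeGenerated:datetime, Computer:string, Account:string, TargetFilename:string)
[
    datetime(2022-02-01T10:01:01Z), "WKS01", @"CORP\alice", @"C:\Users\alice\Documents\q1-budget.xlsx.locked",
    datetime(2022-02-01T10:01:02Z), "WKS01", @"CORP\alice", @"C:\Users\alice\Documents\board-deck.pptx.locked",
    datetime(2022-02-01T10:01:03Z), "WKS01", @"CORP\alice", @"C:\Users\alice\Documents\contract.docx.locked",
    datetime(2022-02-01T10:01:04Z), "WKS01", @"CORP\alice", @"C:\Users\alice\Pictures\img001.jpg.locked",
    datetime(2022-02-01T10:01:05Z), "WKS01", @"CORP\alice", @"C:\Users\alice\Pictures\img002.jpg.locked",
    datetime(2022-02-01T10:01:06Z), "WKS01", @"CORP\alice", @"C:\Users\alice\Desktop\README_RECOVER.txt",
    datetime(2022-02-01T10:05:00Z), "WKS03", @"CORP\bob",   @"C:\Users\bob\Documents\notes.docx",
    datetime(2022-02-01T10:06:00Z), "WKS03", @"CORP\bob",   @"C:\Users\bob\Documents\notes-v2.docx"
];
// Signal 1: commands that remove the victim's ability to roll back, issued shortly before encryption.
let RecoveryTamper = ProcCreate
    | extend Cmd = tolower(CommandLine)
    | where Cmd has_all ("vssadmin", "delete", "shadows")
        or Cmd has_all ("wmic", "shadowcopy", "delete")
        or Cmd matches regex @"bcdedit.*recoveryenabled\s+no"
        or Cmd has_all ("bcdedit", "bootstatuspolicy", "ignoreallfailures")
        or Cmd has_all ("wbadmin", "delete", "catalog")
    | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
                Evidence = make_set(CommandLine), Hits = count()
        by Computer, Account
    | where Hits >= TamperThreshold
    | extend Signal = "RecoveryTamper", Detail = strcat(Hits, " recovery-tampering commands");
// Signal 2: many files gaining the same extension from one account on one host inside a short window.
let ExtensionBurst = FileWrites
    | extend Ext = extract(@"\.([a-z0-9]+)$", 1, tolower(TargetFilename))
    | where isnotempty(Ext)
    | summarize Files = dcount(TargetFilename), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
                Evidence = make_set(TargetFilename, 10)
        by Computer, Account, Ext, Window = bin(TimeGenerated, BurstWindow)
    | where Files >= BurstThreshold
    | extend Signal = "ExtensionBurst", Detail = strcat(Files, " files written as .", Ext, " within ", BurstWindow)
    | project-away Ext, Window, Files;
// Both signals on one host/account in the same run is the strongest indicator; each alone is still worth an alert.
union RecoveryTamper, ExtensionBurst
| project StartTime, EndTime, Computer, Account, Signal, Detail, Evidence
| order by Computer asc, StartTime asc
```

On the sample this returns two rows, both for WKS01 / CORP\alice: a RecoveryTamper row with three commands and an ExtensionBurst row for five `.locked` files; SRV02 only listed shadow copies and bob's two `.docx` writes stay under the threshold. To turn it into a scheduled rule, replace the two `let` datatables with the live sources (for example `SecurityEvent | where EventID == 4688 | project TimeGenerated, Computer, Account, CommandLine` and the Sysmon file-create events as parsed in your workspace), add a `where TimeGenerated > ago(...)` lookback matching the rule's schedule, map `Computer` and `Account` as Host and Account entities, and raise `BurstThreshold` to something a real user never hits during normal work. Run the simulation once with the rule in place and check that both signals fire before relying on it.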