CTERA Solution for Azure Sentinel

.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json

@@ -249,5 +249,6 @@
   "RadiflowIsid",
   "CustomLogsAma",
   "SilverfortAma",
-  "IllumioSaaSDataConnector"
+  "IllumioSaaSDataConnector",
+  "CTERA"
 ]

Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml

@@ -0,0 +1,52 @@
+id: 7a075edf-1cf2-4038-ba9c-c354db6409de
+name: Ransom Protect Detected a Ransomware Attack
+description: 'This analytics rule monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine. Once detected the following information will be exposed Virtual portal, Edge Filer, IP, User, Incident Type, Start and end time'
+kind: Scheduled
+severity: High
+status: Available
+requiredDataConnectors:
+  - connectorId: CTERA
+    dataTypes:
+      - Syslog
+queryFrequency: 5m
+queryPeriod: 5m  
+triggerOperator: GreaterThan
+triggerThreshold: 0
+tactics:
+    - Impact
+relevantTechniques:
+    - T1486
+query: |
+    Syslog
+    | where SyslogMessage contains "[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransomware incident detected"
+    | extend 
+    Portal = extract("portal:(\\w+)", 1, SyslogMessage),
+    EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
+    IP = extract("\\(IP:([0-9.]+)\\)", 1, SyslogMessage),
+    User = extract("user:(\\w+)", 1, SyslogMessage),
+    IncidentType = extract("Incident type:(\\w+)", 1, SyslogMessage),
+    StartTime = extract("started at \"([^\"]+)\"", 1, SyslogMessage),
+    EndTime = extract("ended at \"([^\"]+)\"", 1, SyslogMessage)
+    | project TimeGenerated, Portal, EdgeFiler, IP, User, IncidentType, StartTime, EndTime
+suppressionDuration: PT5H
+suppressionEnabled: false
+incidentConfiguration:
+    createIncident: true
+    groupingConfiguration:
+        enabled: false
+        reopenClosedIncident: false
+        lookbackDuration: PT5H
+        matchingMethod: AllEntities
+eventGroupingSettings:
+    aggregationKind: SingleAlert
+alertDetailsOverride: 
+    alertnameFormat: 'CTERA Ransom Protect Detected a Ransomware Attack.'
+    alertDescriptionFormat: CTERA Ransom Protect Detected a Ransomware Attack at {{TimeGenerated}}.
+customDetails:
+    EdgeFiler: EdgeFiler
+entityMappings:
+- entityType: Host
+  fieldMappings:
+    - identifier: HostName
+      columnName: EdgeFiler
+version: 1.0.0

Solutions/CTERA/Analytic Rules/RansomwareUserBlocked.yaml

@@ -0,0 +1,54 @@
+id: d5d4766b-e547-44da-9d85-48ff393db201
+name: Ransom Protect User Blocked
+description: 'Detects malicious users blocked by CTERA Ransom Protect AI engine.'
+kind: Scheduled
+severity: High
+status: Available
+requiredDataConnectors:
+  - connectorId: CTERA
+    dataTypes:
+      - Syslog
+queryFrequency: 5m
+queryPeriod: 5m  
+triggerOperator: GreaterThan
+triggerThreshold: 0
+tactics:
+    - Impact
+relevantTechniques:
+    - T1486
+query: |
+    Syslog
+    | where SyslogMessage contains "[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransom Protect mechanism blocked"
+    | extend 
+        Portal = extract("portal:(\\w+)", 1, SyslogMessage),
+        EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
+        IP = extract("IP:([0-9.]+)", 1, SyslogMessage),
+        User = extract("user:(\\w+)", 1, SyslogMessage),
+        BlockedTime = extract("at ([^ ]+)", 1, SyslogMessage)
+    | project TimeGenerated, Portal, EdgeFiler, IP, User, BlockedTime
+suppressionDuration: PT5H
+suppressionEnabled: false
+incidentConfiguration:
+    createIncident: true
+    groupingConfiguration:
+        enabled: false
+        reopenClosedIncident: false
+        lookbackDuration: PT5H
+        matchingMethod: AllEntities
+eventGroupingSettings:
+    aggregationKind: SingleAlert
+alertDetailsOverride: 
+    alertnameFormat: 'CTERA Ransom Protect User Blocked'
+    alertDescriptionFormat: CTERA Ransom Protect blocked a malicious user at {{TimeGenerated}}.
+customDetails:
+    EdgeFiler: EdgeFiler
+entityMappings:
+- entityType: Account
+  fieldMappings:
+      - identifier: FullName
+        columnName: User
+- entityType: IP
+  fieldMappings:
+      - identifier: Address
+        columnName: IP
+version: 1.0.0