Comment automatiser la détection des ransomwares à l'aide de règles d'analyse dans Azure Sentinel

Détection des ransomwares

Ceci est l'histoire finale de notre 4 parties Détection des ransomwares série dans laquelle nous explorons comment analyser et protéger vos données Qumulo avec Azure Sentinel. Dans les parties 1, 2 et 3, nous avons examiné comment détecter les modèles d'accès aux ransomwares, a décrit deux autres méthodes pour détecter les ransomwares grâce à la corrélation des données, puis a offert un aperçu de détection de ransomware à l'aide de Threat Intelligence externe données pour prendre en charge la corrélation des données. Dans notre dernière entrée de cette série, nous montrerons comment automatiser ces requêtes de détection dans Azure Sentinel pour une sécurité proactive des données.


Auparavant dans cette série, nous avons expliqué comment exécuter des requêtes pour détecter les ransomwares et autres activités suspectes. Nous allons maintenant commencer à automatiser le processus de détection des ransomwares.

Dans cet article, nous utilisons des règles d'analyse pour exécuter des requêtes dans Azure Sentinel. Pour ce faire, procédez comme suit :

  1. Lancez les requêtes périodiquement, par exemple toutes les 5 minutes, pour analyser et corréler les données entrées au cours de la période de 5 minutes précédente.
  2. En cas de correspondance(s) positive(s), nous créons un ou plusieurs incidents dans Azure Sentinel et les attribuons éventuellement à un administrateur ou à un analyste de la sécurité des données, envoyons des alertes, etc.
  3. Nous pouvons déclencher des réponses automatisées avec Playbooks en fonction d'alertes ou d'incidents. Les playbooks peuvent inclure presque n'importe quel code sans serveur lancé en tant que fonction Azure.

Comment créer des règles d'analyse pour exécuter des requêtes dans Azure Sentinel et détecter les menaces de ransomware

L'organigramme suivant illustre ce que nous mettons en œuvre avec les règles d'analyse.

comment créer des règles d'analyse pour détecter les ransomwares

Pour rappel, voici la requête que nous avons utilisée pour filtrer sur notre liste noire :

let timerange = 10min;
let blacklist = externaldata (FileExt: string) [h"https://sradtkeloganalytics.blob.core.windows.net/tables/unwanted_file_extensions.csv?sv=2020-04-08&st=2021-05-18T17%3A33%3A45Z&se=2025-12-31T18%3A33%3A00Z&sr=b&sp=r&sig=k3gHLkq7ip4sEDLmrVw3eDrjafEpvjzZG8zA7k6bkGU%3D"] with (ignoreFirstRecord=true);
QumuloAuditEvents
| where EventTime >= ago(timerange)
| where FileExt1 in (blacklist)

Now let's create an analytics rule in Azure Sentinel, so that this query runs every 10 minutes.

In Azure Sentinel, select your Workspace > Analytics > Create > Schedule query rule. Then you enter the rule details such as the Name, Description and the Severity (you can ignore the tactics category at this point). You can compare the following screenshot with your analytics rules.

detect ransomware suspicious file extensions

In the next step you enter the query and the scheduling details such as the interval and whether you want to group potential events together into a single alert.

Then you then decide whether an incident is being created automatically for alerts.

automate ransomware detection

In the final step, we’ll choose an automated response. Automated responses are implemented with Playbooks in Azure Sentinel. A Playbook can contain almost any response using Azure Logic Apps.

Response automation with playbooks in Azure Sentinel

Security information and event management (SIEM) and Security Operations Center (SOC) teams are typically inundated with security alerts and incidents on a regular basis, at volumes so large that available personnel are overwhelmed. This results in situations where many alerts are ignored and many incidents aren't investigated, leaving the organization vulnerable to attacks that go unnoticed.

Many, if not most, of these alerts and incidents conform to recurring patterns that can be addressed by specific and defined sets of remediation actions.

A playbook is a collection of these remediation actions that can be run from Azure Sentinel as a routine. A playbook can help automate and orchestrate your threat response in the event of ransomware detection. It can be run manually or set to run automatically in response to specific alerts or incidents, when triggered by an analytics rule or an automation rule, respectively.

Playbooks are created and applied at the subscription level, but the playbooks tab displays all the playbooks available across any selected subscriptions.

The concept of Logic Apps is beyond the scope of this article. But it is important to understand that you can run any kind of code from a playbook with a Logic Apps response to an alert or incident.

As an example, a very basic playbook would use a pre-built connector to connect to an SMTP server to fire up email as a response to an incident. The next figure is a screenshot from the Logic App designer, so that you can see how to design a basic Logic App in the Logic App Designer.

ransomware detection automated response

A typical automated response for a security event on a Qumulo file system would, for example, perform one or more of the following actions:

  • Automatically assign an incident to an administrator or security analyst
  • Send out email or SMS alerts to administrators or even the affected user(s)
  • Create a ticket in ServiceNow
  • Connect to the relevant Qumulo cluster and delete related files immediately or put them into quarantine
  • Set a Qumulo share to read only or block access for a certain user or client
  • Connect to the firewall and block certain IP addresses
  • Connect to Active Directory and block a user

To learn more about playbooks and Logic Apps, please visit Automate threat response with playbooks in Azure Sentinel.

Additionally, we encourage you to read our complete threat hunting white paper for a deeper dive into ransomware detection methods and workflows with Qumulo Audit and Azure Sentinel.

Implementing a holistic ransomware detection and prevention strategy

In this ransomware detection series, we discussed Threat Hunting with Azure Sentinel for Qumulo clusters. Regardless of whether you run an on-premise Qumulo cluster, Qumulo SaaS in Azure or Qumulo in other clouds, Azure Sentinel is one of the leading SIEM and SOAR platforms for data-driven enterprises. It can be used to implement a holistic ransomware detection and prevention strategy to protect your data on Qumulo file storage and other critical assets for business continuity and disaster recovery.

Qumulo Recover Q: Disaster recovery solution to help guard against ransomware

Qumulo Audit logs can be used via syslog with any SIEM solution for detection.

Qumulo Recover QWe also offer Qumulo Recover Q—a flexible cloud disaster recovery solution that fits into any existing business continuity strategy. Using Recover Q in the cloud can help optimize your company’s spending for business continuity by reducing on-premises costs in favor of an on demand, cloud-native service. Active protection features help ensure data safety and integrity, while built-in snapshot and cloud replication features add layers of defense against real-world threats that could compromise your data or operations.

Qumulo on Azure as a Service, for instance, includes built-in role-based access control for all users, activity auditing for all users and files, and encryption of data at rest coupled with Azure’s Security services to help you repel external threats. In our video below, you can see how Qumulo on Azure makes cloud file services simple and can help keep your data safe with disaster recovery capabilities including continuous replication, erasure coding, snapshots, and automatic failover.

How Qumulo on Azure Makes Cloud File Services Simple

How Qumulo on Azure Makes Cloud File Services Simple

Find out how Qumulo has simplified cloud file storage with its new as a Service filesystem on Azure.

Watch video

Further Reading

Take a look at our two white papers (below) to learn more about ransomware detection with Qumulo audit data and SIEM platforms, and the built-in data services (Qumulo Protect and Qumulo Secure) that come standard with your Qumulo software subscription.

Like what you see?

Contact us to book a demo or arrange a meeting. You can even test drive a fully functional Qumulo environment right from your browser.

Share this post