How to automate ransomware detection with analytics rules in Azure Sentinel

Ransomware detection

This is the final post in our four-part ransomware detection series, in which we explore how to analyze and protect your Qumulo data with Azure Sentinel. In parts 1, 2 and 3 we examined how to detect ransomware access patterns, described two more methods for detecting ransomware through data correlation, and then gave an overview of ransomware detection using external threat intelligence data to support that correlation. In this last entry of the series, we show how to automate these detection queries in Azure Sentinel for proactive data security.


Earlier in this series, we wrote about how to run queries that detect ransomware and other suspicious activity. Now we will start automating the ransomware detection process.

In this article, we use analytics rules to run queries in Azure Sentinel. To do this, we follow these steps:

  1. Run the queries periodically, for example every 5 minutes, to analyze and correlate the data that arrived during the previous 5-minute period.
  2. On positive matches, create one or more incidents in Azure Sentinel and, optionally, assign them to an administrator or data security analyst, send alerts, and more.
  3. Trigger automated responses with playbooks based on alerts or incidents. Playbooks can include almost any serverless code that runs as an Azure Function.

How to create analytics rules that run queries in Azure Sentinel and detect ransomware threats

The following flowchart illustrates what we are implementing with analytics rules.

how to create analytics rules to detect ransomware

As a reminder, here is the query we use to filter against our blacklist:

// Look back over the last 10 minutes of audit events.
let timerange = 10min;
// Load the list of unwanted file extensions from a CSV in blob storage.
// The h"" prefix marks the string as obfuscated so the SAS URL is not written to query logs;
// ignoreFirstRecord skips the CSV header row.
let blacklist = externaldata (FileExt: string) [h"https://sradtkeloganalytics.blob.core.windows.net/tables/unwanted_file_extensions.csv?sv=2020-04-08&st=2021-05-18T17%3A33%3A45Z&se=2025-12-31T18%3A33%3A00Z&sr=b&sp=r&sig=k3gHLkq7ip4sEDLmrVw3eDrjafEpvjzZG8zA7k6bkGU%3D"] with (ignoreFirstRecord=true);
QumuloAuditEvents
| where EventTime >= ago(timerange)
// Keep only events whose file extension appears on the blacklist.
| where FileExt1 in (blacklist)

Now let's create an analytics rule in Azure Sentinel, so that this query runs every 10 minutes.

In Azure Sentinel, select your Workspace > Analytics > Create > Scheduled query rule. Then enter the rule details such as the Name, Description and Severity (you can ignore the tactics category at this point). You can compare the following screenshot with your own analytics rule.

detect ransomware suspicious file extensions

In the next step you enter the query and the scheduling details such as the interval and whether you want to group potential events together into a single alert.

Then you decide whether an incident is created automatically for each alert.

automate ransomware detection
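As an added illustration, not code from this post or from Qumulo or Microsoft, the following Python models what one scheduled run of the rule above does: apply the 10-minute look-back window and the extension blacklist, then group the hits into alerts the way the wizard's grouping and threshold settings do. The event fields, user names and blacklist contents are constructed stand-ins for the QumuloAuditEvents schema and the CSV on the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed blacklist, standing in for the unwanted_file_extensions.csv
# that the page's KQL loads with externaldata().
BLACKLIST = {"locky", "crypt", "encrypted", "wncry"}


@dataclass(frozen=True)
class AuditEvent:
    """Minimal stand-in for a QumuloAuditEvents row (constructed schema)."""
    event_time: datetime
    user: str
    file_ext: str
    path: str


def matching_events(events, now, timerange=timedelta(minutes=10)):
    """Equivalent of the page's query: keep events from the last `timerange`
    whose extension is on the blacklist (compared case-insensitively)."""
    cutoff = now - timerange
    return [e for e in events
            if e.event_time >= cutoff and e.file_ext.lower() in BLACKLIST]


def build_alerts(matches, group_by_user=True, threshold=1):
    """Model the rule wizard's grouping choice: one alert per user (or one
    alert for everything) whenever the hit count reaches `threshold`."""
    groups = {}
    for e in matches:
        key = e.user if group_by_user else "all"
        groups.setdefault(key, []).append(e)
    return [{"entity": key, "hits": len(evs),
             "files": sorted(e.path for e in evs)}
            for key, evs in groups.items() if len(evs) >= threshold]


def run_rule(events, now, **kwargs):
    """One scheduled execution of the rule: window + blacklist + grouping."""
    return build_alerts(matching_events(events, now), **kwargs)


# Constructed sample: three hits by alice inside the window, one by bob that
# is older than the 10-minute window, and a benign .docx write by carol.
NOW = datetime(2021, 5, 18, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    AuditEvent(NOW - timedelta(minutes=1), "alice", "locky", "/share/a.docx.locky"),
    AuditEvent(NOW - timedelta(minutes=2), "alice", "LOCKY", "/share/b.xlsx.LOCKY"),
    AuditEvent(NOW - timedelta(minutes=3), "alice", "locky", "/share/c.pdf.locky"),
    AuditEvent(NOW - timedelta(minutes=15), "bob", "encrypted", "/share/old.encrypted"),
    AuditEvent(NOW - timedelta(minutes=4), "carol", "docx", "/share/report.docx"),
]
```

Running `run_rule(SAMPLE_EVENTS, NOW)` yields a single alert for alice with three files; bob's older event falls outside the window, which is the same reason a rule whose period is shorter than its frequency can miss events in Sentinel.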

In the final step, we’ll choose an automated response. Automated responses are implemented with Playbooks in Azure Sentinel. A Playbook can contain almost any response using Azure Logic Apps.

Response automation with playbooks in Azure Sentinel

Security information and event management (SIEM) and Security Operations Center (SOC) teams are typically inundated with security alerts and incidents on a regular basis, at volumes so large that available personnel are overwhelmed. This results in situations where many alerts are ignored and many incidents aren't investigated, leaving the organization vulnerable to attacks that go unnoticed.

Many, if not most, of these alerts and incidents conform to recurring patterns that can be addressed by specific and defined sets of remediation actions.

A playbook is a collection of these remediation actions that can be run from Azure Sentinel as a routine. A playbook can help automate and orchestrate your threat response in the event of ransomware detection. It can be run manually or set to run automatically in response to specific alerts or incidents, when triggered by an analytics rule or an automation rule, respectively.

Playbooks are created and applied at the subscription level, but the playbooks tab displays all the playbooks available across any selected subscriptions.

The concept of Logic Apps is beyond the scope of this article. But it is important to understand that you can run any kind of code from a playbook with a Logic Apps response to an alert or incident.

As an example, a very basic playbook would use a pre-built connector to connect to an SMTP server and send an email in response to an incident. The next figure is a screenshot from the Logic App Designer showing how such a basic Logic App is designed.

ransomware detection automated response

A typical automated response for a security event on a Qumulo file system would, for example, perform one or more of the following actions:

  • Automatically assign an incident to an administrator or security analyst
  • Send out email or SMS alerts to administrators or even the affected user(s)
  • Create a ticket in ServiceNow
  • Connect to the relevant Qumulo cluster and delete related files immediately or put them into quarantine
  • Set a Qumulo share to read only or block access for a certain user or client
  • Connect to the firewall and block certain IP addresses
  • Connect to Active Directory and block a user

To learn more about playbooks and Logic Apps, please visit Automate threat response with playbooks in Azure Sentinel.

Additionally, we encourage you to read our complete threat hunting white paper for a deeper dive into ransomware detection methods and workflows with Qumulo Audit and Azure Sentinel.

Implementing a holistic ransomware detection and prevention strategy

In this ransomware detection series, we discussed threat hunting with Azure Sentinel for Qumulo clusters. Regardless of whether you run an on-premises Qumulo cluster, Qumulo SaaS in Azure or Qumulo in other clouds, Azure Sentinel is one of the leading SIEM and SOAR platforms for data-driven enterprises. It can be used to implement a holistic ransomware detection and prevention strategy to protect your data on Qumulo file storage and other critical assets for business continuity and disaster recovery.

Qumulo Recover Q: Disaster recovery solution to help guard against ransomware

Qumulo Audit logs can be used via syslog with any SIEM solution for detection.

We also offer Qumulo Recover Q, a flexible cloud disaster recovery solution that fits into any existing business continuity strategy. Using Recover Q in the cloud can help optimize your company’s spending for business continuity by reducing on-premises costs in favor of an on-demand, cloud-native service. Active protection features help ensure data safety and integrity, while built-in snapshot and cloud replication features add layers of defense against real-world threats that could compromise your data or operations.

Qumulo on Azure as a Service, for instance, includes built-in role-based access control for all users, activity auditing for all users and files, and encryption of data at rest coupled with Azure’s Security services to help you repel external threats. In our video below, you can see how Qumulo on Azure makes cloud file services simple and can help keep your data safe with disaster recovery capabilities including continuous replication, erasure coding, snapshots, and automatic failover.

How Qumulo on Azure Makes Cloud File Services Simple

Find out how Qumulo has simplified cloud file storage with its new as a Service filesystem on Azure.

Further Reading

Take a look at our two white papers (below) to learn more about ransomware detection with Qumulo audit data and SIEM platforms, and the built-in data services (Qumulo Protect and Qumulo Secure) that come standard with your Qumulo software subscription.
