New resubmit of version 3.0.1 #11615
Open
+916
−613
Changes:
Added six new analytic rule templates to the CTERA Sentinel Solution:
RansomwareUserBlocked.yaml: Detects malicious users blocked by the CTERA Ransom Protect AI engine.
RansomwareDetected.yaml: Identifies ransomware attacks detected by the CTERA Ransom Protect AI engine.
MassDeletions.yaml: Monitors and flags mass file deletion events.
MassPermissionsChange.yaml: Detects large-scale permissions changes in files or folders.
MassAccessDenied.yaml: Flags excessive access denied events.
InfectedFileDetected.yaml: Detects infected files identified by the CTERA platform.
Updated createUiDefinition.json to reflect the addition of six analytic rules in the solution description and configuration steps.
Refined analytics rule descriptions for clarity and accuracy.
Reason for Change(s):
To enhance the CTERA Sentinel Solution with additional analytic capabilities, covering diverse scenarios such as ransomware detection, user blocking, mass file operations, and file infections.
Ensures alignment with Microsoft Sentinel best practices for analytic rules and solution design.
Version Updated:
Yes
Updated the version field for all six analytic rules to reflect the changes in this submission.
Testing Completed:
Tested all YAML files in a standalone Microsoft Sentinel environment without custom parsers or dependencies.
Validated successful execution of analytic rules, ensuring accurate detection and alert generation.
Tested createUiDefinition.json updates in the deployment interface for correct rendering and functionality.
Validations:
Ensured all validations are passing.
Addressed any flagged issues during local testing and validation.
Additional Notes:
Contributions adhere to Microsoft Sentinel guidelines for analytic rule structure and functionality.
Assistance is available if any further refinements are required.
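For readers unfamiliar with the template layout the six rule files in this PR follow, here is a skeleton scheduled analytic rule in the Sentinel content-repo format, added as an illustration only (it is not one of the PR's own YAML files). The rule id, connector id, table name and column names are placeholders, not the CTERA connector's real schema; the deletion threshold is a constructed value.

```yaml
# Added example: a scheduled analytic rule template in the layout the
# Microsoft Sentinel content repository expects. Table, connector and
# column names are hypothetical placeholders, not the CTERA connector's schema.
id: 00000000-0000-0000-0000-000000000000   # placeholder; every template needs its own unique GUID
name: Mass File Deletions (illustrative template)
description: |
  'Flags a user who deletes an unusually large number of files within a short
  window, which can indicate ransomware staging or destructive insider activity.'
severity: High
requiredDataConnectors:
  - connectorId: PlaceholderCTERAConnector   # hypothetical connector id
    dataTypes:
      - PlaceholderCTERAAudit_CL             # hypothetical custom log table
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0     # the query already applies its own threshold, so any row alerts
tactics:
  - Impact
relevantTechniques:
  - T1485               # Data Destruction
query: |
  let threshold = 100;  // constructed value: deletions per user per 5-minute window; tune per environment
  PlaceholderCTERAAudit_CL
  | where TimeGenerated >= ago(5m)
  | where Action_s == "Delete"        // hypothetical column holding the audited operation
  | summarize DeletionCount = count(),
              FirstSeen = min(TimeGenerated),
              LastSeen = max(TimeGenerated),
              SamplePaths = make_set(FilePath_s, 10)   // keep a few paths for triage context
            by UserName_s, SourceIP_s
  | where DeletionCount > threshold
  | extend AccountCustomEntity = UserName_s, IPCustomEntity = SourceIP_s
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
version: 1.0.0          # bump this field, as the PR does, whenever the template changes
kind: Scheduled
```

Keeping the detection logic in the query (the `threshold` constant) and leaving `triggerThreshold` at 0 keeps the tuning knob in one place, which is the usual pattern in the repo's rule templates.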