This is the final story in our 4-part Ransomware Detection series in which we explore how to analyze and protect your Qumulo data with Azure Sentinel. In parts 1, 2, and 3 we examined how to detect ransomware access patterns, outlined two more methods to detect ransomware with data correlation, and then offered an overview for detecting ransomware using external Threat Intelligence data to support data correlation. In our final entry in this series, we’ll show how to automate these detection queries in Azure Sentinel for proactive data security.
Previously in this series, we’ve written about how to run queries to detect ransomware and other suspicious activities. Now we’ll start to automate the ransomware detection process.
In this article, we are using analytics rules to run queries in Azure Sentinel. To do this, take the following steps:
- Fire the queries up periodically, for example every 5 minutes, to analyze and correlate data that came in during the previous 5-minute period.
- In case of a positive match(es), we create one or more incidents in Azure Sentinel and optionally assign them to an admin or data security analyst, send out alerts, and more.
- We can trigger automated responses with Playbooks based on alerts or incidents. Playbooks can include almost any serverless code that is launched as an Azure function.
How to create analytics rules to run queries in Azure Sentinel and detect ransomware threats
The following flowchart illustrates what we are implementing with analytics rules.
As a reminder, here is the query that we used to filter against our blacklist:
let timerange = 10min;
let blacklist = externaldata (FileExt: string) [h"https://sradtkeloganalytics.blob.core.windows.net/tables/unwanted_file_extensions.csv?sv=2020-04-08&st=2021-05-18T17%3A33%3A45Z&se=2025-12-31T18%3A33%3A00Z&sr=b&sp=r&sig=k3gHLkq7ip4sEDLmrVw3eDrjafEpvjzZG8zA7k6bkGU%3D"] with (ignoreFirstRecord=true);
| where EventTime >= ago(timerange)
| where FileExt1 in (blacklist)
Now let's create an analytics rule in Azure Sentinel, so that this query runs every 10 minutes.
In Azure Sentinel, select your Workspace > Analytics > Create > Schedule query rule. Then you enter the rule details such as the Name, Description and the Severity (you can ignore the tactics category at this point). You can compare the following screenshot with your analytics rules.
In the next step you enter the query and the scheduling details such as the interval and whether you want to group potential events together into a single alert.
Then you then decide whether an incident is being created automatically for alerts.
Response automation with playbooks in Azure Sentinel
Security information and event management (SIEM) and Security Operations Center (SOC) teams are typically inundated with security alerts and incidents on a regular basis, at volumes so large that available personnel are overwhelmed. This results in situations where many alerts are ignored and many incidents aren't investigated, leaving the organization vulnerable to attacks that go unnoticed.
Many, if not most, of these alerts and incidents conform to recurring patterns that can be addressed by specific and defined sets of remediation actions.
A playbook is a collection of these remediation actions that can be run from Azure Sentinel as a routine. A playbook can help automate and orchestrate your threat response in the event of ransomware detection. It can be run manually or set to run automatically in response to specific alerts or incidents, when triggered by an analytics rule or an automation rule, respectively.
Playbooks are created and applied at the subscription level, but the playbooks tab displays all the playbooks available across any selected subscriptions.
The concept of Logic Apps is beyond the scope of this article. But it is important to understand that you can run any kind of code from a playbook with a Logic Apps response to an alert or incident.
As an example, a very basic playbook would use a pre-built connector to connect to an SMTP server to fire up email as a response to an incident. The next figure is a screenshot from the Logic App designer, so that you can see how to design a basic Logic App in the Logic App Designer.
A typical automated response for a security event on a Qumulo file system would, for example, perform one or more of the following actions:
- Automatically assign an incident to an administrator or security analyst
- Send out email or SMS alerts to administrators or even the affected user(s)
- Create a ticket in ServiceNow
- Connect to the relevant Qumulo cluster and delete related files immediately or put them into quarantine
- Set a Qumulo share to read only or block access for a certain user or client
- Connect to the firewall and block certain IP addresses
- Connect to Active Directory and block a user
To learn more about playbooks and Logic Apps, please visit Automate threat response with playbooks in Azure Sentinel.
Additionally, we encourage you to read our complete threat hunting white paper for a deeper dive into ransomware detection methods and workflows with Qumulo Audit and Azure Sentinel.
Implementing a holistic ransomware detection and prevention strategy
In this ransomware detection series, we discussed Threat Hunting with Azure Sentinel for Qumulo clusters. Regardless of whether you run an on-premise Qumulo cluster, Qumulo SaaS in Azure or Qumulo in other clouds, Azure Sentinel is one of the leading SIEM and SOAR platforms for data-driven enterprises. It can be used to implement a holistic ransomware detection and prevention strategy to protect your data on Qumulo file storage and other critical assets for business continuity and disaster recovery.
Qumulo Recover Q: Disaster recovery solution to help guard against ransomware
Qumulo Audit logs can be used via syslog with any SIEM solution for detection.
We also offer Qumulo Recover Q—a flexible cloud disaster recovery solution that fits into any existing business continuity strategy. Using Recover Q in the cloud can help optimize your company’s spending for business continuity by reducing on-premises costs in favor of an on demand, cloud-native service. Active protection features help ensure data safety and integrity, while built-in snapshot and cloud replication features add layers of defense against real-world threats that could compromise your data or operations.
Qumulo on Azure as a Service, for instance, includes built-in role-based access control for all users, activity auditing for all users and files, and encryption of data at rest coupled with Azure’s Security services to help you repel external threats. In our video below, you can see how Qumulo on Azure makes cloud file services simple and can help keep your data safe with disaster recovery capabilities including continuous replication, erasure coding, snapshots, and automatic failover.
How Qumulo on Azure Makes Cloud File Services Simple
Find out how Qumulo has simplified cloud file storage with its new as a Service filesystem on Azure.Watch video
Take a look at our two white papers (below) to learn more about ransomware detection with Qumulo audit data and SIEM platforms, and the built-in data services (Qumulo Protect and Qumulo Secure) that come standard with your Qumulo software subscription.
- Security Architecture and Best Practices to Counter Malware
- Threat Hunting with Qumulo Audit and Azure Sentinel
Like what you see?
Dr. Stefan Radtke, Field CTO EMEA, has spent his career working in technology and is the principal evangelist of universal-scale storage for Qumulo. He started as employee #1 in EMEA in 2017 as Technical Director where he built a fantastic multi-national technical team. Recently he took over the role of the Field CTO and he is now focusing on building a strong technical team for Cloud Q. He’s a certified AWS Solution Architect Professional and Azure Solution Architect Expert.