Using CTERA Sentinel


Accessing and Enabling CTERA Sentinel Tools

  1. In Microsoft Azure, access Microsoft Sentinel and select the required Log Analytics Workspace.
  2. The Overview (Preview) screen is displayed.
    From here, you can access, view and manage:
    • Workbooks
    • Analytics
    • Hunting

Enabling the CTERA Workbook

Workbooks enable you to visualize and monitor your data to know what’s happening across all your connected data sources.

To enable the CTERA Sentinel Workbook:

  1. In Microsoft Sentinel, select the required Log Analytics Workspace.
    The Overview (Preview) screen is displayed.
  2. Select Workbooks.
    The Workbook screen is displayed.
  3. Click Templates to view CTERA Workbook templates.
    A list of templates is displayed.
  4. Select CTERA Audit Logs Ingestion.
    This workbook provides an overview of CTERA log ingestion and operations, offering insights into various activities and potential security incidents.
  5. Click Save and then select the location where you want to save the workbook.

Enabling Analytics Rules

To enable Analytics rules:

  1. In Microsoft Sentinel, select the required Log Analytics Workspace.
    The Overview (Preview) screen is displayed.
  2. Select Analytics listed under Configuration.
    The Analytics screen is displayed, showing active rules, templates, and anomalies.
  3. Click Rule templates.
    A list of analytics rules is displayed.
    Note

    Analytics rules in CTERA Sentinel:

    • Ransomware Detection
    • Ransomware User Blocked
    • Ransom Mass Access Denied Detection
    • Ransom Mass Deletions Detection
    • Ransom Mass Permission Changes Detection
    • Antivirus Detected an Infected File
  4. Search for CTERA in the search box of the Analytics Rule Templates.
    An Analytics rule wizard screen is displayed that enables you to create a new scheduled rule.
  5. Complete the fields as follows:
    Severity – Select High, Medium, Low, or Informational.
    MITRE ATT&CK – Leave the default.
    Status – Leave the Enabled default.
  6. Click Next: Set rule logic.
    Options to define the logic for your new analytics rule are displayed.
  7. Click Next: Incident settings.
    An Incident settings screen is displayed with the following options:
    Incident settings – Enables creating incidents from alerts.
    Alert groupings – Enables grouping related alerts.
  8. Click Next: Automated response.
    The Automation rules screen is displayed, where you can view all existing automation rules and create new ones.
  9. Click Next: Review + Create and then Save.
    The analytics rule is now enabled and active.
  10. Repeat the same steps to enable the Ransom Protect User Blocked rule.
Note

Analytics rules can be edited.

To edit active Analytics rules:

  1. Click Active rules.
  2. Select the relevant analytics rule and click Edit.

Screens are displayed with options to enable editing in each of the steps where analytics rule details were previously defined.

Enabling Hunting

Hunting enables the active search for unusual behaviors or threats across your environment by running specific queries.

To run a hunt:

  1. In Microsoft Sentinel, select the required Log Analytics Workspace.
    The Overview (Preview) screen is displayed.
  2. Select Hunting listed under Threat management.
    The Hunting screen is displayed.
  3. Click Queries.
    A list of hunting queries is displayed.
    These include the following hunts, which are currently in CTERA Sentinel:
    CTERA Access Denied Detection – Tracks when a large number of access attempts are being blocked.
    CTERA Batch Permission Changes Detection – Monitors for unusual modifications to file and folder permissions.
    CTERA Batch Deletions Detection – Scans for large-scale file deletions that could signal a problem.
  4. Select the relevant hunt queries and click Run selected queries.
  5. To view query results, select one hunting query at a time and click View results.
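The three hunts listed above share one shape: count a user's matching audit events inside a sliding time window and flag the user when the count crosses a threshold. The following is an added Python illustration of that logic run over a constructed set of audit events; it is not CTERA's or Microsoft's code, and the field names, action names, thresholds and sample events are assumptions rather than the real CTERA audit log schema (in Sentinel the equivalent logic is expressed as a KQL hunting query).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (assumed schema, not the CTERA log format):
# (timestamp, user, action, outcome, path)
def sample_events():
    ev = []
    # alice: 6 successful deletions within 50 seconds -> mass deletion
    ev += [(f"2024-01-10T09:00:{i*10:02d}", "alice", "delete", "success", f"/share/docs/a{i}.txt") for i in range(6)]
    # bob: 4 blocked reads within 15 seconds -> access denied burst
    ev += [(f"2024-01-10T09:10:{i*5:02d}", "bob", "read", "denied", f"/share/hr/{i}.xlsx") for i in range(4)]
    # carol: only 2 permission changes -> below threshold
    ev += [(f"2024-01-10T09:20:{i*10:02d}", "carol", "set_acl", "success", f"/share/proj/{i}") for i in range(2)]
    # dave: 6 deletions spread 10 minutes apart -> never 5 inside one 5-minute window
    ev += [(f"2024-01-10T10:{i*10:02d}:00", "dave", "delete", "success", f"/share/tmp/d{i}.log") for i in range(6)]
    return ev

# Illustrative thresholds (assumptions); action=None matches any action.
RULES = {
    "CTERA Batch Deletions Detection": {"action": "delete", "outcome": "success", "threshold": 5},
    "CTERA Batch Permission Changes Detection": {"action": "set_acl", "outcome": "success", "threshold": 3},
    "CTERA Access Denied Detection": {"action": None, "outcome": "denied", "threshold": 4},
}

def hunt(events, window=timedelta(minutes=5), rules=RULES):
    """Return {rule_name: {user: peak_count}} for every user whose matching
    events reach the rule threshold inside some window of length `window`."""
    findings = defaultdict(dict)
    for name, rule in rules.items():
        per_user = defaultdict(list)
        for ts, user, action, outcome, _path in events:
            if (rule["action"] is None or action == rule["action"]) and outcome == rule["outcome"]:
                per_user[user].append(datetime.fromisoformat(ts))
        for user, times in per_user.items():
            times.sort()
            start, peak = 0, 0
            # Sliding window: advance `start` until the span fits inside `window`.
            for end in range(len(times)):
                while times[end] - times[start] > window:
                    start += 1
                peak = max(peak, end - start + 1)
            if peak >= rule["threshold"]:
                findings[name][user] = peak
    return dict(findings)

if __name__ == "__main__":
    for rule, users in hunt(sample_events()).items():
        print(rule, users)
```

The window length and thresholds are what tune the hunt: widening the window on dave's slow deletions would eventually flag him too, which is the trade-off between catching low-and-slow activity and generating noise.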

To enable a hunt to run automatically:

  1. In Microsoft Sentinel, select the required Log Analytics Workspace.
    The Overview (Preview) screen is displayed.
  2. Select Hunting listed under Threat management.
    The Hunting screen is displayed.
  3. Click Queries.
    The list of hunting queries is displayed.
  4. Either click the blue star next to the hunt or right-click the hunt and select Favorite.
  5. Specify the time range that the query will run.
  6. Click Run.
Note

Hunts are based on the latest data received while logged on.