Alert on ransomware attack detected by Endpoint Security

This topic describes an automation that alerts when a ransomware attack is detected and outlines supported products, parameters, triggers, and workflow.

The automation notifies upon detection of ransomware attack. The notification includes information on the number of events and number of affected devices. Automation parameters can be set such as the affected devices threshold and total events threshold.

Supported Product

Endpoint Security

Parameters

Count events in time duration

Set the duration of time in which to count the events.

Threshold (minimum number of events)

Set the minimum number of events for the automation to be triggered.

Threshold (minimum number of devices)

Set the minimum number of devices affected for the automation to be triggered.

Severity (Minimum)

Set the minimum severity.

Attack Status

Set the attack status.

Notification profile

Set the notification profile.

Trigger

When a ransomware attack is detected by Endpoint Security.

To view the example of this log, click ../running-automation/running-the-automation.dita.

Flow