Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Contrast Probes

Contrast Probes

Back
Id297596de-d9ae-4fb8-b6ff-00fc01c9462d
RulenameContrast Probes
DescriptionCreates Incidents for Probed events sourced from the Contrast Protect agent.
SeverityInformational
TacticsInitialAccess
Exfiltration
TechniquesT1566
Required data connectorsCefAma
ContrastProtect
ContrastProtectAma
KindScheduled
Query frequency5m
Query period5m
Trigger threshold10
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastProbes.yaml
Version1.0.2
Arm template297596de-d9ae-4fb8-b6ff-00fc01c9462d.json
Deploy To Azure
let extract_data=(a:string, k:string) {
  parse_urlquery(replace(@';', @'&', a))["Query Parameters"][k]
};

CommonSecurityLog 
| where DeviceVendor == "Contrast Security"
| where AdditionalExtensions contains "PROBED" or AdditionalExtensions contains "INEFFECTIVE"
| extend DeviceProduct
| extend SourceIP
| extend DeviceVersion
| extend Activity
| extend ApplicationProtocol
| extend RequestURL
| extend RequestMethod
| extend Rule = extract_data(AdditionalExtensions, 'pri')

description: |
    'Creates Incidents for Probed events sourced from the Contrast Protect agent.'
version: 1.0.2
triggerThreshold: 10
tactics:
- InitialAccess
- Exfiltration
queryPeriod: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastProbes.yaml
entityMappings:
- fieldMappings:
  - columnName: SourceIP
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: RequestURL
    identifier: Url
  entityType: URL
- fieldMappings:
  - columnName: ApplicationProtocol
    identifier: Name
  entityType: CloudApplication
- fieldMappings:
  - columnName: Activity
    identifier: Name
  - columnName: Rule
    identifier: Category
  entityType: Malware
triggerOperator: gt
status: Available
id: 297596de-d9ae-4fb8-b6ff-00fc01c9462d
name: Contrast Probes
queryFrequency: 5m
severity: Informational
kind: Scheduled
customDetails:
  Details: AdditionalExtensions
  AgentVersion: DeviceVersion
  Agent: DeviceProduct
  Attack: Activity
  Application: ApplicationProtocol
relevantTechniques:
- T1566
query: |
  let extract_data=(a:string, k:string) {
    parse_urlquery(replace(@';', @'&', a))["Query Parameters"][k]
  };

  CommonSecurityLog 
  | where DeviceVendor == "Contrast Security"
  | where AdditionalExtensions contains "PROBED" or AdditionalExtensions contains "INEFFECTIVE"
  | extend DeviceProduct
  | extend SourceIP
  | extend DeviceVersion
  | extend Activity
  | extend ApplicationProtocol
  | extend RequestURL
  | extend RequestMethod
  | extend Rule = extract_data(AdditionalExtensions, 'pri')  
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: ContrastProtect
- dataTypes:
  - CommonSecurityLog
  connectorId: ContrastProtectAma
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma