Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Contrast Probes

Back
Id297596de-d9ae-4fb8-b6ff-00fc01c9462d
RulenameContrast Probes
DescriptionCreates Incidents for Probed events sourced from the Contrast Protect agent.
SeverityInformational
TacticsInitialAccess
Exfiltration
TechniquesT1566
Required data connectorsContrastProtect
ContrastProtectAma
KindScheduled
Query frequency5m
Query period5m
Trigger threshold10
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastProbes.yaml
Version1.0.1
Arm template297596de-d9ae-4fb8-b6ff-00fc01c9462d.json
Deploy To Azure
let extract_data=(a:string, k:string) {
  parse_urlquery(replace(@';', @'&', a))["Query Parameters"][k]
};

CommonSecurityLog 
| where DeviceVendor == "Contrast Security"
| where AdditionalExtensions contains "PROBED" or AdditionalExtensions contains "INEFFECTIVE"
| extend DeviceProduct
| extend SourceIP
| extend DeviceVersion
| extend Activity
| extend ApplicationProtocol
| extend RequestURL
| extend RequestMethod
| extend Rule = extract_data(AdditionalExtensions, 'pri')
requiredDataConnectors:
- connectorId: ContrastProtect
  dataTypes:
  - CommonSecurityLog
- connectorId: ContrastProtectAma
  dataTypes:
  - CommonSecurityLog
triggerOperator: gt
queryFrequency: 5m
name: Contrast Probes
queryPeriod: 5m
id: 297596de-d9ae-4fb8-b6ff-00fc01c9462d
description: |
    'Creates Incidents for Probed events sourced from the Contrast Protect agent.'
severity: Informational
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastProbes.yaml
query: |
  let extract_data=(a:string, k:string) {
    parse_urlquery(replace(@';', @'&', a))["Query Parameters"][k]
  };

  CommonSecurityLog 
  | where DeviceVendor == "Contrast Security"
  | where AdditionalExtensions contains "PROBED" or AdditionalExtensions contains "INEFFECTIVE"
  | extend DeviceProduct
  | extend SourceIP
  | extend DeviceVersion
  | extend Activity
  | extend ApplicationProtocol
  | extend RequestURL
  | extend RequestMethod
  | extend Rule = extract_data(AdditionalExtensions, 'pri')  
triggerThreshold: 10
version: 1.0.1
kind: Scheduled
customDetails:
  Attack: Activity
  Application: ApplicationProtocol
  Details: AdditionalExtensions
  Agent: DeviceProduct
  AgentVersion: DeviceVersion
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIP
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: RequestURL
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: ApplicationProtocol
- entityType: Malware
  fieldMappings:
  - identifier: Name
    columnName: Activity
  - identifier: Category
    columnName: Rule
relevantTechniques:
- T1566
tactics:
- InitialAccess
- Exfiltration
status: Available
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/297596de-d9ae-4fb8-b6ff-00fc01c9462d')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/297596de-d9ae-4fb8-b6ff-00fc01c9462d')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Contrast Probes",
        "description": "'Creates Incidents for Probed events sourced from the Contrast Protect agent.'\n",
        "severity": "Informational",
        "enabled": true,
        "query": "let extract_data=(a:string, k:string) {\n  parse_urlquery(replace(@';', @'&', a))[\"Query Parameters\"][k]\n};\n\nCommonSecurityLog \n| where DeviceVendor == \"Contrast Security\"\n| where AdditionalExtensions contains \"PROBED\" or AdditionalExtensions contains \"INEFFECTIVE\"\n| extend DeviceProduct\n| extend SourceIP\n| extend DeviceVersion\n| extend Activity\n| extend ApplicationProtocol\n| extend RequestURL\n| extend RequestMethod\n| extend Rule = extract_data(AdditionalExtensions, 'pri')\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 10,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "Exfiltration"
        ],
        "techniques": [
          "T1566"
        ],
        "alertRuleTemplateName": "297596de-d9ae-4fb8-b6ff-00fc01c9462d",
        "customDetails": {
          "AgentVersion": "DeviceVersion",
          "Application": "ApplicationProtocol",
          "Details": "AdditionalExtensions",
          "Agent": "DeviceProduct",
          "Attack": "Activity"
        },
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "SourceIP"
              }
            ],
            "entityType": "IP"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Url",
                "columnName": "RequestURL"
              }
            ],
            "entityType": "URL"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "ApplicationProtocol"
              }
            ],
            "entityType": "CloudApplication"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "Activity"
              },
              {
                "identifier": "Category",
                "columnName": "Rule"
              }
            ],
            "entityType": "Malware"
          }
        ],
        "templateVersion": "1.0.1",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastProbes.yaml",
        "status": "Available"
      }
    }
  ]
}