Contrast Probes

Back


Id	297596de-d9ae-4fb8-b6ff-00fc01c9462d
Rulename	Contrast Probes
Description	Creates Incidents for Probed events sourced from the Contrast Protect agent.
Severity	Informational
Tactics	InitialAccess Exfiltration
Techniques	T1566
Required data connectors	CefAma ContrastProtect ContrastProtectAma
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	10
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastProbes.yaml
Version	1.0.2
Arm template	297596de-d9ae-4fb8-b6ff-00fc01c9462d.json

KQL

let extract_data=(a:string, k:string) {
  parse_urlquery(replace(@';', @'&', a))["Query Parameters"][k]
};

CommonSecurityLog 
| where DeviceVendor == "Contrast Security"
| where AdditionalExtensions contains "PROBED" or AdditionalExtensions contains "INEFFECTIVE"
| extend DeviceProduct
| extend SourceIP
| extend DeviceVersion
| extend Activity
| extend ApplicationProtocol
| extend RequestURL
| extend RequestMethod
| extend Rule = extract_data(AdditionalExtensions, 'pri')

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastProbes.yaml
queryPeriod: 5m
description: |
    'Creates Incidents for Probed events sourced from the Contrast Protect agent.'
triggerThreshold: 10
name: Contrast Probes
triggerOperator: gt
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIP
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: RequestURL
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: ApplicationProtocol
- entityType: Malware
  fieldMappings:
  - identifier: Name
    columnName: Activity
  - identifier: Category
    columnName: Rule
kind: Scheduled
requiredDataConnectors:
- connectorId: ContrastProtect
  dataTypes:
  - CommonSecurityLog
- connectorId: ContrastProtectAma
  dataTypes:
  - CommonSecurityLog
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
customDetails:
  Attack: Activity
  Agent: DeviceProduct
  Application: ApplicationProtocol
  Details: AdditionalExtensions
  AgentVersion: DeviceVersion
queryFrequency: 5m
tactics:
- InitialAccess
- Exfiltration
id: 297596de-d9ae-4fb8-b6ff-00fc01c9462d
status: Available
version: 1.0.2
query: |
  let extract_data=(a:string, k:string) {
    parse_urlquery(replace(@';', @'&', a))["Query Parameters"][k]
  };

  CommonSecurityLog 
  | where DeviceVendor == "Contrast Security"
  | where AdditionalExtensions contains "PROBED" or AdditionalExtensions contains "INEFFECTIVE"
  | extend DeviceProduct
  | extend SourceIP
  | extend DeviceVersion
  | extend Activity
  | extend ApplicationProtocol
  | extend RequestURL
  | extend RequestMethod
  | extend Rule = extract_data(AdditionalExtensions, 'pri')  
severity: Informational
relevantTechniques:
- T1566

ARM