Contrast Probes

Back


Id	297596de-d9ae-4fb8-b6ff-00fc01c9462d
Rulename	Contrast Probes
Description	Creates Incidents for Probed events sourced from the Contrast Protect agent.
Severity	Informational
Tactics	InitialAccess Exfiltration
Techniques	T1566
Required data connectors	ContrastProtect
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	10
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastProbes.yaml
Version	1.0.0
Arm template	297596de-d9ae-4fb8-b6ff-00fc01c9462d.json

KQL

let extract_data=(a:string, k:string) {
  parse_urlquery(replace(@';', @'&', a))["Query Parameters"][k]
};

CommonSecurityLog 
| where DeviceVendor == "Contrast Security"
| where AdditionalExtensions contains "PROBED" or AdditionalExtensions contains "INEFFECTIVE"
| extend DeviceProduct
| extend SourceIP
| extend DeviceVersion
| extend Activity
| extend ApplicationProtocol
| extend RequestURL
| extend RequestMethod
| extend Rule = extract_data(AdditionalExtensions, 'pri')

YAML

queryPeriod: 5m
version: 1.0.0
customDetails:
  Application: ApplicationProtocol
  Details: AdditionalExtensions
  Attack: Activity
  AgentVersion: DeviceVersion
  Agent: DeviceProduct
relevantTechniques:
- T1566
queryFrequency: 5m
kind: Scheduled
name: Contrast Probes
id: 297596de-d9ae-4fb8-b6ff-00fc01c9462d
entityMappings:
- fieldMappings:
  - columnName: SourceIP
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: RequestURL
    identifier: Url
  entityType: URL
- fieldMappings:
  - columnName: ApplicationProtocol
    identifier: Name
  entityType: CloudApplication
- fieldMappings:
  - columnName: Activity
    identifier: Name
  - columnName: Rule
    identifier: Category
  entityType: Malware
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastProbes.yaml
severity: Informational
query: |
  let extract_data=(a:string, k:string) {
    parse_urlquery(replace(@';', @'&', a))["Query Parameters"][k]
  };

  CommonSecurityLog 
  | where DeviceVendor == "Contrast Security"
  | where AdditionalExtensions contains "PROBED" or AdditionalExtensions contains "INEFFECTIVE"
  | extend DeviceProduct
  | extend SourceIP
  | extend DeviceVersion
  | extend Activity
  | extend ApplicationProtocol
  | extend RequestURL
  | extend RequestMethod
  | extend Rule = extract_data(AdditionalExtensions, 'pri')  
tactics:
- InitialAccess
- Exfiltration
description: |
    'Creates Incidents for Probed events sourced from the Contrast Protect agent.'
requiredDataConnectors:
- connectorId: ContrastProtect
  dataTypes:
  - CommonSecurityLog
status: Available
triggerThreshold: 10
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/297596de-d9ae-4fb8-b6ff-00fc01c9462d')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/297596de-d9ae-4fb8-b6ff-00fc01c9462d')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Contrast Probes",
        "description": "'Creates Incidents for Probed events sourced from the Contrast Protect agent.'\n",
        "severity": "Informational",
        "enabled": true,
        "query": "let extract_data=(a:string, k:string) {\n  parse_urlquery(replace(@';', @'&', a))[\"Query Parameters\"][k]\n};\n\nCommonSecurityLog \n| where DeviceVendor == \"Contrast Security\"\n| where AdditionalExtensions contains \"PROBED\" or AdditionalExtensions contains \"INEFFECTIVE\"\n| extend DeviceProduct\n| extend SourceIP\n| extend DeviceVersion\n| extend Activity\n| extend ApplicationProtocol\n| extend RequestURL\n| extend RequestMethod\n| extend Rule = extract_data(AdditionalExtensions, 'pri')\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 10,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "Exfiltration"
        ],
        "techniques": [
          "T1566"
        ],
        "alertRuleTemplateName": "297596de-d9ae-4fb8-b6ff-00fc01c9462d",
        "customDetails": {
          "AgentVersion": "DeviceVersion",
          "Attack": "Activity",
          "Details": "AdditionalExtensions",
          "Application": "ApplicationProtocol",
          "Agent": "DeviceProduct"
        },
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "SourceIP"
              }
            ],
            "entityType": "IP"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Url",
                "columnName": "RequestURL"
              }
            ],
            "entityType": "URL"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "ApplicationProtocol"
              }
            ],
            "entityType": "CloudApplication"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "Activity"
              },
              {
                "identifier": "Category",
                "columnName": "Rule"
              }
            ],
            "entityType": "Malware"
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastProbes.yaml"
      }
    }
  ]
}