Contrast ADR - Exploited Attack in Production

Back


Id	31417149-f3a2-4db4-9e5f-85e0a464f6a1
Rulename	Contrast ADR - Exploited Attack in Production
Description	Detects successful exploitation of security vulnerabilities in production environments as identified by Contrast ADR. This rule triggers on confirmed exploited attacks in production systems, requiring immediate incident response and remediation.
Severity	High
Tactics	InitialAccess Execution DefenseEvasion LateralMovement CommandAndControl
Techniques	T1190 T1059 T1055 T1210 T1008
Required data connectors	ContrastADR
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event_in_Production.yaml
Version	1.0.0
Arm template	31417149-f3a2-4db4-9e5f-85e0a464f6a1.json

KQL

ContrastADR_CL
| where result_s =~ "exploited" and environment_s =~ "production"

YAML

triggerOperator: gt
description: |
    'Detects successful exploitation of security vulnerabilities in production environments as identified by Contrast ADR. This rule triggers on confirmed exploited attacks in production systems, requiring immediate incident response and remediation.'
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByEntities:
    - IP
    - Host
    matchingMethod: Selected
    reopenClosedIncident: false
    enabled: true
    lookbackDuration: PT30M
status: Available
requiredDataConnectors:
- dataTypes:
  - ContrastADR_CL
  connectorId: ContrastADR
kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 5m
id: 31417149-f3a2-4db4-9e5f-85e0a464f6a1
query: |
  ContrastADR_CL
  | where result_s =~ "exploited" and environment_s =~ "production"  
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SourceIP
  entityType: IP
- fieldMappings:
  - identifier: HostName
    columnName: host_hostname_s
  entityType: Host
name: Contrast ADR - Exploited Attack in Production
severity: High
alertDetailsOverride:
  alertDisplayNameFormat: '{{result_s}} {{rule_s}} from {{SourceIP}} in Production'
  alertDescriptionFormat: '{{result_s}}  on {{request_headers_referer_s}}  endpoint of {{application_name_s}} '
queryPeriod: 5m
version: 1.0.0
relevantTechniques:
- T1190
- T1059
- T1055
- T1210
- T1008
triggerThreshold: 0
tactics:
- InitialAccess
- Execution
- DefenseEvasion
- LateralMovement
- CommandAndControl
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event_in_Production.yaml

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/31417149-f3a2-4db4-9e5f-85e0a464f6a1')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/31417149-f3a2-4db4-9e5f-85e0a464f6a1')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{result_s}}  on {{request_headers_referer_s}}  endpoint of {{application_name_s}} ",
          "alertDisplayNameFormat": "{{result_s}} {{rule_s}} from {{SourceIP}} in Production"
        },
        "alertRuleTemplateName": "31417149-f3a2-4db4-9e5f-85e0a464f6a1",
        "customDetails": null,
        "description": "'Detects successful exploitation of security vulnerabilities in production environments as identified by Contrast ADR. This rule triggers on confirmed exploited attacks in production systems, requiring immediate incident response and remediation.'\n",
        "displayName": "Contrast ADR - Exploited Attack in Production",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "host_hostname_s",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByEntities": [
              "IP",
              "Host"
            ],
            "lookbackDuration": "PT30M",
            "matchingMethod": "Selected",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event_in_Production.yaml",
        "query": "ContrastADR_CL\n| where result_s =~ \"exploited\" and environment_s =~ \"production\"\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "DefenseEvasion",
          "Execution",
          "InitialAccess",
          "LateralMovement"
        ],
        "techniques": [
          "T1008",
          "T1055",
          "T1059",
          "T1190",
          "T1210"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}