Contrast ADR - Exploited Attack in Production
| Id | 31417149-f3a2-4db4-9e5f-85e0a464f6a1 |
| Rulename | Contrast ADR - Exploited Attack in Production |
| Description | Detects successful exploitation of security vulnerabilities in production environments as identified by Contrast ADR. This rule triggers on confirmed exploited attacks in production systems, requiring immediate incident response and remediation. |
| Severity | High |
| Tactics | InitialAccess Execution DefenseEvasion LateralMovement CommandAndControl |
| Techniques | T1190 T1059 T1055 T1210 T1008 |
| Required data connectors | ContrastADR |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event_in_Production.yaml |
| Version | 1.0.0 |
| Arm template | 31417149-f3a2-4db4-9e5f-85e0a464f6a1.json |
ContrastADR_CL
| where result_s =~ "exploited" and environment_s =~ "production"
name: Contrast ADR - Exploited Attack in Production
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event_in_Production.yaml
queryPeriod: 5m
version: 1.0.0
severity: High
id: 31417149-f3a2-4db4-9e5f-85e0a464f6a1
triggerOperator: gt
triggerThreshold: 0
kind: Scheduled
incidentConfiguration:
createIncident: true
groupingConfiguration:
reopenClosedIncident: false
groupByEntities:
- IP
- Host
lookbackDuration: PT30M
enabled: true
matchingMethod: Selected
requiredDataConnectors:
- dataTypes:
- ContrastADR_CL
connectorId: ContrastADR
eventGroupingSettings:
aggregationKind: AlertPerResult
relevantTechniques:
- T1190
- T1059
- T1055
- T1210
- T1008
description: |
'Detects successful exploitation of security vulnerabilities in production environments as identified by Contrast ADR. This rule triggers on confirmed exploited attacks in production systems, requiring immediate incident response and remediation.'
alertDetailsOverride:
alertDescriptionFormat: '{{result_s}} on {{request_headers_referer_s}} endpoint of {{application_name_s}} '
alertDisplayNameFormat: '{{result_s}} {{rule_s}} from {{SourceIP}} in Production'
query: |
ContrastADR_CL
| where result_s =~ "exploited" and environment_s =~ "production"
tactics:
- InitialAccess
- Execution
- DefenseEvasion
- LateralMovement
- CommandAndControl
entityMappings:
- entityType: IP
fieldMappings:
- columnName: SourceIP
identifier: Address
- entityType: Host
fieldMappings:
- columnName: host_hostname_s
identifier: HostName
status: Available
queryFrequency: 5m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/31417149-f3a2-4db4-9e5f-85e0a464f6a1')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/31417149-f3a2-4db4-9e5f-85e0a464f6a1')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{result_s}} on {{request_headers_referer_s}} endpoint of {{application_name_s}} ",
"alertDisplayNameFormat": "{{result_s}} {{rule_s}} from {{SourceIP}} in Production"
},
"alertRuleTemplateName": "31417149-f3a2-4db4-9e5f-85e0a464f6a1",
"customDetails": null,
"description": "'Detects successful exploitation of security vulnerabilities in production environments as identified by Contrast ADR. This rule triggers on confirmed exploited attacks in production systems, requiring immediate incident response and remediation.'\n",
"displayName": "Contrast ADR - Exploited Attack in Production",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIP",
"identifier": "Address"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "host_hostname_s",
"identifier": "HostName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByEntities": [
"IP",
"Host"
],
"lookbackDuration": "PT30M",
"matchingMethod": "Selected",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event_in_Production.yaml",
"query": "ContrastADR_CL\n| where result_s =~ \"exploited\" and environment_s =~ \"production\"\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"DefenseEvasion",
"Execution",
"InitialAccess",
"LateralMovement"
],
"techniques": [
"T1008",
"T1055",
"T1059",
"T1190",
"T1210"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}