Contrast ADR - Exploited Attack in Production
| Id | 31417149-f3a2-4db4-9e5f-85e0a464f6a1 |
| Rulename | Contrast ADR - Exploited Attack in Production |
| Description | Detects successful exploitation of security vulnerabilities in production environments as identified by Contrast ADR. This rule triggers on confirmed exploited attacks in production systems, requiring immediate incident response and remediation. |
| Severity | High |
| Tactics | InitialAccess Execution DefenseEvasion LateralMovement CommandAndControl |
| Techniques | T1190 T1059 T1055 T1210 T1008 |
| Required data connectors | ContrastADR |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event_in_Production.yaml |
| Version | 1.0.0 |
| Arm template | 31417149-f3a2-4db4-9e5f-85e0a464f6a1.json |
ContrastADR_CL
| where result_s =~ "exploited" and environment_s =~ "production"
kind: Scheduled
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride:
alertDisplayNameFormat: '{{result_s}} {{rule_s}} from {{SourceIP}} in Production'
alertDescriptionFormat: '{{result_s}} on {{request_headers_referer_s}} endpoint of {{application_name_s}} '
entityMappings:
- entityType: IP
fieldMappings:
- columnName: SourceIP
identifier: Address
- entityType: Host
fieldMappings:
- columnName: host_hostname_s
identifier: HostName
description: |
'Detects successful exploitation of security vulnerabilities in production environments as identified by Contrast ADR. This rule triggers on confirmed exploited attacks in production systems, requiring immediate incident response and remediation.'
severity: High
queryFrequency: 5m
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
lookbackDuration: PT30M
matchingMethod: Selected
enabled: true
groupByEntities:
- IP
- Host
createIncident: true
triggerThreshold: 0
relevantTechniques:
- T1190
- T1059
- T1055
- T1210
- T1008
status: Available
tactics:
- InitialAccess
- Execution
- DefenseEvasion
- LateralMovement
- CommandAndControl
name: Contrast ADR - Exploited Attack in Production
id: 31417149-f3a2-4db4-9e5f-85e0a464f6a1
query: |
ContrastADR_CL
| where result_s =~ "exploited" and environment_s =~ "production"
requiredDataConnectors:
- dataTypes:
- ContrastADR_CL
connectorId: ContrastADR
version: 1.0.0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event_in_Production.yaml
queryPeriod: 5m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/31417149-f3a2-4db4-9e5f-85e0a464f6a1')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/31417149-f3a2-4db4-9e5f-85e0a464f6a1')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{result_s}} on {{request_headers_referer_s}} endpoint of {{application_name_s}} ",
"alertDisplayNameFormat": "{{result_s}} {{rule_s}} from {{SourceIP}} in Production"
},
"alertRuleTemplateName": "31417149-f3a2-4db4-9e5f-85e0a464f6a1",
"customDetails": null,
"description": "'Detects successful exploitation of security vulnerabilities in production environments as identified by Contrast ADR. This rule triggers on confirmed exploited attacks in production systems, requiring immediate incident response and remediation.'\n",
"displayName": "Contrast ADR - Exploited Attack in Production",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIP",
"identifier": "Address"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "host_hostname_s",
"identifier": "HostName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByEntities": [
"IP",
"Host"
],
"lookbackDuration": "PT30M",
"matchingMethod": "Selected",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event_in_Production.yaml",
"query": "ContrastADR_CL\n| where result_s =~ \"exploited\" and environment_s =~ \"production\"\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"DefenseEvasion",
"Execution",
"InitialAccess",
"LateralMovement"
],
"techniques": [
"T1008",
"T1055",
"T1059",
"T1190",
"T1210"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}