Contrast ADR - Exploited Attack in Production
| Id | 31417149-f3a2-4db4-9e5f-85e0a464f6a1 |
| Rulename | Contrast ADR - Exploited Attack in Production |
| Description | Detects successful exploitation of security vulnerabilities in production environments as identified by Contrast ADR. This rule triggers on confirmed exploited attacks in production systems, requiring immediate incident response and remediation. |
| Severity | High |
| Tactics | InitialAccess Execution DefenseEvasion LateralMovement CommandAndControl |
| Techniques | T1190 T1059 T1055 T1210 T1008 |
| Required data connectors | ContrastADRCCF |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event_in_Production.yaml |
| Version | 1.0.1 |
| Arm template | 31417149-f3a2-4db4-9e5f-85e0a464f6a1.json |
ContrastADRAttackEvents_CL
| where result =~ "exploited" and environment =~ "production"
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: sourceIp
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: host_hostname
tactics:
- InitialAccess
- Execution
- DefenseEvasion
- LateralMovement
- CommandAndControl
requiredDataConnectors:
- dataTypes:
- ContrastADRAttackEvents_CL
connectorId: ContrastADRCCF
alertDetailsOverride:
alertDisplayNameFormat: '{{result}} {{rule}} from {{sourceIp}} in Production'
alertDescriptionFormat: '{{result}} on {{request_headers_referer}} endpoint of {{application_name}} '
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
lookbackDuration: PT30M
groupByEntities:
- IP
- Host
enabled: true
matchingMethod: Selected
createIncident: true
id: 31417149-f3a2-4db4-9e5f-85e0a464f6a1
severity: High
eventGroupingSettings:
aggregationKind: AlertPerResult
status: Available
query: |
ContrastADRAttackEvents_CL
| where result =~ "exploited" and environment =~ "production"
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event_in_Production.yaml
kind: Scheduled
queryPeriod: 5m
version: 1.0.1
name: Contrast ADR - Exploited Attack in Production
queryFrequency: 5m
triggerThreshold: 0
relevantTechniques:
- T1190
- T1059
- T1055
- T1210
- T1008
description: |
'Detects successful exploitation of security vulnerabilities in production environments as identified by Contrast ADR. This rule triggers on confirmed exploited attacks in production systems, requiring immediate incident response and remediation.'
triggerOperator: gt