Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Contrast ADR - Exploited Attack in Production

Contrast ADR - Exploited Attack in Production

Back
Id31417149-f3a2-4db4-9e5f-85e0a464f6a1
RulenameContrast ADR - Exploited Attack in Production
DescriptionDetects successful exploitation of security vulnerabilities in production environments as identified by Contrast ADR. This rule triggers on confirmed exploited attacks in production systems, requiring immediate incident response and remediation.
SeverityHigh
TacticsInitialAccess
Execution
DefenseEvasion
LateralMovement
CommandAndControl
TechniquesT1190
T1059
T1055
T1210
T1008
Required data connectorsContrastADRCCF
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event_in_Production.yaml
Version1.0.1
Arm template31417149-f3a2-4db4-9e5f-85e0a464f6a1.json
Deploy To Azure
ContrastADRAttackEvents_CL
| where result =~ "exploited" and environment =~ "production"

relevantTechniques:
- T1190
- T1059
- T1055
- T1210
- T1008
name: Contrast ADR - Exploited Attack in Production
version: 1.0.1
entityMappings:
- fieldMappings:
  - columnName: sourceIp
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: host_hostname
    identifier: HostName
  entityType: Host
triggerThreshold: 0
alertDetailsOverride:
  alertDisplayNameFormat: '{{result}} {{rule}} from {{sourceIp}} in Production'
  alertDescriptionFormat: '{{result}}  on {{request_headers_referer}}  endpoint of {{application_name}} '
kind: Scheduled
queryFrequency: 5m
description: |
    'Detects successful exploitation of security vulnerabilities in production environments as identified by Contrast ADR. This rule triggers on confirmed exploited attacks in production systems, requiring immediate incident response and remediation.'
queryPeriod: 5m
id: 31417149-f3a2-4db4-9e5f-85e0a464f6a1
requiredDataConnectors:
- connectorId: ContrastADRCCF
  dataTypes:
  - ContrastADRAttackEvents_CL
tactics:
- InitialAccess
- Execution
- DefenseEvasion
- LateralMovement
- CommandAndControl
severity: High
status: Available
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event_in_Production.yaml
query: |
  ContrastADRAttackEvents_CL
  | where result =~ "exploited" and environment =~ "production"  
triggerOperator: gt
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByEntities:
    - IP
    - Host
    reopenClosedIncident: false
    enabled: true
    matchingMethod: Selected
    lookbackDuration: PT30M