Contrast Blocks

Back


Id	4396f8c3-d114-4154-9f4c-048ba522ed04
Rulename	Contrast Blocks
Description	Creates Incidents for Blocked events sourced from the Contrast Protect agent.
Severity	Low
Tactics	InitialAccess Exfiltration
Techniques	T1566
Required data connectors	CefAma ContrastProtect ContrastProtectAma
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastBlocks.yaml
Version	1.0.2
Arm template	4396f8c3-d114-4154-9f4c-048ba522ed04.json

KQL

let extract_data=(a:string, k:string) {
  parse_urlquery(replace(@';', @'&', a))["Query Parameters"][k]
};

CommonSecurityLog 
| where DeviceVendor == "Contrast Security"
| where AdditionalExtensions contains "BLOCKED"
| extend DeviceProduct
| extend SourceIP
| extend DeviceVersion
| extend Activity
| extend ApplicationProtocol
| extend RequestURL
| extend RequestMethod
| extend Rule = extract_data(AdditionalExtensions, 'pri')

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastBlocks.yaml
query: |
  let extract_data=(a:string, k:string) {
    parse_urlquery(replace(@';', @'&', a))["Query Parameters"][k]
  };

  CommonSecurityLog 
  | where DeviceVendor == "Contrast Security"
  | where AdditionalExtensions contains "BLOCKED"
  | extend DeviceProduct
  | extend SourceIP
  | extend DeviceVersion
  | extend Activity
  | extend ApplicationProtocol
  | extend RequestURL
  | extend RequestMethod
  | extend Rule = extract_data(AdditionalExtensions, 'pri')  
description: |
    'Creates Incidents for Blocked events sourced from the Contrast Protect agent.'
severity: Low
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: ContrastProtect
- dataTypes:
  - CommonSecurityLog
  connectorId: ContrastProtectAma
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
name: Contrast Blocks
triggerThreshold: 0
customDetails:
  Details: AdditionalExtensions
  Attack: Activity
  Agent: DeviceProduct
  AgentVersion: DeviceVersion
  Application: ApplicationProtocol
tactics:
- InitialAccess
- Exfiltration
version: 1.0.2
relevantTechniques:
- T1566
triggerOperator: gt
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SourceIP
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: RequestURL
    identifier: Url
- entityType: CloudApplication
  fieldMappings:
  - columnName: ApplicationProtocol
    identifier: Name
- entityType: Malware
  fieldMappings:
  - columnName: Activity
    identifier: Name
  - columnName: Rule
    identifier: Category
id: 4396f8c3-d114-4154-9f4c-048ba522ed04
status: Available
kind: Scheduled
queryFrequency: 5m
queryPeriod: 5m

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4396f8c3-d114-4154-9f4c-048ba522ed04')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4396f8c3-d114-4154-9f4c-048ba522ed04')]",
      "properties": {
        "alertRuleTemplateName": "4396f8c3-d114-4154-9f4c-048ba522ed04",
        "customDetails": {
          "Agent": "DeviceProduct",
          "AgentVersion": "DeviceVersion",
          "Application": "ApplicationProtocol",
          "Attack": "Activity",
          "Details": "AdditionalExtensions"
        },
        "description": "'Creates Incidents for Blocked events sourced from the Contrast Protect agent.'\n",
        "displayName": "Contrast Blocks",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "RequestURL",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "ApplicationProtocol",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Malware",
            "fieldMappings": [
              {
                "columnName": "Activity",
                "identifier": "Name"
              },
              {
                "columnName": "Rule",
                "identifier": "Category"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastBlocks.yaml",
        "query": "let extract_data=(a:string, k:string) {\n  parse_urlquery(replace(@';', @'&', a))[\"Query Parameters\"][k]\n};\n\nCommonSecurityLog \n| where DeviceVendor == \"Contrast Security\"\n| where AdditionalExtensions contains \"BLOCKED\"\n| extend DeviceProduct\n| extend SourceIP\n| extend DeviceVersion\n| extend Activity\n| extend ApplicationProtocol\n| extend RequestURL\n| extend RequestMethod\n| extend Rule = extract_data(AdditionalExtensions, 'pri')\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration",
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}