Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Contrast Blocks

Back
Id4396f8c3-d114-4154-9f4c-048ba522ed04
RulenameContrast Blocks
DescriptionCreates Incidents for Blocked events sourced from the Contrast Protect agent.
SeverityLow
TacticsInitialAccess
Exfiltration
TechniquesT1566
Required data connectorsContrastProtect
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastBlocks.yaml
Version1.0.0
Arm template4396f8c3-d114-4154-9f4c-048ba522ed04.json
Deploy To Azure
let extract_data=(a:string, k:string) {
  parse_urlquery(replace(@';', @'&', a))["Query Parameters"][k]
};

CommonSecurityLog 
| where DeviceVendor == "Contrast Security"
| where AdditionalExtensions contains "BLOCKED"
| extend DeviceProduct
| extend SourceIP
| extend DeviceVersion
| extend Activity
| extend ApplicationProtocol
| extend RequestURL
| extend RequestMethod
| extend Rule = extract_data(AdditionalExtensions, 'pri')
queryPeriod: 5m
version: 1.0.0
customDetails:
  Application: ApplicationProtocol
  Details: AdditionalExtensions
  Attack: Activity
  AgentVersion: DeviceVersion
  Agent: DeviceProduct
relevantTechniques:
- T1566
queryFrequency: 5m
kind: Scheduled
name: Contrast Blocks
id: 4396f8c3-d114-4154-9f4c-048ba522ed04
entityMappings:
- fieldMappings:
  - columnName: SourceIP
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: RequestURL
    identifier: Url
  entityType: URL
- fieldMappings:
  - columnName: ApplicationProtocol
    identifier: Name
  entityType: CloudApplication
- fieldMappings:
  - columnName: Activity
    identifier: Name
  - columnName: Rule
    identifier: Category
  entityType: Malware
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastBlocks.yaml
severity: Low
query: |
  let extract_data=(a:string, k:string) {
    parse_urlquery(replace(@';', @'&', a))["Query Parameters"][k]
  };

  CommonSecurityLog 
  | where DeviceVendor == "Contrast Security"
  | where AdditionalExtensions contains "BLOCKED"
  | extend DeviceProduct
  | extend SourceIP
  | extend DeviceVersion
  | extend Activity
  | extend ApplicationProtocol
  | extend RequestURL
  | extend RequestMethod
  | extend Rule = extract_data(AdditionalExtensions, 'pri')  
tactics:
- InitialAccess
- Exfiltration
description: |
    'Creates Incidents for Blocked events sourced from the Contrast Protect agent.'
requiredDataConnectors:
- connectorId: ContrastProtect
  dataTypes:
  - CommonSecurityLog
status: Available
triggerThreshold: 0
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4396f8c3-d114-4154-9f4c-048ba522ed04')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4396f8c3-d114-4154-9f4c-048ba522ed04')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Contrast Blocks",
        "description": "'Creates Incidents for Blocked events sourced from the Contrast Protect agent.'\n",
        "severity": "Low",
        "enabled": true,
        "query": "let extract_data=(a:string, k:string) {\n  parse_urlquery(replace(@';', @'&', a))[\"Query Parameters\"][k]\n};\n\nCommonSecurityLog \n| where DeviceVendor == \"Contrast Security\"\n| where AdditionalExtensions contains \"BLOCKED\"\n| extend DeviceProduct\n| extend SourceIP\n| extend DeviceVersion\n| extend Activity\n| extend ApplicationProtocol\n| extend RequestURL\n| extend RequestMethod\n| extend Rule = extract_data(AdditionalExtensions, 'pri')\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "Exfiltration"
        ],
        "techniques": [
          "T1566"
        ],
        "alertRuleTemplateName": "4396f8c3-d114-4154-9f4c-048ba522ed04",
        "customDetails": {
          "AgentVersion": "DeviceVersion",
          "Attack": "Activity",
          "Details": "AdditionalExtensions",
          "Application": "ApplicationProtocol",
          "Agent": "DeviceProduct"
        },
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "SourceIP"
              }
            ],
            "entityType": "IP"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Url",
                "columnName": "RequestURL"
              }
            ],
            "entityType": "URL"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "ApplicationProtocol"
              }
            ],
            "entityType": "CloudApplication"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "Activity"
              },
              {
                "identifier": "Category",
                "columnName": "Rule"
              }
            ],
            "entityType": "Malware"
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastBlocks.yaml"
      }
    }
  ]
}