Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Contrast Blocks

Contrast Blocks

Back
Id4396f8c3-d114-4154-9f4c-048ba522ed04
RulenameContrast Blocks
DescriptionCreates Incidents for Blocked events sourced from the Contrast Protect agent.
SeverityLow
TacticsInitialAccess
Exfiltration
TechniquesT1566
Required data connectorsCefAma
ContrastProtect
ContrastProtectAma
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastBlocks.yaml
Version1.0.2
Arm template4396f8c3-d114-4154-9f4c-048ba522ed04.json
Deploy To Azure
let extract_data=(a:string, k:string) {
  parse_urlquery(replace(@';', @'&', a))["Query Parameters"][k]
};

CommonSecurityLog 
| where DeviceVendor == "Contrast Security"
| where AdditionalExtensions contains "BLOCKED"
| extend DeviceProduct
| extend SourceIP
| extend DeviceVersion
| extend Activity
| extend ApplicationProtocol
| extend RequestURL
| extend RequestMethod
| extend Rule = extract_data(AdditionalExtensions, 'pri')

id: 4396f8c3-d114-4154-9f4c-048ba522ed04
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastBlocks.yaml
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SourceIP
  entityType: IP
- fieldMappings:
  - identifier: Url
    columnName: RequestURL
  entityType: URL
- fieldMappings:
  - identifier: Name
    columnName: ApplicationProtocol
  entityType: CloudApplication
- fieldMappings:
  - identifier: Name
    columnName: Activity
  - identifier: Category
    columnName: Rule
  entityType: Malware
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: ContrastProtect
- dataTypes:
  - CommonSecurityLog
  connectorId: ContrastProtectAma
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
queryFrequency: 5m
queryPeriod: 5m
status: Available
query: |
  let extract_data=(a:string, k:string) {
    parse_urlquery(replace(@';', @'&', a))["Query Parameters"][k]
  };

  CommonSecurityLog 
  | where DeviceVendor == "Contrast Security"
  | where AdditionalExtensions contains "BLOCKED"
  | extend DeviceProduct
  | extend SourceIP
  | extend DeviceVersion
  | extend Activity
  | extend ApplicationProtocol
  | extend RequestURL
  | extend RequestMethod
  | extend Rule = extract_data(AdditionalExtensions, 'pri')  
name: Contrast Blocks
kind: Scheduled
tactics:
- InitialAccess
- Exfiltration
severity: Low
relevantTechniques:
- T1566
triggerThreshold: 0
version: 1.0.2
description: |
    'Creates Incidents for Blocked events sourced from the Contrast Protect agent.'
customDetails:
  Attack: Activity
  Details: AdditionalExtensions
  Agent: DeviceProduct
  AgentVersion: DeviceVersion
  Application: ApplicationProtocol