Contrast ADR - Security Incident Alert
Id | 7ce5956f-48f2-42f5-8e2e-c254e7643c11 |
Rulename | Contrast ADR - Security Incident Alert |
Description | Monitors Contrast ADR security incidents across all applications and environments. This rule creates alerts for all security incidents detected by Contrast Security ADR, providing comprehensive visibility into application security events requiring investigation. |
Severity | Medium |
Tactics | InitialAccess DefenseEvasion Discovery CommandAndControl |
Techniques | T1190 T1055 T1018 T1008 |
Required data connectors | ContrastADR |
Kind | Scheduled |
Query frequency | 5m |
Query period | 5m |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_Security_ADR_incident.yaml |
Version | 1.0.0 |
Arm template | 7ce5956f-48f2-42f5-8e2e-c254e7643c11.json |
ContrastADRIncident_CL
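# Microsoft Sentinel scheduled analytic rule for Contrast Security ADR incidents.
# Indentation restored; key order kept as in the original rule file.
name: Contrast ADR - Security Incident Alert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_Security_ADR_incident.yaml
queryPeriod: 5m
version: 1.0.0
severity: Medium
id: 7ce5956f-48f2-42f5-8e2e-c254e7643c11
# gt / 0: any row returned by the query raises an alert.
triggerOperator: gt
triggerThreshold: 0
kind: Scheduled
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    # NOTE(review): these grouping keys name custom details, but the rule defines
    # no customDetails mapping (the generated ARM template carries
    # "customDetails": null). Confirm the grouping takes effect, or add a
    # customDetails block that maps IncidentId and ApplicationName to the
    # matching ContrastADRIncident_CL columns.
    groupByCustomDetails:
      - IncidentId
      - ApplicationName
    lookbackDuration: PT1H
    reopenClosedIncident: false
    enabled: true
    matchingMethod: Selected
requiredDataConnectors:
  - dataTypes:
      - ContrastADRIncident_CL
    connectorId: ContrastADR
eventGroupingSettings:
  # One alert per query result row, not one alert per query run.
  aggregationKind: AlertPerResult
relevantTechniques:
  - T1190
  - T1055
  - T1018
  - T1008
# Block scalar only: the original wrapped the text in single quotes inside the
# block, so the quotes became part of the deployed description.
description: |
  Monitors Contrast ADR security incidents across all applications and environments. This rule creates alerts for all security incidents detected by Contrast Security ADR, providing comprehensive visibility into application security events requiring investigation.
alertDetailsOverride:
  # Template placeholders are resolved by Sentinel from the result columns;
  # quoted so YAML does not read '{{' as a flow mapping.
  alertDescriptionFormat: '{{summary_s}}'
  alertDisplayNameFormat: '{{incidentName_s}}'
# Unfiltered: every row in the table within the query period is a result.
query: |
  ContrastADRIncident_CL
tactics:
  - InitialAccess
  - DefenseEvasion
  - Discovery
  - CommandAndControl
entityMappings:
  # NOTE(review): incidentId_s is a Contrast incident identifier, not a
  # directory security-group GUID; mapping it as SecurityGroup/ObjectGuid is
  # likely to produce misleading entities in incidents. Confirm the intended
  # entity type against the columns this table actually carries.
  - entityType: SecurityGroup
    fieldMappings:
      - columnName: incidentId_s
        identifier: ObjectGuid
status: Available
queryFrequency: 5m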
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7ce5956f-48f2-42f5-8e2e-c254e7643c11')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7ce5956f-48f2-42f5-8e2e-c254e7643c11')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{summary_s}}",
"alertDisplayNameFormat": "{{incidentName_s}}"
},
"alertRuleTemplateName": "7ce5956f-48f2-42f5-8e2e-c254e7643c11",
"customDetails": null,
"description": "'Monitors Contrast ADR security incidents across all applications and environments. This rule creates alerts for all security incidents detected by Contrast Security ADR, providing comprehensive visibility into application security events requiring investigation.'\n",
"displayName": "Contrast ADR - Security Incident Alert",
"enabled": true,
"entityMappings": [
{
"entityType": "SecurityGroup",
"fieldMappings": [
{
"columnName": "incidentId_s",
"identifier": "ObjectGuid"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByCustomDetails": [
"IncidentId",
"ApplicationName"
],
"lookbackDuration": "PT1H",
"matchingMethod": "Selected",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_Security_ADR_incident.yaml",
"query": "ContrastADRIncident_CL\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"DefenseEvasion",
"Discovery",
"InitialAccess"
],
"techniques": [
"T1008",
"T1018",
"T1055",
"T1190"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}