Contrast ADR - Security Incident Alert
| Id | 7ce5956f-48f2-42f5-8e2e-c254e7643c11 |
| Rulename | Contrast ADR - Security Incident Alert |
| Description | Monitors Contrast ADR security incidents across all applications and environments. This rule creates alerts for all security incidents detected by Contrast Security ADR, providing comprehensive visibility into application security events requiring investigation. |
| Severity | Medium |
| Tactics | InitialAccess DefenseEvasion Discovery CommandAndControl |
| Techniques | T1190 T1055 T1018 T1008 |
| Required data connectors | ContrastADR |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_Security_ADR_incident.yaml |
| Version | 1.0.0 |
| Arm template | 7ce5956f-48f2-42f5-8e2e-c254e7643c11.json |
ContrastADRIncident_CL
kind: Scheduled
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride:
alertDisplayNameFormat: '{{incidentName_s}}'
alertDescriptionFormat: '{{summary_s}}'
entityMappings:
- entityType: SecurityGroup
fieldMappings:
- columnName: incidentId_s
identifier: ObjectGuid
description: |
'Monitors Contrast ADR security incidents across all applications and environments. This rule creates alerts for all security incidents detected by Contrast Security ADR, providing comprehensive visibility into application security events requiring investigation.'
severity: Medium
queryFrequency: 5m
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
lookbackDuration: PT1H
matchingMethod: Selected
groupByCustomDetails:
- IncidentId
- ApplicationName
enabled: true
createIncident: true
triggerThreshold: 0
relevantTechniques:
- T1190
- T1055
- T1018
- T1008
status: Available
tactics:
- InitialAccess
- DefenseEvasion
- Discovery
- CommandAndControl
name: Contrast ADR - Security Incident Alert
id: 7ce5956f-48f2-42f5-8e2e-c254e7643c11
query: |
ContrastADRIncident_CL
requiredDataConnectors:
- dataTypes:
- ContrastADRIncident_CL
connectorId: ContrastADR
version: 1.0.0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_Security_ADR_incident.yaml
queryPeriod: 5m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7ce5956f-48f2-42f5-8e2e-c254e7643c11')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7ce5956f-48f2-42f5-8e2e-c254e7643c11')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{summary_s}}",
"alertDisplayNameFormat": "{{incidentName_s}}"
},
"alertRuleTemplateName": "7ce5956f-48f2-42f5-8e2e-c254e7643c11",
"customDetails": null,
"description": "'Monitors Contrast ADR security incidents across all applications and environments. This rule creates alerts for all security incidents detected by Contrast Security ADR, providing comprehensive visibility into application security events requiring investigation.'\n",
"displayName": "Contrast ADR - Security Incident Alert",
"enabled": true,
"entityMappings": [
{
"entityType": "SecurityGroup",
"fieldMappings": [
{
"columnName": "incidentId_s",
"identifier": "ObjectGuid"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByCustomDetails": [
"IncidentId",
"ApplicationName"
],
"lookbackDuration": "PT1H",
"matchingMethod": "Selected",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_Security_ADR_incident.yaml",
"query": "ContrastADRIncident_CL\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"DefenseEvasion",
"Discovery",
"InitialAccess"
],
"techniques": [
"T1008",
"T1018",
"T1055",
"T1190"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}