Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Contrast ADR - Security Incident Alert

Contrast ADR - Security Incident Alert

Back
Id7ce5956f-48f2-42f5-8e2e-c254e7643c11
RulenameContrast ADR - Security Incident Alert
DescriptionMonitors Contrast ADR security incidents across all applications and environments. This rule creates alerts for all security incidents detected by Contrast Security ADR, providing comprehensive visibility into application security events requiring investigation.
SeverityMedium
TacticsInitialAccess
DefenseEvasion
Discovery
CommandAndControl
TechniquesT1190
T1055
T1018
T1008
Required data connectorsContrastADR
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_Security_ADR_incident.yaml
Version1.0.0
Arm template7ce5956f-48f2-42f5-8e2e-c254e7643c11.json
Deploy To Azure
ContrastADRIncident_CL

triggerOperator: gt
description: |
    'Monitors Contrast ADR security incidents across all applications and environments. This rule creates alerts for all security incidents detected by Contrast Security ADR, providing comprehensive visibility into application security events requiring investigation.'
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: Selected
    reopenClosedIncident: false
    groupByCustomDetails:
    - IncidentId
    - ApplicationName
    enabled: true
    lookbackDuration: PT1H
status: Available
requiredDataConnectors:
- dataTypes:
  - ContrastADRIncident_CL
  connectorId: ContrastADR
kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 5m
id: 7ce5956f-48f2-42f5-8e2e-c254e7643c11
query: |
    ContrastADRIncident_CL
entityMappings:
- fieldMappings:
  - identifier: ObjectGuid
    columnName: incidentId_s
  entityType: SecurityGroup
name: Contrast ADR - Security Incident Alert
severity: Medium
alertDetailsOverride:
  alertDisplayNameFormat: '{{incidentName_s}}'
  alertDescriptionFormat: '{{summary_s}}'
queryPeriod: 5m
version: 1.0.0
relevantTechniques:
- T1190
- T1055
- T1018
- T1008
triggerThreshold: 0
tactics:
- InitialAccess
- DefenseEvasion
- Discovery
- CommandAndControl
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_Security_ADR_incident.yaml

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7ce5956f-48f2-42f5-8e2e-c254e7643c11')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7ce5956f-48f2-42f5-8e2e-c254e7643c11')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{summary_s}}",
          "alertDisplayNameFormat": "{{incidentName_s}}"
        },
        "alertRuleTemplateName": "7ce5956f-48f2-42f5-8e2e-c254e7643c11",
        "customDetails": null,
        "description": "'Monitors Contrast ADR security incidents across all applications and environments. This rule creates alerts for all security incidents detected by Contrast Security ADR, providing comprehensive visibility into application security events requiring investigation.'\n",
        "displayName": "Contrast ADR - Security Incident Alert",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "SecurityGroup",
            "fieldMappings": [
              {
                "columnName": "incidentId_s",
                "identifier": "ObjectGuid"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByCustomDetails": [
              "IncidentId",
              "ApplicationName"
            ],
            "lookbackDuration": "PT1H",
            "matchingMethod": "Selected",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_Security_ADR_incident.yaml",
        "query": "ContrastADRIncident_CL\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "DefenseEvasion",
          "Discovery",
          "InitialAccess"
        ],
        "techniques": [
          "T1008",
          "T1018",
          "T1055",
          "T1190"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}