Microsoft Sentinel Analytic Rules

Contrast ADR - WAF Alert Correlation

Id93641436-afb3-4921-8828-ceab0d15aaab
RulenameContrast ADR - WAF Alert Correlation
DescriptionCorrelates Contrast ADR security alerts with WAF logs to identify confirmed attack attempts that were either exploited or blocked, so that security teams can prioritize incidents that application-layer monitoring has validated. Note: as shipped, the WAF join in the query is commented out; until it is enabled against your own WAF table, the rule alerts on every Contrast ADR event whose result is "exploited" or "blocked" and performs no WAF correlation at all.
SeverityMedium
TacticsInitialAccess
DefenseEvasion
CommandAndControl
TechniquesT1190
T1211
T1008
Required data connectorsContrastADR
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_WAF.yaml
Version1.0.0
Arm template93641436-afb3-4921-8828-ceab0d15aaab.json
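// Contrast ADR events that the application-layer sensor classified as a real
// attack outcome (exploited or blocked). Case-insensitive match on result_s.
ContrastADR_CL
| where result_s =~ "exploited" or result_s =~ "blocked"
// Keep SourceIP in the output: the rule's entity mapping binds the IP entity to
// the SourceIP column, so renaming it away (project-rename) would leave that
// mapping with no column. Add ip_s as a separate copy to use as the join key.
| extend ip_s = SourceIP
// NOTE(review): with the join below commented out this rule performs no WAF
// correlation and fires once per exploited/blocked Contrast ADR event.
// To enable it, replace ContrastWAFLogs_CL with your WAF table and either
// rename that table's client/source IP column to ip_s, or join with
// `on $left.ip_s == $right.<WafClientIpColumn>`, then uncomment the line.
//| join kind=inner (ContrastWAFLogs_CL | where TimeGenerated >= ago(5m)) on ip_s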
# NOTE(review): the join in `query` below is commented out, so as shipped this
# rule alerts on every Contrast ADR event with result_s "exploited" or
# "blocked" and consults no WAF log. The "WAF Alert Confirmed" wording in the
# alert title and description is only accurate once the join is enabled.
triggerOperator: gt
# The literal single quotes inside this block scalar become part of the value,
# so the deployed description reads '...' with a trailing newline (see the
# rendered ARM template's "description").
description: |
    'Correlates Contrast ADR security alerts with WAF logs to identify confirmed attack attempts that were either exploited or blocked. This rule helps security teams prioritize incidents by focusing on attacks that have been validated by application security monitoring.'
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: true
    lookbackDuration: PT1H
    # matchingMethod Selected with no groupBy* keys visible here — confirm the
    # intended grouping fields (entities/alert details) before deploying.
    matchingMethod: Selected
status: Available
requiredDataConnectors:
- dataTypes:
  - ContrastADR_CL
  connectorId: ContrastADR
kind: Scheduled
eventGroupingSettings:
  # One alert per returned row. Once the inner join is enabled, every matching
  # WAF row for the same ADR event becomes its own alert.
  aggregationKind: AlertPerResult
# Lookback (queryPeriod) equals the run frequency, so there is no overlap to
# absorb ingestion delay; events arriving late may be missed.
queryFrequency: 5m
id: 93641436-afb3-4921-8828-ceab0d15aaab
# NOTE(review): `project-rename ip_s=SourceIP` removes the SourceIP column, yet
# entityMappings below maps the IP entity to SourceIP. Either `extend ip_s =
# SourceIP` (keeping SourceIP) or map the entity to ip_s so it resolves.
query: |
  ContrastADR_CL
  | where result_s =~ "exploited" or result_s =~ "blocked"
  | project-rename ip_s=SourceIP
  //please add you WAF table in place of ContrastWAFLogs_CL and WAF tables source IP or target IP column's inplace of ip_s and uncomment the queries below
  //| join kind=inner (ContrastWAFLogs_CL | where TimeGenerated >= ago(5m)) on ip_s  
entityMappings:
# Maps the attacker/source address; see the note on `query` about the column name.
- fieldMappings:
  - identifier: Address
    columnName: SourceIP
  entityType: IP
name: Contrast ADR - WAF Alert Correlation
severity: Medium
alertDetailsOverride:
  # NOTE(review): request_headers_referer_s is presumably the client-supplied
  # Referer header, not the attacked endpoint, and it is attacker-controlled
  # text surfaced verbatim in the alert title — confirm the column against the
  # connector schema and consider a request path/URL field if one exists.
  alertDisplayNameFormat: 'WAF Alert Confirmed {{result_s}}  by Contrast ADR on {{request_headers_referer_s}}  endpoint of {{application_name_s}} '
  alertDescriptionFormat: 'WAF Alert Confirmed {{result_s}}  by Contrast ADR on {{request_headers_referer_s}}  endpoint of {{application_name_s}} '
queryPeriod: 5m
version: 1.0.0
# T1190 (Exploit Public-Facing Application) fits exploited/blocked web requests;
# T1211 (Exploitation for Defense Evasion) and T1008 (Fallback Channels) are not
# obviously implied by this query — confirm the intended ATT&CK mapping.
relevantTechniques:
- T1190
- T1211
- T1008
triggerThreshold: 0
tactics:
- InitialAccess
- DefenseEvasion
- CommandAndControl
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_WAF.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/93641436-afb3-4921-8828-ceab0d15aaab')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/93641436-afb3-4921-8828-ceab0d15aaab')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "WAF Alert Confirmed {{result_s}}  by Contrast ADR on {{request_headers_referer_s}}  endpoint of {{application_name_s}} ",
          "alertDisplayNameFormat": "WAF Alert Confirmed {{result_s}}  by Contrast ADR on {{request_headers_referer_s}}  endpoint of {{application_name_s}} "
        },
        "alertRuleTemplateName": "93641436-afb3-4921-8828-ceab0d15aaab",
        "customDetails": null,
        "description": "'Correlates Contrast ADR security alerts with WAF logs to identify confirmed attack attempts that were either exploited or blocked. This rule helps security teams prioritize incidents by focusing on attacks that have been validated by application security monitoring.'\n",
        "displayName": "Contrast ADR - WAF Alert Correlation",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "PT1H",
            "matchingMethod": "Selected",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_WAF.yaml",
        "query": "ContrastADR_CL\n| where result_s =~ \"exploited\" or result_s =~ \"blocked\"\n| project-rename ip_s=SourceIP\n//please add you WAF table in place of ContrastWAFLogs_CL and WAF tables source IP or target IP column's inplace of ip_s and uncomment the queries below\n//| join kind=inner (ContrastWAFLogs_CL | where TimeGenerated >= ago(5m)) on ip_s\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "DefenseEvasion",
          "InitialAccess"
        ],
        "techniques": [
          "T1008",
          "T1190",
          "T1211"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}