Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Contrast ADR - WAF Alert Correlation

Back
Id93641436-afb3-4921-8828-ceab0d15aaab
RulenameContrast ADR - WAF Alert Correlation
DescriptionCorrelates Contrast ADR security alerts with WAF logs to identify confirmed attack attempts that were either exploited or blocked. This rule helps security teams prioritize incidents by focusing on attacks that have been validated by application security monitoring.
SeverityMedium
TacticsInitialAccess
DefenseEvasion
CommandAndControl
TechniquesT1190
T1211
T1008
Required data connectorsContrastADR
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_WAF.yaml
Version1.0.0
Arm template93641436-afb3-4921-8828-ceab0d15aaab.json
Deploy To Azure
ContrastADR_CL
| where result_s =~ "exploited" or result_s =~ "blocked"
| project-rename ip_s=SourceIP
//please add you WAF table in place of ContrastWAFLogs_CL and WAF tables source IP or target IP column's inplace of ip_s and uncomment the queries below
//| join kind=inner (ContrastWAFLogs_CL | where TimeGenerated >= ago(5m)) on ip_s
kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertDisplayNameFormat: 'WAF Alert Confirmed {{result_s}}  by Contrast ADR on {{request_headers_referer_s}}  endpoint of {{application_name_s}} '
  alertDescriptionFormat: 'WAF Alert Confirmed {{result_s}}  by Contrast ADR on {{request_headers_referer_s}}  endpoint of {{application_name_s}} '
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SourceIP
    identifier: Address
description: |
    'Correlates Contrast ADR security alerts with WAF logs to identify confirmed attack attempts that were either exploited or blocked. This rule helps security teams prioritize incidents by focusing on attacks that have been validated by application security monitoring.'
severity: Medium
queryFrequency: 5m
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: Selected
    lookbackDuration: PT1H
    enabled: true
  createIncident: true
triggerThreshold: 0
relevantTechniques:
- T1190
- T1211
- T1008
status: Available
tactics:
- InitialAccess
- DefenseEvasion
- CommandAndControl
name: Contrast ADR - WAF Alert Correlation
id: 93641436-afb3-4921-8828-ceab0d15aaab
query: |
  ContrastADR_CL
  | where result_s =~ "exploited" or result_s =~ "blocked"
  | project-rename ip_s=SourceIP
  //please add you WAF table in place of ContrastWAFLogs_CL and WAF tables source IP or target IP column's inplace of ip_s and uncomment the queries below
  //| join kind=inner (ContrastWAFLogs_CL | where TimeGenerated >= ago(5m)) on ip_s  
requiredDataConnectors:
- dataTypes:
  - ContrastADR_CL
  connectorId: ContrastADR
version: 1.0.0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_WAF.yaml
queryPeriod: 5m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/93641436-afb3-4921-8828-ceab0d15aaab')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/93641436-afb3-4921-8828-ceab0d15aaab')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "WAF Alert Confirmed {{result_s}}  by Contrast ADR on {{request_headers_referer_s}}  endpoint of {{application_name_s}} ",
          "alertDisplayNameFormat": "WAF Alert Confirmed {{result_s}}  by Contrast ADR on {{request_headers_referer_s}}  endpoint of {{application_name_s}} "
        },
        "alertRuleTemplateName": "93641436-afb3-4921-8828-ceab0d15aaab",
        "customDetails": null,
        "description": "'Correlates Contrast ADR security alerts with WAF logs to identify confirmed attack attempts that were either exploited or blocked. This rule helps security teams prioritize incidents by focusing on attacks that have been validated by application security monitoring.'\n",
        "displayName": "Contrast ADR - WAF Alert Correlation",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "PT1H",
            "matchingMethod": "Selected",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_WAF.yaml",
        "query": "ContrastADR_CL\n| where result_s =~ \"exploited\" or result_s =~ \"blocked\"\n| project-rename ip_s=SourceIP\n//please add you WAF table in place of ContrastWAFLogs_CL and WAF tables source IP or target IP column's inplace of ip_s and uncomment the queries below\n//| join kind=inner (ContrastWAFLogs_CL | where TimeGenerated >= ago(5m)) on ip_s\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "DefenseEvasion",
          "InitialAccess"
        ],
        "techniques": [
          "T1008",
          "T1190",
          "T1211"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}