Contrast ADR - Exploited Attack Event
| Id | ae4f67a6-0713-4a26-ae61-284e67b408c1 |
| Rulename | Contrast ADR - Exploited Attack Event |
| Description | Detects successful exploitation of security vulnerabilities across all environments as identified by Contrast ADR. This rule captures confirmed exploited attacks that bypassed application security controls and require security team investigation. |
| Severity | High |
| Tactics | InitialAccess Execution DefenseEvasion LateralMovement CommandAndControl |
| Techniques | T1190 T1059 T1055 T1210 T1008 |
| Required data connectors | ContrastADR |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event.yaml |
| Version | 1.0.0 |
| Arm template | ae4f67a6-0713-4a26-ae61-284e67b408c1.json |
ContrastADR_CL
| where result_s =~ "exploited"
name: Contrast ADR - Exploited Attack Event
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event.yaml
queryPeriod: 5m
version: 1.0.0
severity: High
id: ae4f67a6-0713-4a26-ae61-284e67b408c1
triggerOperator: gt
triggerThreshold: 0
kind: Scheduled
eventGroupingSettings:
aggregationKind: AlertPerResult
incidentConfiguration:
createIncident: true
groupingConfiguration:
reopenClosedIncident: false
groupByEntities:
- IP
- Host
lookbackDuration: PT1H
enabled: true
matchingMethod: Selected
requiredDataConnectors:
- dataTypes:
- ContrastADR_CL
connectorId: ContrastADR
customDetails:
ApplicationName: application_name_s
Environment: environment_s
AttackRule: rule_s
TargetHost: host_hostname_s
AttackResult: result_s
AttackedEndpoint: request_headers_referer_s
relevantTechniques:
- T1190
- T1059
- T1055
- T1210
- T1008
description: |
'Detects successful exploitation of security vulnerabilities across all environments as identified by Contrast ADR. This rule captures confirmed exploited attacks that bypassed application security controls and require security team investigation.'
alertDetailsOverride:
alertDescriptionFormat: '{{result_s}} on {{request_headers_referer_s}} endpoint of {{application_name_s}} '
alertDisplayNameFormat: '{{result_s}} {{rule_s}} from {{SourceIP}} '
query: |
ContrastADR_CL
| where result_s =~ "exploited"
tactics:
- InitialAccess
- Execution
- DefenseEvasion
- LateralMovement
- CommandAndControl
entityMappings:
- entityType: IP
fieldMappings:
- columnName: SourceIP
identifier: Address
- entityType: Host
fieldMappings:
- columnName: host_hostname_s
identifier: HostName
status: Available
queryFrequency: 5m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ae4f67a6-0713-4a26-ae61-284e67b408c1')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ae4f67a6-0713-4a26-ae61-284e67b408c1')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{result_s}} on {{request_headers_referer_s}} endpoint of {{application_name_s}} ",
"alertDisplayNameFormat": "{{result_s}} {{rule_s}} from {{SourceIP}} "
},
"alertRuleTemplateName": "ae4f67a6-0713-4a26-ae61-284e67b408c1",
"customDetails": {
"ApplicationName": "application_name_s",
"AttackedEndpoint": "request_headers_referer_s",
"AttackResult": "result_s",
"AttackRule": "rule_s",
"Environment": "environment_s",
"TargetHost": "host_hostname_s"
},
"description": "'Detects successful exploitation of security vulnerabilities across all environments as identified by Contrast ADR. This rule captures confirmed exploited attacks that bypassed application security controls and require security team investigation.'\n",
"displayName": "Contrast ADR - Exploited Attack Event",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIP",
"identifier": "Address"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "host_hostname_s",
"identifier": "HostName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByEntities": [
"IP",
"Host"
],
"lookbackDuration": "PT1H",
"matchingMethod": "Selected",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event.yaml",
"query": "ContrastADR_CL\n| where result_s =~ \"exploited\"\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"DefenseEvasion",
"Execution",
"InitialAccess",
"LateralMovement"
],
"techniques": [
"T1008",
"T1055",
"T1059",
"T1190",
"T1210"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}