Contrast ADR - Exploited Attack Event
| Id | ae4f67a6-0713-4a26-ae61-284e67b408c1 |
| Rulename | Contrast ADR - Exploited Attack Event |
| Description | Detects successful exploitation of security vulnerabilities across all environments as identified by Contrast ADR. This rule captures confirmed exploited attacks that bypassed application security controls and require security team investigation. |
| Severity | High |
| Tactics | InitialAccess Execution DefenseEvasion LateralMovement CommandAndControl |
| Techniques | T1190 T1059 T1055 T1210 T1008 |
| Required data connectors | ContrastADR |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event.yaml |
| Version | 1.0.0 |
| Arm template | ae4f67a6-0713-4a26-ae61-284e67b408c1.json |
ContrastADR_CL
| where result_s =~ "exploited"
kind: Scheduled
customDetails:
AttackResult: result_s
TargetHost: host_hostname_s
AttackedEndpoint: request_headers_referer_s
Environment: environment_s
AttackRule: rule_s
ApplicationName: application_name_s
alertDetailsOverride:
alertDisplayNameFormat: '{{result_s}} {{rule_s}} from {{SourceIP}} '
alertDescriptionFormat: '{{result_s}} on {{request_headers_referer_s}} endpoint of {{application_name_s}} '
entityMappings:
- entityType: IP
fieldMappings:
- columnName: SourceIP
identifier: Address
- entityType: Host
fieldMappings:
- columnName: host_hostname_s
identifier: HostName
description: |
'Detects successful exploitation of security vulnerabilities across all environments as identified by Contrast ADR. This rule captures confirmed exploited attacks that bypassed application security controls and require security team investigation.'
severity: High
queryFrequency: 5m
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
lookbackDuration: PT1H
matchingMethod: Selected
enabled: true
groupByEntities:
- IP
- Host
createIncident: true
triggerThreshold: 0
relevantTechniques:
- T1190
- T1059
- T1055
- T1210
- T1008
eventGroupingSettings:
aggregationKind: AlertPerResult
status: Available
tactics:
- InitialAccess
- Execution
- DefenseEvasion
- LateralMovement
- CommandAndControl
name: Contrast ADR - Exploited Attack Event
id: ae4f67a6-0713-4a26-ae61-284e67b408c1
query: |
ContrastADR_CL
| where result_s =~ "exploited"
requiredDataConnectors:
- dataTypes:
- ContrastADR_CL
connectorId: ContrastADR
version: 1.0.0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event.yaml
queryPeriod: 5m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ae4f67a6-0713-4a26-ae61-284e67b408c1')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ae4f67a6-0713-4a26-ae61-284e67b408c1')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{result_s}} on {{request_headers_referer_s}} endpoint of {{application_name_s}} ",
"alertDisplayNameFormat": "{{result_s}} {{rule_s}} from {{SourceIP}} "
},
"alertRuleTemplateName": "ae4f67a6-0713-4a26-ae61-284e67b408c1",
"customDetails": {
"ApplicationName": "application_name_s",
"AttackedEndpoint": "request_headers_referer_s",
"AttackResult": "result_s",
"AttackRule": "rule_s",
"Environment": "environment_s",
"TargetHost": "host_hostname_s"
},
"description": "'Detects successful exploitation of security vulnerabilities across all environments as identified by Contrast ADR. This rule captures confirmed exploited attacks that bypassed application security controls and require security team investigation.'\n",
"displayName": "Contrast ADR - Exploited Attack Event",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIP",
"identifier": "Address"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "host_hostname_s",
"identifier": "HostName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByEntities": [
"IP",
"Host"
],
"lookbackDuration": "PT1H",
"matchingMethod": "Selected",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event.yaml",
"query": "ContrastADR_CL\n| where result_s =~ \"exploited\"\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"DefenseEvasion",
"Execution",
"InitialAccess",
"LateralMovement"
],
"techniques": [
"T1008",
"T1055",
"T1059",
"T1190",
"T1210"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}