Contrast ADR - Exploited Attack Event

ContrastADR_CL
| where result_s =~ "exploited"

triggerOperator: gt
description: |
    'Detects successful exploitation of security vulnerabilities across all environments as identified by Contrast ADR. This rule captures confirmed exploited attacks that bypassed application security controls and require security team investigation.'
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByEntities:
    - IP
    - Host
    matchingMethod: Selected
    reopenClosedIncident: false
    enabled: true
    lookbackDuration: PT1H
status: Available
requiredDataConnectors:
- dataTypes:
  - ContrastADR_CL
  connectorId: ContrastADR
kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 5m
id: ae4f67a6-0713-4a26-ae61-284e67b408c1
query: |
  ContrastADR_CL
  | where result_s =~ "exploited"  
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SourceIP
  entityType: IP
- fieldMappings:
  - identifier: HostName
    columnName: host_hostname_s
  entityType: Host
name: Contrast ADR - Exploited Attack Event
severity: High
alertDetailsOverride:
  alertDisplayNameFormat: '{{result_s}} {{rule_s}} from {{SourceIP}} '
  alertDescriptionFormat: '{{result_s}}  on {{request_headers_referer_s}}  endpoint of {{application_name_s}} '
queryPeriod: 5m
version: 1.0.0
relevantTechniques:
- T1190
- T1059
- T1055
- T1210
- T1008
triggerThreshold: 0
tactics:
- InitialAccess
- Execution
- DefenseEvasion
- LateralMovement
- CommandAndControl
customDetails:
  AttackResult: result_s
  TargetHost: host_hostname_s
  AttackedEndpoint: request_headers_referer_s
  ApplicationName: application_name_s
  Environment: environment_s
  AttackRule: rule_s
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event.yaml

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ae4f67a6-0713-4a26-ae61-284e67b408c1')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ae4f67a6-0713-4a26-ae61-284e67b408c1')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{result_s}}  on {{request_headers_referer_s}}  endpoint of {{application_name_s}} ",
          "alertDisplayNameFormat": "{{result_s}} {{rule_s}} from {{SourceIP}} "
        },
        "alertRuleTemplateName": "ae4f67a6-0713-4a26-ae61-284e67b408c1",
        "customDetails": {
          "ApplicationName": "application_name_s",
          "AttackedEndpoint": "request_headers_referer_s",
          "AttackResult": "result_s",
          "AttackRule": "rule_s",
          "Environment": "environment_s",
          "TargetHost": "host_hostname_s"
        },
        "description": "'Detects successful exploitation of security vulnerabilities across all environments as identified by Contrast ADR. This rule captures confirmed exploited attacks that bypassed application security controls and require security team investigation.'\n",
        "displayName": "Contrast ADR - Exploited Attack Event",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "host_hostname_s",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByEntities": [
              "IP",
              "Host"
            ],
            "lookbackDuration": "PT1H",
            "matchingMethod": "Selected",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event.yaml",
        "query": "ContrastADR_CL\n| where result_s =~ \"exploited\"\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "DefenseEvasion",
          "Execution",
          "InitialAccess",
          "LateralMovement"
        ],
        "techniques": [
          "T1008",
          "T1055",
          "T1059",
          "T1190",
          "T1210"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}