Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Contrast ADR - Exploited Attack Event

Back
Idae4f67a6-0713-4a26-ae61-284e67b408c1
RulenameContrast ADR - Exploited Attack Event
DescriptionDetects successful exploitation of security vulnerabilities across all environments as identified by Contrast ADR. This rule captures confirmed exploited attacks that bypassed application security controls and require security team investigation.
SeverityHigh
TacticsInitialAccess
Execution
DefenseEvasion
LateralMovement
CommandAndControl
TechniquesT1190
T1059
T1055
T1210
T1008
Required data connectorsContrastADR
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event.yaml
Version1.0.0
Arm templateae4f67a6-0713-4a26-ae61-284e67b408c1.json
Deploy To Azure
ContrastADR_CL
| where result_s =~ "exploited"
name: Contrast ADR - Exploited Attack Event
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event.yaml
queryPeriod: 5m
version: 1.0.0
severity: High
id: ae4f67a6-0713-4a26-ae61-284e67b408c1
triggerOperator: gt
triggerThreshold: 0
kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    groupByEntities:
    - IP
    - Host
    lookbackDuration: PT1H
    enabled: true
    matchingMethod: Selected
requiredDataConnectors:
- dataTypes:
  - ContrastADR_CL
  connectorId: ContrastADR
customDetails:
  ApplicationName: application_name_s
  Environment: environment_s
  AttackRule: rule_s
  TargetHost: host_hostname_s
  AttackResult: result_s
  AttackedEndpoint: request_headers_referer_s
relevantTechniques:
- T1190
- T1059
- T1055
- T1210
- T1008
description: |
    'Detects successful exploitation of security vulnerabilities across all environments as identified by Contrast ADR. This rule captures confirmed exploited attacks that bypassed application security controls and require security team investigation.'
alertDetailsOverride:
  alertDescriptionFormat: '{{result_s}}  on {{request_headers_referer_s}}  endpoint of {{application_name_s}} '
  alertDisplayNameFormat: '{{result_s}} {{rule_s}} from {{SourceIP}} '
query: |
  ContrastADR_CL
  | where result_s =~ "exploited"  
tactics:
- InitialAccess
- Execution
- DefenseEvasion
- LateralMovement
- CommandAndControl
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SourceIP
    identifier: Address
- entityType: Host
  fieldMappings:
  - columnName: host_hostname_s
    identifier: HostName
status: Available
queryFrequency: 5m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ae4f67a6-0713-4a26-ae61-284e67b408c1')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ae4f67a6-0713-4a26-ae61-284e67b408c1')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{result_s}}  on {{request_headers_referer_s}}  endpoint of {{application_name_s}} ",
          "alertDisplayNameFormat": "{{result_s}} {{rule_s}} from {{SourceIP}} "
        },
        "alertRuleTemplateName": "ae4f67a6-0713-4a26-ae61-284e67b408c1",
        "customDetails": {
          "ApplicationName": "application_name_s",
          "AttackedEndpoint": "request_headers_referer_s",
          "AttackResult": "result_s",
          "AttackRule": "rule_s",
          "Environment": "environment_s",
          "TargetHost": "host_hostname_s"
        },
        "description": "'Detects successful exploitation of security vulnerabilities across all environments as identified by Contrast ADR. This rule captures confirmed exploited attacks that bypassed application security controls and require security team investigation.'\n",
        "displayName": "Contrast ADR - Exploited Attack Event",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "host_hostname_s",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByEntities": [
              "IP",
              "Host"
            ],
            "lookbackDuration": "PT1H",
            "matchingMethod": "Selected",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event.yaml",
        "query": "ContrastADR_CL\n| where result_s =~ \"exploited\"\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "DefenseEvasion",
          "Execution",
          "InitialAccess",
          "LateralMovement"
        ],
        "techniques": [
          "T1008",
          "T1055",
          "T1059",
          "T1190",
          "T1210"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}