Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Contrast ADR - Exploited Attack Event

Contrast ADR - Exploited Attack Event

Back
Idae4f67a6-0713-4a26-ae61-284e67b408c1
RulenameContrast ADR - Exploited Attack Event
DescriptionDetects successful exploitation of security vulnerabilities across all environments as identified by Contrast ADR. This rule captures confirmed exploited attacks that bypassed application security controls and require security team investigation.
SeverityHigh
TacticsInitialAccess
Execution
DefenseEvasion
LateralMovement
CommandAndControl
TechniquesT1190
T1059
T1055
T1210
T1008
Required data connectorsContrastADRCCF
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event.yaml
Version1.0.1
Arm templateae4f67a6-0713-4a26-ae61-284e67b408c1.json
Deploy To Azure
ContrastADRAttackEvents_CL
| where result =~ "exploited"

entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: sourceIp
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: host_hostname
tactics:
- InitialAccess
- Execution
- DefenseEvasion
- LateralMovement
- CommandAndControl
requiredDataConnectors:
- dataTypes:
  - ContrastADRAttackEvents_CL
  connectorId: ContrastADRCCF
alertDetailsOverride:
  alertDisplayNameFormat: '{{result}} {{rule}} from {{sourceIp}} '
  alertDescriptionFormat: '{{result}}  on {{request_headers_referer}}  endpoint of {{application_name}} '
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: PT1H
    groupByEntities:
    - IP
    - Host
    enabled: true
    matchingMethod: Selected
  createIncident: true
id: ae4f67a6-0713-4a26-ae61-284e67b408c1
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
customDetails:
  AttackRule: rule
  AttackResult: result
  ApplicationName: application_name
  AttackedEndpoint: request_headers_referer
  Environment: environment
  TargetHost: host_hostname
query: |
  ContrastADRAttackEvents_CL
  | where result =~ "exploited"  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event.yaml
kind: Scheduled
queryPeriod: 5m
version: 1.0.1
name: Contrast ADR - Exploited Attack Event
queryFrequency: 5m
triggerThreshold: 0
relevantTechniques:
- T1190
- T1059
- T1055
- T1210
- T1008
description: |
    'Detects successful exploitation of security vulnerabilities across all environments as identified by Contrast ADR. This rule captures confirmed exploited attacks that bypassed application security controls and require security team investigation.'
triggerOperator: gt