Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Contrast ADR - EDR Alert Correlation

Back
Idc1c6ba64-134e-403b-b9a6-1bebc90809a4
RulenameContrast ADR - EDR Alert Correlation
DescriptionCorrelates Contrast ADR incidents with specific high-risk attack patterns including command injection, deserialization attacks, and file upload vulnerabilities. This rule identifies confirmed security events that require immediate attention from security teams.
SeverityMedium
TacticsExecution
DefenseEvasion
InitialAccess
CommandAndControl
TechniquesT1059
T1055
T1190
T1008
Required data connectorsContrastADR
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_EDR.yaml
Version1.0.0
Arm templatec1c6ba64-134e-403b-b9a6-1bebc90809a4.json
Deploy To Azure
ContrastADRIncident_CL
| project-rename  incident_id_s = incidentId_s
| join kind=inner (ContrastADR_CL | where rule_s in~("class-loader-manipulation", "cmd-injection-semantic-chained-commands", "cmd-injection-semantic-dangerous-paths", "cmd-injection-command-backdoors", "cmd-injection-process-hardening", "cmd-injection", "expression-language-injection", "jndi-injection", "ssjs-injection", "unsafe-file-upload", "untrusted-deserialization","xxe")) on incident_id_s
| project-rename hostname_s = host_hostname_s
//Please add your EDR table name in place of ContrastWAFLogs_CL and hostname's column name in place of hostname_s below and uncomment the queries below
//| join kind = inner ( ContrastWAFLogs_CL
//| where TimeGenerated >= ago(5m)) on hostname_s
name: Contrast ADR - EDR Alert Correlation
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_EDR.yaml
queryPeriod: 5m
version: 1.0.0
severity: Medium
id: c1c6ba64-134e-403b-b9a6-1bebc90809a4
triggerOperator: gt
triggerThreshold: 0
kind: Scheduled
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    groupByEntities:
    - Host
    lookbackDuration: PT1H
    enabled: true
    matchingMethod: Selected
requiredDataConnectors:
- dataTypes:
  - ContrastADRIncident_CL
  - ContrastADR_CL
  connectorId: ContrastADR
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1059
- T1055
- T1190
- T1008
description: |
    'Correlates Contrast ADR incidents with specific high-risk attack patterns including command injection, deserialization attacks, and file upload vulnerabilities. This rule identifies confirmed security events that require immediate attention from security teams.'
alertDetailsOverride:
  alertDescriptionFormat: EDR Alert Confirmed {{result_s}} by Contrast ADR on {{application_name_s}}
  alertDisplayNameFormat: EDR Alert Confirmed {{result_s}} by Contrast ADR on {{application_name_s}}
query: |
  ContrastADRIncident_CL
  | project-rename  incident_id_s = incidentId_s
  | join kind=inner (ContrastADR_CL | where rule_s in~("class-loader-manipulation", "cmd-injection-semantic-chained-commands", "cmd-injection-semantic-dangerous-paths", "cmd-injection-command-backdoors", "cmd-injection-process-hardening", "cmd-injection", "expression-language-injection", "jndi-injection", "ssjs-injection", "unsafe-file-upload", "untrusted-deserialization","xxe")) on incident_id_s
  | project-rename hostname_s = host_hostname_s
  //Please add your EDR table name in place of ContrastWAFLogs_CL and hostname's column name in place of hostname_s below and uncomment the queries below
  //| join kind = inner ( ContrastWAFLogs_CL
  //| where TimeGenerated >= ago(5m)) on hostname_s  
tactics:
- Execution
- DefenseEvasion
- InitialAccess
- CommandAndControl
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: host_hostname_s
    identifier: HostName
status: Available
queryFrequency: 5m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c1c6ba64-134e-403b-b9a6-1bebc90809a4')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c1c6ba64-134e-403b-b9a6-1bebc90809a4')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "EDR Alert Confirmed {{result_s}} by Contrast ADR on {{application_name_s}}",
          "alertDisplayNameFormat": "EDR Alert Confirmed {{result_s}} by Contrast ADR on {{application_name_s}}"
        },
        "alertRuleTemplateName": "c1c6ba64-134e-403b-b9a6-1bebc90809a4",
        "customDetails": null,
        "description": "'Correlates Contrast ADR incidents with specific high-risk attack patterns including command injection, deserialization attacks, and file upload vulnerabilities. This rule identifies confirmed security events that require immediate attention from security teams.'\n",
        "displayName": "Contrast ADR - EDR Alert Correlation",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "host_hostname_s",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByEntities": [
              "Host"
            ],
            "lookbackDuration": "PT1H",
            "matchingMethod": "Selected",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_EDR.yaml",
        "query": "ContrastADRIncident_CL\n| project-rename  incident_id_s = incidentId_s\n| join kind=inner (ContrastADR_CL | where rule_s in~(\"class-loader-manipulation\", \"cmd-injection-semantic-chained-commands\", \"cmd-injection-semantic-dangerous-paths\", \"cmd-injection-command-backdoors\", \"cmd-injection-process-hardening\", \"cmd-injection\", \"expression-language-injection\", \"jndi-injection\", \"ssjs-injection\", \"unsafe-file-upload\", \"untrusted-deserialization\",\"xxe\")) on incident_id_s\n| project-rename hostname_s = host_hostname_s\n//Please add your EDR table name in place of ContrastWAFLogs_CL and hostname's column name in place of hostname_s below and uncomment the queries below\n//| join kind = inner ( ContrastWAFLogs_CL\n//| where TimeGenerated >= ago(5m)) on hostname_s\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "DefenseEvasion",
          "Execution",
          "InitialAccess"
        ],
        "techniques": [
          "T1008",
          "T1055",
          "T1059",
          "T1190"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}