Contrast ADR - EDR Alert Correlation

Back


Id	c1c6ba64-134e-403b-b9a6-1bebc90809a4
Rulename	Contrast ADR - EDR Alert Correlation
Description	Correlates Contrast ADR incidents with specific high-risk attack patterns including command injection, deserialization attacks, and file upload vulnerabilities. This rule identifies confirmed security events that require immediate attention from security teams.
Severity	Medium
Tactics	Execution DefenseEvasion InitialAccess CommandAndControl
Techniques	T1059 T1055 T1190 T1008
Required data connectors	ContrastADR
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_EDR.yaml
Version	1.0.0
Arm template	c1c6ba64-134e-403b-b9a6-1bebc90809a4.json

KQL

ContrastADRIncident_CL
| project-rename  incident_id_s = incidentId_s
| join kind=inner (ContrastADR_CL | where rule_s in~("class-loader-manipulation", "cmd-injection-semantic-chained-commands", "cmd-injection-semantic-dangerous-paths", "cmd-injection-command-backdoors", "cmd-injection-process-hardening", "cmd-injection", "expression-language-injection", "jndi-injection", "ssjs-injection", "unsafe-file-upload", "untrusted-deserialization","xxe")) on incident_id_s
| project-rename hostname_s = host_hostname_s
//Please add your EDR table name in place of ContrastWAFLogs_CL and hostname's column name in place of hostname_s below and uncomment the queries below
//| join kind = inner ( ContrastWAFLogs_CL
//| where TimeGenerated >= ago(5m)) on hostname_s

YAML

name: Contrast ADR - EDR Alert Correlation
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_EDR.yaml
queryPeriod: 5m
version: 1.0.0
severity: Medium
id: c1c6ba64-134e-403b-b9a6-1bebc90809a4
triggerOperator: gt
triggerThreshold: 0
kind: Scheduled
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    groupByEntities:
    - Host
    lookbackDuration: PT1H
    enabled: true
    matchingMethod: Selected
requiredDataConnectors:
- dataTypes:
  - ContrastADRIncident_CL
  - ContrastADR_CL
  connectorId: ContrastADR
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1059
- T1055
- T1190
- T1008
description: |
    'Correlates Contrast ADR incidents with specific high-risk attack patterns including command injection, deserialization attacks, and file upload vulnerabilities. This rule identifies confirmed security events that require immediate attention from security teams.'
alertDetailsOverride:
  alertDescriptionFormat: EDR Alert Confirmed {{result_s}} by Contrast ADR on {{application_name_s}}
  alertDisplayNameFormat: EDR Alert Confirmed {{result_s}} by Contrast ADR on {{application_name_s}}
query: |
  ContrastADRIncident_CL
  | project-rename  incident_id_s = incidentId_s
  | join kind=inner (ContrastADR_CL | where rule_s in~("class-loader-manipulation", "cmd-injection-semantic-chained-commands", "cmd-injection-semantic-dangerous-paths", "cmd-injection-command-backdoors", "cmd-injection-process-hardening", "cmd-injection", "expression-language-injection", "jndi-injection", "ssjs-injection", "unsafe-file-upload", "untrusted-deserialization","xxe")) on incident_id_s
  | project-rename hostname_s = host_hostname_s
  //Please add your EDR table name in place of ContrastWAFLogs_CL and hostname's column name in place of hostname_s below and uncomment the queries below
  //| join kind = inner ( ContrastWAFLogs_CL
  //| where TimeGenerated >= ago(5m)) on hostname_s  
tactics:
- Execution
- DefenseEvasion
- InitialAccess
- CommandAndControl
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: host_hostname_s
    identifier: HostName
status: Available
queryFrequency: 5m

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c1c6ba64-134e-403b-b9a6-1bebc90809a4')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c1c6ba64-134e-403b-b9a6-1bebc90809a4')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "EDR Alert Confirmed {{result_s}} by Contrast ADR on {{application_name_s}}",
          "alertDisplayNameFormat": "EDR Alert Confirmed {{result_s}} by Contrast ADR on {{application_name_s}}"
        },
        "alertRuleTemplateName": "c1c6ba64-134e-403b-b9a6-1bebc90809a4",
        "customDetails": null,
        "description": "'Correlates Contrast ADR incidents with specific high-risk attack patterns including command injection, deserialization attacks, and file upload vulnerabilities. This rule identifies confirmed security events that require immediate attention from security teams.'\n",
        "displayName": "Contrast ADR - EDR Alert Correlation",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "host_hostname_s",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByEntities": [
              "Host"
            ],
            "lookbackDuration": "PT1H",
            "matchingMethod": "Selected",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_EDR.yaml",
        "query": "ContrastADRIncident_CL\n| project-rename  incident_id_s = incidentId_s\n| join kind=inner (ContrastADR_CL | where rule_s in~(\"class-loader-manipulation\", \"cmd-injection-semantic-chained-commands\", \"cmd-injection-semantic-dangerous-paths\", \"cmd-injection-command-backdoors\", \"cmd-injection-process-hardening\", \"cmd-injection\", \"expression-language-injection\", \"jndi-injection\", \"ssjs-injection\", \"unsafe-file-upload\", \"untrusted-deserialization\",\"xxe\")) on incident_id_s\n| project-rename hostname_s = host_hostname_s\n//Please add your EDR table name in place of ContrastWAFLogs_CL and hostname's column name in place of hostname_s below and uncomment the queries below\n//| join kind = inner ( ContrastWAFLogs_CL\n//| where TimeGenerated >= ago(5m)) on hostname_s\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "DefenseEvasion",
          "Execution",
          "InitialAccess"
        ],
        "techniques": [
          "T1008",
          "T1055",
          "T1059",
          "T1190"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}