Contrast ADR - EDR Alert Correlation

| Field | Value |
| --- | --- |
| Id | c1c6ba64-134e-403b-b9a6-1bebc90809a4 |
| Rule name | Contrast ADR - EDR Alert Correlation |
| Description | Correlates Contrast ADR incidents with specific high-risk attack patterns, including command injection, deserialization attacks, and file upload vulnerabilities. This rule identifies confirmed security events that require immediate attention from security teams. |
| Severity | Medium |
| Tactics | Execution, DefenseEvasion, InitialAccess, CommandAndControl |
| Techniques | T1059, T1055, T1190, T1008 |
| Required data connectors | ContrastADR |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source URI | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_EDR.yaml |
| Version | 1.0.0 |
| ARM template | c1c6ba64-134e-403b-b9a6-1bebc90809a4.json |
Query:

```kusto
// Start from Contrast ADR incidents and align the join key name with the event table
ContrastADRIncident_CL
| project-rename incident_id_s = incidentId_s
// Keep only incidents whose triggering rule is one of the high-risk attack classes
| join kind=inner (
    ContrastADR_CL
    | where rule_s in~ (
        "class-loader-manipulation",
        "cmd-injection-semantic-chained-commands",
        "cmd-injection-semantic-dangerous-paths",
        "cmd-injection-command-backdoors",
        "cmd-injection-process-hardening",
        "cmd-injection",
        "expression-language-injection",
        "jndi-injection",
        "ssjs-injection",
        "unsafe-file-upload",
        "untrusted-deserialization",
        "xxe")
  ) on incident_id_s
// Rename the host column so it can be joined against the EDR table's hostname column
| project-rename hostname_s = host_hostname_s
// Replace ContrastWAFLogs_CL with your EDR table name and hostname_s with that table's hostname column name, then uncomment the two lines below
//| join kind=inner (ContrastWAFLogs_CL
//    | where TimeGenerated >= ago(5m)) on hostname_s
```
Rule definition (YAML):

```yaml
description: |
  'Correlates Contrast ADR incidents with specific high-risk attack patterns including command injection, deserialization attacks, and file upload vulnerabilities. This rule identifies confirmed security events that require immediate attention from security teams.'
version: 1.0.0
triggerThreshold: 0
tactics:
  - Execution
  - DefenseEvasion
  - InitialAccess
  - CommandAndControl
queryPeriod: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_EDR.yaml
triggerOperator: gt
status: Available
alertDetailsOverride:
  alertDisplayNameFormat: EDR Alert Confirmed {{result_s}} by Contrast ADR on {{application_name_s}}
  alertDescriptionFormat: EDR Alert Confirmed {{result_s}} by Contrast ADR on {{application_name_s}}
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: c1c6ba64-134e-403b-b9a6-1bebc90809a4
name: Contrast ADR - EDR Alert Correlation
queryFrequency: 5m
severity: Medium
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    groupByEntities:
      - Host
    reopenClosedIncident: false
    matchingMethod: Selected
    lookbackDuration: PT1H
kind: Scheduled
entityMappings:
  - fieldMappings:
      - columnName: host_hostname_s
        identifier: HostName
    entityType: Host
relevantTechniques:
  - T1059
  - T1055
  - T1190
  - T1008
query: |
  ContrastADRIncident_CL
  | project-rename incident_id_s = incidentId_s
  | join kind=inner (ContrastADR_CL | where rule_s in~("class-loader-manipulation", "cmd-injection-semantic-chained-commands", "cmd-injection-semantic-dangerous-paths", "cmd-injection-command-backdoors", "cmd-injection-process-hardening", "cmd-injection", "expression-language-injection", "jndi-injection", "ssjs-injection", "unsafe-file-upload", "untrusted-deserialization","xxe")) on incident_id_s
  | project-rename hostname_s = host_hostname_s
  // Replace ContrastWAFLogs_CL with your EDR table name and hostname_s with that table's hostname column name, then uncomment the two lines below
  //| join kind = inner ( ContrastWAFLogs_CL
  //| where TimeGenerated >= ago(5m)) on hostname_s
requiredDataConnectors:
  - dataTypes:
      - ContrastADRIncident_CL
      - ContrastADR_CL
    connectorId: ContrastADR
```