Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Contrast ADR - EDR Alert Correlation

Back
Idc1c6ba64-134e-403b-b9a6-1bebc90809a4
RulenameContrast ADR - EDR Alert Correlation
DescriptionCorrelates Contrast ADR incidents with specific high-risk attack patterns including command injection, deserialization attacks, and file upload vulnerabilities. This rule identifies confirmed security events that require immediate attention from security teams.
SeverityMedium
TacticsExecution
DefenseEvasion
InitialAccess
CommandAndControl
TechniquesT1059
T1055
T1190
T1008
Required data connectorsContrastADR
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_EDR.yaml
Version1.0.0
Arm templatec1c6ba64-134e-403b-b9a6-1bebc90809a4.json
Deploy To Azure
ContrastADRIncident_CL
| project-rename  incident_id_s = incidentId_s
| join kind=inner (ContrastADR_CL | where rule_s in~("class-loader-manipulation", "cmd-injection-semantic-chained-commands", "cmd-injection-semantic-dangerous-paths", "cmd-injection-command-backdoors", "cmd-injection-process-hardening", "cmd-injection", "expression-language-injection", "jndi-injection", "ssjs-injection", "unsafe-file-upload", "untrusted-deserialization","xxe")) on incident_id_s
| project-rename hostname_s = host_hostname_s
//Please add your EDR table name in place of ContrastWAFLogs_CL and hostname's column name in place of hostname_s below and uncomment the queries below
//| join kind = inner ( ContrastWAFLogs_CL
//| where TimeGenerated >= ago(5m)) on hostname_s
kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertDisplayNameFormat: EDR Alert Confirmed {{result_s}} by Contrast ADR on {{application_name_s}}
  alertDescriptionFormat: EDR Alert Confirmed {{result_s}} by Contrast ADR on {{application_name_s}}
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: host_hostname_s
    identifier: HostName
description: |
    'Correlates Contrast ADR incidents with specific high-risk attack patterns including command injection, deserialization attacks, and file upload vulnerabilities. This rule identifies confirmed security events that require immediate attention from security teams.'
severity: Medium
queryFrequency: 5m
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: PT1H
    matchingMethod: Selected
    enabled: true
    groupByEntities:
    - Host
  createIncident: true
triggerThreshold: 0
relevantTechniques:
- T1059
- T1055
- T1190
- T1008
status: Available
tactics:
- Execution
- DefenseEvasion
- InitialAccess
- CommandAndControl
name: Contrast ADR - EDR Alert Correlation
id: c1c6ba64-134e-403b-b9a6-1bebc90809a4
query: |
  ContrastADRIncident_CL
  | project-rename  incident_id_s = incidentId_s
  | join kind=inner (ContrastADR_CL | where rule_s in~("class-loader-manipulation", "cmd-injection-semantic-chained-commands", "cmd-injection-semantic-dangerous-paths", "cmd-injection-command-backdoors", "cmd-injection-process-hardening", "cmd-injection", "expression-language-injection", "jndi-injection", "ssjs-injection", "unsafe-file-upload", "untrusted-deserialization","xxe")) on incident_id_s
  | project-rename hostname_s = host_hostname_s
  //Please add your EDR table name in place of ContrastWAFLogs_CL and hostname's column name in place of hostname_s below and uncomment the queries below
  //| join kind = inner ( ContrastWAFLogs_CL
  //| where TimeGenerated >= ago(5m)) on hostname_s  
requiredDataConnectors:
- dataTypes:
  - ContrastADRIncident_CL
  - ContrastADR_CL
  connectorId: ContrastADR
version: 1.0.0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_EDR.yaml
queryPeriod: 5m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c1c6ba64-134e-403b-b9a6-1bebc90809a4')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c1c6ba64-134e-403b-b9a6-1bebc90809a4')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "EDR Alert Confirmed {{result_s}} by Contrast ADR on {{application_name_s}}",
          "alertDisplayNameFormat": "EDR Alert Confirmed {{result_s}} by Contrast ADR on {{application_name_s}}"
        },
        "alertRuleTemplateName": "c1c6ba64-134e-403b-b9a6-1bebc90809a4",
        "customDetails": null,
        "description": "'Correlates Contrast ADR incidents with specific high-risk attack patterns including command injection, deserialization attacks, and file upload vulnerabilities. This rule identifies confirmed security events that require immediate attention from security teams.'\n",
        "displayName": "Contrast ADR - EDR Alert Correlation",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "host_hostname_s",
                "identifier": "HostName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByEntities": [
              "Host"
            ],
            "lookbackDuration": "PT1H",
            "matchingMethod": "Selected",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_EDR.yaml",
        "query": "ContrastADRIncident_CL\n| project-rename  incident_id_s = incidentId_s\n| join kind=inner (ContrastADR_CL | where rule_s in~(\"class-loader-manipulation\", \"cmd-injection-semantic-chained-commands\", \"cmd-injection-semantic-dangerous-paths\", \"cmd-injection-command-backdoors\", \"cmd-injection-process-hardening\", \"cmd-injection\", \"expression-language-injection\", \"jndi-injection\", \"ssjs-injection\", \"unsafe-file-upload\", \"untrusted-deserialization\",\"xxe\")) on incident_id_s\n| project-rename hostname_s = host_hostname_s\n//Please add your EDR table name in place of ContrastWAFLogs_CL and hostname's column name in place of hostname_s below and uncomment the queries below\n//| join kind = inner ( ContrastWAFLogs_CL\n//| where TimeGenerated >= ago(5m)) on hostname_s\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "DefenseEvasion",
          "Execution",
          "InitialAccess"
        ],
        "techniques": [
          "T1008",
          "T1055",
          "T1059",
          "T1190"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}