Contrast ADR - EDR Alert Correlation
| Id | c1c6ba64-134e-403b-b9a6-1bebc90809a4 |
| Rulename | Contrast ADR - EDR Alert Correlation |
| Description | Correlates Contrast ADR incidents with specific high-risk attack patterns including command injection, deserialization attacks, and file upload vulnerabilities. This rule identifies confirmed security events that require immediate attention from security teams. |
| Severity | Medium |
| Tactics | Execution DefenseEvasion InitialAccess CommandAndControl |
| Techniques | T1059 T1055 T1190 T1008 |
| Required data connectors | ContrastADR |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_EDR.yaml |
| Version | 1.0.1 |
| Arm template | c1c6ba64-134e-403b-b9a6-1bebc90809a4.json |
ContrastADRIncident_CL
| join kind=inner (ContrastADR_CL | where rule_s in~("class-loader-manipulation", "cmd-injection-semantic-chained-commands", "cmd-injection-semantic-dangerous-paths", "cmd-injection-command-backdoors", "cmd-injection-process-hardening", "cmd-injection", "expression-language-injection", "jndi-injection", "ssjs-injection", "unsafe-file-upload", "untrusted-deserialization","xxe") | project-rename hostname_s = host_hostname_s) on incidentId_s
//Please add your EDR table name in place of ContrastWAFLogs_CL and hostname's column name in place of hostname_s below and uncomment the queries below
//| join kind = inner ( ContrastWAFLogs_CL
//| where TimeGenerated >= ago(5m)) on hostname_s
name: Contrast ADR - EDR Alert Correlation
kind: Scheduled
tactics:
- Execution
- DefenseEvasion
- InitialAccess
- CommandAndControl
triggerThreshold: 0
triggerOperator: gt
version: 1.0.1
status: Available
alertDetailsOverride:
alertDisplayNameFormat: EDR Alert Confirmed {{result_s}} by Contrast ADR on {{application_name_s}}
alertDescriptionFormat: EDR Alert Confirmed {{result_s}} by Contrast ADR on {{application_name_s}}
incidentConfiguration:
createIncident: true
groupingConfiguration:
reopenClosedIncident: false
enabled: true
matchingMethod: Selected
groupByEntities:
- Host
lookbackDuration: PT1H
queryFrequency: 5m
id: c1c6ba64-134e-403b-b9a6-1bebc90809a4
requiredDataConnectors:
- connectorId: ContrastADR
dataTypes:
- ContrastADRIncident_CL
- ContrastADR_CL
eventGroupingSettings:
aggregationKind: AlertPerResult
relevantTechniques:
- T1059
- T1055
- T1190
- T1008
description: |
'Correlates Contrast ADR incidents with specific high-risk attack patterns including command injection, deserialization attacks, and file upload vulnerabilities. This rule identifies confirmed security events that require immediate attention from security teams.'
entityMappings:
- entityType: Host
fieldMappings:
- columnName: host_hostname_s
identifier: HostName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_EDR.yaml
queryPeriod: 5m
severity: Medium
query: |
ContrastADRIncident_CL
| join kind=inner (ContrastADR_CL | where rule_s in~("class-loader-manipulation", "cmd-injection-semantic-chained-commands", "cmd-injection-semantic-dangerous-paths", "cmd-injection-command-backdoors", "cmd-injection-process-hardening", "cmd-injection", "expression-language-injection", "jndi-injection", "ssjs-injection", "unsafe-file-upload", "untrusted-deserialization","xxe") | project-rename hostname_s = host_hostname_s) on incidentId_s
//Please add your EDR table name in place of ContrastWAFLogs_CL and hostname's column name in place of hostname_s below and uncomment the queries below
//| join kind = inner ( ContrastWAFLogs_CL
//| where TimeGenerated >= ago(5m)) on hostname_s