Contrast ADR - EDR Alert Correlation
| Id | c1c6ba64-134e-403b-b9a6-1bebc90809a4 |
| Rulename | Contrast ADR - EDR Alert Correlation |
| Description | Correlates Contrast ADR incidents with specific high-risk attack patterns including command injection, deserialization attacks, and file upload vulnerabilities. This rule identifies confirmed security events that require immediate attention from security teams. |
| Severity | Medium |
| Tactics | Execution DefenseEvasion InitialAccess CommandAndControl |
| Techniques | T1059 T1055 T1190 T1008 |
| Required data connectors | ContrastADRCCF |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_EDR.yaml |
| Version | 1.0.2 |
| Arm template | c1c6ba64-134e-403b-b9a6-1bebc90809a4.json |
ContrastADRIncidents_CL
| join kind=inner (ContrastADRAttackEvents_CL | where rule in~("class-loader-manipulation", "cmd-injection-semantic-chained-commands", "cmd-injection-semantic-dangerous-paths", "cmd-injection-command-backdoors", "cmd-injection-process-hardening", "cmd-injection", "expression-language-injection", "jndi-injection", "ssjs-injection", "unsafe-file-upload", "untrusted-deserialization","xxe") | project-rename hostname = host_hostname) on incidentId
//Please add your EDR table name in place of ContrastWAFLogs_CL and hostname's column name in place of hostname below and uncomment the queries below
//| join kind = inner ( ContrastWAFLogs_CL
//| where TimeGenerated >= ago(5m)) on hostname
relevantTechniques:
- T1059
- T1055
- T1190
- T1008
name: Contrast ADR - EDR Alert Correlation
version: 1.0.2
entityMappings:
- fieldMappings:
- columnName: hostname
identifier: HostName
entityType: Host
triggerThreshold: 0
alertDetailsOverride:
alertDisplayNameFormat: EDR Alert Confirmed {{result}} by Contrast ADR on {{application_name}}
alertDescriptionFormat: EDR Alert Confirmed {{result}} by Contrast ADR on {{application_name}}
kind: Scheduled
queryFrequency: 5m
description: |
'Correlates Contrast ADR incidents with specific high-risk attack patterns including command injection, deserialization attacks, and file upload vulnerabilities. This rule identifies confirmed security events that require immediate attention from security teams.'
queryPeriod: 5m
id: c1c6ba64-134e-403b-b9a6-1bebc90809a4
requiredDataConnectors:
- connectorId: ContrastADRCCF
dataTypes:
- ContrastADRIncidents_CL
- ContrastADRAttackEvents_CL
tactics:
- Execution
- DefenseEvasion
- InitialAccess
- CommandAndControl
severity: Medium
status: Available
eventGroupingSettings:
aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_EDR.yaml
query: |
ContrastADRIncidents_CL
| join kind=inner (ContrastADRAttackEvents_CL | where rule in~("class-loader-manipulation", "cmd-injection-semantic-chained-commands", "cmd-injection-semantic-dangerous-paths", "cmd-injection-command-backdoors", "cmd-injection-process-hardening", "cmd-injection", "expression-language-injection", "jndi-injection", "ssjs-injection", "unsafe-file-upload", "untrusted-deserialization","xxe") | project-rename hostname = host_hostname) on incidentId
//Please add your EDR table name in place of ContrastWAFLogs_CL and hostname's column name in place of hostname below and uncomment the queries below
//| join kind = inner ( ContrastWAFLogs_CL
//| where TimeGenerated >= ago(5m)) on hostname
triggerOperator: gt
incidentConfiguration:
createIncident: true
groupingConfiguration:
groupByEntities:
- Host
reopenClosedIncident: false
enabled: true
matchingMethod: Selected
lookbackDuration: PT1H