Contrast ADR - EDR Alert Correlation

Back


Id	c1c6ba64-134e-403b-b9a6-1bebc90809a4
Rulename	Contrast ADR - EDR Alert Correlation
Description	Correlates Contrast ADR incidents with specific high-risk attack patterns including command injection, deserialization attacks, and file upload vulnerabilities. This rule identifies confirmed security events that require immediate attention from security teams.
Severity	Medium
Tactics	Execution DefenseEvasion InitialAccess CommandAndControl
Techniques	T1059 T1055 T1190 T1008
Required data connectors	ContrastADR
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_EDR.yaml
Version	1.0.1
Arm template	c1c6ba64-134e-403b-b9a6-1bebc90809a4.json

KQL

ContrastADRIncident_CL
| join kind=inner (ContrastADR_CL | where rule_s in~("class-loader-manipulation", "cmd-injection-semantic-chained-commands", "cmd-injection-semantic-dangerous-paths", "cmd-injection-command-backdoors", "cmd-injection-process-hardening", "cmd-injection", "expression-language-injection", "jndi-injection", "ssjs-injection", "unsafe-file-upload", "untrusted-deserialization","xxe") | project-rename hostname_s = host_hostname_s) on incidentId_s
//Please add your EDR table name in place of ContrastWAFLogs_CL and hostname's column name in place of hostname_s below and uncomment the queries below
//| join kind = inner ( ContrastWAFLogs_CL
//| where TimeGenerated >= ago(5m)) on hostname_s

YAML

version: 1.0.1
queryFrequency: 5m
kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1059
- T1055
- T1190
- T1008
alertDetailsOverride:
  alertDisplayNameFormat: EDR Alert Confirmed {{result_s}} by Contrast ADR on {{application_name_s}}
  alertDescriptionFormat: EDR Alert Confirmed {{result_s}} by Contrast ADR on {{application_name_s}}
triggerOperator: gt
status: Available
requiredDataConnectors:
- connectorId: ContrastADR
  dataTypes:
  - ContrastADRIncident_CL
  - ContrastADR_CL
id: c1c6ba64-134e-403b-b9a6-1bebc90809a4
name: Contrast ADR - EDR Alert Correlation
query: |
  ContrastADRIncident_CL
  | join kind=inner (ContrastADR_CL | where rule_s in~("class-loader-manipulation", "cmd-injection-semantic-chained-commands", "cmd-injection-semantic-dangerous-paths", "cmd-injection-command-backdoors", "cmd-injection-process-hardening", "cmd-injection", "expression-language-injection", "jndi-injection", "ssjs-injection", "unsafe-file-upload", "untrusted-deserialization","xxe") | project-rename hostname_s = host_hostname_s) on incidentId_s
  //Please add your EDR table name in place of ContrastWAFLogs_CL and hostname's column name in place of hostname_s below and uncomment the queries below
  //| join kind = inner ( ContrastWAFLogs_CL
  //| where TimeGenerated >= ago(5m)) on hostname_s  
queryPeriod: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_EDR.yaml
triggerThreshold: 0
description: |
    'Correlates Contrast ADR incidents with specific high-risk attack patterns including command injection, deserialization attacks, and file upload vulnerabilities. This rule identifies confirmed security events that require immediate attention from security teams.'
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: host_hostname_s
severity: Medium
tactics:
- Execution
- DefenseEvasion
- InitialAccess
- CommandAndControl
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT1H
    matchingMethod: Selected
    groupByEntities:
    - Host
    reopenClosedIncident: false
    enabled: true

ARM