Contrast ADR - EDR Alert Correlation
| Id | c1c6ba64-134e-403b-b9a6-1bebc90809a4 |
| Rulename | Contrast ADR - EDR Alert Correlation |
| Description | Correlates Contrast ADR incidents with specific high-risk attack patterns including command injection, deserialization attacks, and file upload vulnerabilities. This rule identifies confirmed security events that require immediate attention from security teams. |
| Severity | Medium |
| Tactics | Execution DefenseEvasion InitialAccess CommandAndControl |
| Techniques | T1059 T1055 T1190 T1008 |
| Required data connectors | ContrastADRCCF |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_EDR.yaml |
| Version | 1.0.2 |
| Arm template | c1c6ba64-134e-403b-b9a6-1bebc90809a4.json |
ContrastADRIncidents_CL
| join kind=inner (ContrastADRAttackEvents_CL | where rule in~("class-loader-manipulation", "cmd-injection-semantic-chained-commands", "cmd-injection-semantic-dangerous-paths", "cmd-injection-command-backdoors", "cmd-injection-process-hardening", "cmd-injection", "expression-language-injection", "jndi-injection", "ssjs-injection", "unsafe-file-upload", "untrusted-deserialization","xxe") | project-rename hostname = host_hostname) on incidentId
//Please add your EDR table name in place of ContrastWAFLogs_CL and hostname's column name in place of hostname below and uncomment the queries below
//| join kind = inner ( ContrastWAFLogs_CL
//| where TimeGenerated >= ago(5m)) on hostname
name: Contrast ADR - EDR Alert Correlation
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
enabled: true
matchingMethod: Selected
groupByEntities:
- Host
lookbackDuration: PT1H
createIncident: true
query: |
ContrastADRIncidents_CL
| join kind=inner (ContrastADRAttackEvents_CL | where rule in~("class-loader-manipulation", "cmd-injection-semantic-chained-commands", "cmd-injection-semantic-dangerous-paths", "cmd-injection-command-backdoors", "cmd-injection-process-hardening", "cmd-injection", "expression-language-injection", "jndi-injection", "ssjs-injection", "unsafe-file-upload", "untrusted-deserialization","xxe") | project-rename hostname = host_hostname) on incidentId
//Please add your EDR table name in place of ContrastWAFLogs_CL and hostname's column name in place of hostname below and uncomment the queries below
//| join kind = inner ( ContrastWAFLogs_CL
//| where TimeGenerated >= ago(5m)) on hostname
entityMappings:
- entityType: Host
fieldMappings:
- columnName: hostname
identifier: HostName
queryPeriod: 5m
version: 1.0.2
tactics:
- Execution
- DefenseEvasion
- InitialAccess
- CommandAndControl
triggerOperator: gt
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_EDR.yaml
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride:
alertDescriptionFormat: EDR Alert Confirmed {{result}} by Contrast ADR on {{application_name}}
alertDisplayNameFormat: EDR Alert Confirmed {{result}} by Contrast ADR on {{application_name}}
relevantTechniques:
- T1059
- T1055
- T1190
- T1008
id: c1c6ba64-134e-403b-b9a6-1bebc90809a4
severity: Medium
requiredDataConnectors:
- connectorId: ContrastADRCCF
dataTypes:
- ContrastADRIncidents_CL
- ContrastADRAttackEvents_CL
status: Available
description: |
'Correlates Contrast ADR incidents with specific high-risk attack patterns including command injection, deserialization attacks, and file upload vulnerabilities. This rule identifies confirmed security events that require immediate attention from security teams.'
queryFrequency: 5m