Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Contrast Exploits

Contrast Exploits

Back
Ide1abb6ed-be18-40fd-be58-3d3d84041daf
RulenameContrast Exploits
DescriptionCreates Incidents for Exploit events sourced from the Contrast Protect agent.
SeverityHigh
TacticsInitialAccess
Exfiltration
TechniquesT1566
Required data connectorsCefAma
ContrastProtect
ContrastProtectAma
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastExploits.yaml
Version1.0.2
Arm templatee1abb6ed-be18-40fd-be58-3d3d84041daf.json
Deploy To Azure
let extract_data=(a:string, k:string) {
  parse_urlquery(replace(@';', @'&', a))["Query Parameters"][k]
};

CommonSecurityLog 
| where DeviceVendor == "Contrast Security"
| where AdditionalExtensions contains "EXPLOITED"
| extend DeviceProduct
| extend SourceIP
| extend DeviceVersion
| extend Activity
| extend ApplicationProtocol
| extend RequestURL
| extend RequestMethod
| extend Rule = extract_data(AdditionalExtensions, 'pri')

relevantTechniques:
- T1566
entityMappings:
- fieldMappings:
  - columnName: SourceIP
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: RequestURL
    identifier: Url
  entityType: URL
- fieldMappings:
  - columnName: ApplicationProtocol
    identifier: Name
  entityType: CloudApplication
- fieldMappings:
  - columnName: Activity
    identifier: Name
  - columnName: Rule
    identifier: Category
  entityType: Malware
triggerThreshold: 0
description: |
    'Creates Incidents for Exploit events sourced from the Contrast Protect agent.'
customDetails:
  Application: ApplicationProtocol
  AgentVersion: DeviceVersion
  Details: AdditionalExtensions
  Attack: Activity
  Agent: DeviceProduct
requiredDataConnectors:
- connectorId: ContrastProtect
  dataTypes:
  - CommonSecurityLog
- connectorId: ContrastProtectAma
  dataTypes:
  - CommonSecurityLog
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
triggerOperator: gt
version: 1.0.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastExploits.yaml
id: e1abb6ed-be18-40fd-be58-3d3d84041daf
queryFrequency: 5m
query: |
  let extract_data=(a:string, k:string) {
    parse_urlquery(replace(@';', @'&', a))["Query Parameters"][k]
  };

  CommonSecurityLog 
  | where DeviceVendor == "Contrast Security"
  | where AdditionalExtensions contains "EXPLOITED"
  | extend DeviceProduct
  | extend SourceIP
  | extend DeviceVersion
  | extend Activity
  | extend ApplicationProtocol
  | extend RequestURL
  | extend RequestMethod
  | extend Rule = extract_data(AdditionalExtensions, 'pri')  
severity: High
status: Available
queryPeriod: 5m
name: Contrast Exploits
tactics:
- InitialAccess
- Exfiltration
kind: Scheduled