Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Contrast Exploits

Back
Ide1abb6ed-be18-40fd-be58-3d3d84041daf
RulenameContrast Exploits
DescriptionCreates Incidents for Exploit events sourced from the Contrast Protect agent.
SeverityHigh
TacticsInitialAccess
Exfiltration
TechniquesT1566
Required data connectorsCefAma
ContrastProtect
ContrastProtectAma
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastExploits.yaml
Version1.0.2
Arm templatee1abb6ed-be18-40fd-be58-3d3d84041daf.json
Deploy To Azure
let extract_data=(a:string, k:string) {
  parse_urlquery(replace(@';', @'&', a))["Query Parameters"][k]
};

CommonSecurityLog 
| where DeviceVendor == "Contrast Security"
| where AdditionalExtensions contains "EXPLOITED"
| extend DeviceProduct
| extend SourceIP
| extend DeviceVersion
| extend Activity
| extend ApplicationProtocol
| extend RequestURL
| extend RequestMethod
| extend Rule = extract_data(AdditionalExtensions, 'pri')
status: Available
queryPeriod: 5m
version: 1.0.2
queryFrequency: 5m
tactics:
- InitialAccess
- Exfiltration
name: Contrast Exploits
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastExploits.yaml
customDetails:
  Details: AdditionalExtensions
  AgentVersion: DeviceVersion
  Application: ApplicationProtocol
  Agent: DeviceProduct
  Attack: Activity
id: e1abb6ed-be18-40fd-be58-3d3d84041daf
query: |
  let extract_data=(a:string, k:string) {
    parse_urlquery(replace(@';', @'&', a))["Query Parameters"][k]
  };

  CommonSecurityLog 
  | where DeviceVendor == "Contrast Security"
  | where AdditionalExtensions contains "EXPLOITED"
  | extend DeviceProduct
  | extend SourceIP
  | extend DeviceVersion
  | extend Activity
  | extend ApplicationProtocol
  | extend RequestURL
  | extend RequestMethod
  | extend Rule = extract_data(AdditionalExtensions, 'pri')  
kind: Scheduled
severity: High
triggerOperator: gt
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: ContrastProtect
- dataTypes:
  - CommonSecurityLog
  connectorId: ContrastProtectAma
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SourceIP
  entityType: IP
- fieldMappings:
  - identifier: Url
    columnName: RequestURL
  entityType: URL
- fieldMappings:
  - identifier: Name
    columnName: ApplicationProtocol
  entityType: CloudApplication
- fieldMappings:
  - identifier: Name
    columnName: Activity
  - identifier: Category
    columnName: Rule
  entityType: Malware
relevantTechniques:
- T1566
description: |
    'Creates Incidents for Exploit events sourced from the Contrast Protect agent.'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e1abb6ed-be18-40fd-be58-3d3d84041daf')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e1abb6ed-be18-40fd-be58-3d3d84041daf')]",
      "properties": {
        "alertRuleTemplateName": "e1abb6ed-be18-40fd-be58-3d3d84041daf",
        "customDetails": {
          "Agent": "DeviceProduct",
          "AgentVersion": "DeviceVersion",
          "Application": "ApplicationProtocol",
          "Attack": "Activity",
          "Details": "AdditionalExtensions"
        },
        "description": "'Creates Incidents for Exploit events sourced from the Contrast Protect agent.'\n",
        "displayName": "Contrast Exploits",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "RequestURL",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "ApplicationProtocol",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Malware",
            "fieldMappings": [
              {
                "columnName": "Activity",
                "identifier": "Name"
              },
              {
                "columnName": "Rule",
                "identifier": "Category"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastExploits.yaml",
        "query": "let extract_data=(a:string, k:string) {\n  parse_urlquery(replace(@';', @'&', a))[\"Query Parameters\"][k]\n};\n\nCommonSecurityLog \n| where DeviceVendor == \"Contrast Security\"\n| where AdditionalExtensions contains \"EXPLOITED\"\n| extend DeviceProduct\n| extend SourceIP\n| extend DeviceVersion\n| extend Activity\n| extend ApplicationProtocol\n| extend RequestURL\n| extend RequestMethod\n| extend Rule = extract_data(AdditionalExtensions, 'pri')\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration",
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}