Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Contrast Suspicious

Contrast Suspicious

Back
Idf713404e-805c-4e0c-91fa-2c149f76a07d
RulenameContrast Suspicious
DescriptionCreates Incidents for Suspicious events sourced from the Contrast Protect agent.
SeverityMedium
TacticsInitialAccess
Exfiltration
TechniquesT1566
Required data connectorsCefAma
ContrastProtect
ContrastProtectAma
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastSuspicious.yaml
Version1.0.2
Arm templatef713404e-805c-4e0c-91fa-2c149f76a07d.json
Deploy To Azure
let extract_data=(a:string, k:string) {
  parse_urlquery(replace(@';', @'&', a))["Query Parameters"][k]
};

CommonSecurityLog 
| where DeviceVendor == "Contrast Security"
| where AdditionalExtensions contains "SUSPICIOUS"
| extend DeviceProduct
| extend SourceIP
| extend DeviceVersion
| extend Activity
| extend ApplicationProtocol
| extend RequestURL
| extend RequestMethod
| extend Rule = extract_data(AdditionalExtensions, 'pri')

name: Contrast Suspicious
query: |
  let extract_data=(a:string, k:string) {
    parse_urlquery(replace(@';', @'&', a))["Query Parameters"][k]
  };

  CommonSecurityLog 
  | where DeviceVendor == "Contrast Security"
  | where AdditionalExtensions contains "SUSPICIOUS"
  | extend DeviceProduct
  | extend SourceIP
  | extend DeviceVersion
  | extend Activity
  | extend ApplicationProtocol
  | extend RequestURL
  | extend RequestMethod
  | extend Rule = extract_data(AdditionalExtensions, 'pri')  
queryFrequency: 5m
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: ContrastProtect
- dataTypes:
  - CommonSecurityLog
  connectorId: ContrastProtectAma
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
status: Available
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIP
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: RequestURL
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: ApplicationProtocol
- entityType: Malware
  fieldMappings:
  - identifier: Name
    columnName: Activity
  - identifier: Category
    columnName: Rule
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastSuspicious.yaml
description: |
    'Creates Incidents for Suspicious events sourced from the Contrast Protect agent.'
version: 1.0.2
id: f713404e-805c-4e0c-91fa-2c149f76a07d
kind: Scheduled
customDetails:
  Application: ApplicationProtocol
  Agent: DeviceProduct
  Details: AdditionalExtensions
  AgentVersion: DeviceVersion
  Attack: Activity
relevantTechniques:
- T1566
severity: Medium
tactics:
- InitialAccess
- Exfiltration
queryPeriod: 5m