Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Contrast Suspicious

Back
Idf713404e-805c-4e0c-91fa-2c149f76a07d
RulenameContrast Suspicious
DescriptionCreates Incidents for Suspicious events sourced from the Contrast Protect agent.
SeverityMedium
TacticsInitialAccess
Exfiltration
TechniquesT1566
Required data connectorsContrastProtect
ContrastProtectAma
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastSuspicious.yaml
Version1.0.1
Arm templatef713404e-805c-4e0c-91fa-2c149f76a07d.json
Deploy To Azure
let extract_data=(a:string, k:string) {
  parse_urlquery(replace(@';', @'&', a))["Query Parameters"][k]
};

CommonSecurityLog 
| where DeviceVendor == "Contrast Security"
| where AdditionalExtensions contains "SUSPICIOUS"
| extend DeviceProduct
| extend SourceIP
| extend DeviceVersion
| extend Activity
| extend ApplicationProtocol
| extend RequestURL
| extend RequestMethod
| extend Rule = extract_data(AdditionalExtensions, 'pri')
version: 1.0.1
name: Contrast Suspicious
severity: Medium
queryFrequency: 5m
kind: Scheduled
queryPeriod: 5m
description: |
    'Creates Incidents for Suspicious events sourced from the Contrast Protect agent.'
query: |
  let extract_data=(a:string, k:string) {
    parse_urlquery(replace(@';', @'&', a))["Query Parameters"][k]
  };

  CommonSecurityLog 
  | where DeviceVendor == "Contrast Security"
  | where AdditionalExtensions contains "SUSPICIOUS"
  | extend DeviceProduct
  | extend SourceIP
  | extend DeviceVersion
  | extend Activity
  | extend ApplicationProtocol
  | extend RequestURL
  | extend RequestMethod
  | extend Rule = extract_data(AdditionalExtensions, 'pri')  
tactics:
- InitialAccess
- Exfiltration
triggerOperator: gt
customDetails:
  Agent: DeviceProduct
  Attack: Activity
  Application: ApplicationProtocol
  AgentVersion: DeviceVersion
  Details: AdditionalExtensions
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastSuspicious.yaml
requiredDataConnectors:
- connectorId: ContrastProtect
  dataTypes:
  - CommonSecurityLog
- connectorId: ContrastProtectAma
  dataTypes:
  - CommonSecurityLog
status: Available
relevantTechniques:
- T1566
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SourceIP
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: RequestURL
    identifier: Url
- entityType: CloudApplication
  fieldMappings:
  - columnName: ApplicationProtocol
    identifier: Name
- entityType: Malware
  fieldMappings:
  - columnName: Activity
    identifier: Name
  - columnName: Rule
    identifier: Category
id: f713404e-805c-4e0c-91fa-2c149f76a07d
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f713404e-805c-4e0c-91fa-2c149f76a07d')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f713404e-805c-4e0c-91fa-2c149f76a07d')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Contrast Suspicious",
        "description": "'Creates Incidents for Suspicious events sourced from the Contrast Protect agent.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let extract_data=(a:string, k:string) {\n  parse_urlquery(replace(@';', @'&', a))[\"Query Parameters\"][k]\n};\n\nCommonSecurityLog \n| where DeviceVendor == \"Contrast Security\"\n| where AdditionalExtensions contains \"SUSPICIOUS\"\n| extend DeviceProduct\n| extend SourceIP\n| extend DeviceVersion\n| extend Activity\n| extend ApplicationProtocol\n| extend RequestURL\n| extend RequestMethod\n| extend Rule = extract_data(AdditionalExtensions, 'pri')\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "Exfiltration"
        ],
        "techniques": [
          "T1566"
        ],
        "alertRuleTemplateName": "f713404e-805c-4e0c-91fa-2c149f76a07d",
        "customDetails": {
          "Details": "AdditionalExtensions",
          "Application": "ApplicationProtocol",
          "Agent": "DeviceProduct",
          "AgentVersion": "DeviceVersion",
          "Attack": "Activity"
        },
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "SourceIP",
                "identifier": "Address"
              }
            ],
            "entityType": "IP"
          },
          {
            "fieldMappings": [
              {
                "columnName": "RequestURL",
                "identifier": "Url"
              }
            ],
            "entityType": "URL"
          },
          {
            "fieldMappings": [
              {
                "columnName": "ApplicationProtocol",
                "identifier": "Name"
              }
            ],
            "entityType": "CloudApplication"
          },
          {
            "fieldMappings": [
              {
                "columnName": "Activity",
                "identifier": "Name"
              },
              {
                "columnName": "Rule",
                "identifier": "Category"
              }
            ],
            "entityType": "Malware"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Contrast Protect/Analytic Rules/ContrastSuspicious.yaml",
        "templateVersion": "1.0.1",
        "status": "Available"
      }
    }
  ]
}