
Commit 173e2ea

authored
Merge pull request Azure#13287 from Contrast-Security-OSS/contrast_adr_rule_update
Updated EDR Detection rule
2 parents 5ed59d8 + c7156b2 commit 173e2ea


4 files changed

+46
-44
lines changed


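--- a/.script/tests/KqlvalidationsTests/CustomTables/ContrastADR_CL.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/ContrastADR_CL.json
@@ -76,6 +76,10 @@
 {
 "Name": "incident_id_s",
 "Type": "String"
+},
+{
+"Name": "incidentId_s",
+"Type": "String"
 },
 {
 "Name": "codeLocation_file_s",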
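Review bot: The validation schema for ContrastADR_CL now declares both `incident_id_s` and `incidentId_s`, and the rule in Contrast_ADR_Confirmed_EDR.yaml (and the same query at mainTemplate.json line 957) now joins ContrastADRIncident_CL to ContrastADR_CL on `incidentId_s` on both sides instead of renaming first. That join only yields rows if the live ContrastADR_CL table actually populates `incidentId_s`; if the column was added here only so the KQL validation passes, the rule would match nothing in a real workspace and nobody would notice, because `enabled` is false in the template. It would be worth confirming against the connector's table schema and recording the decision in the rule, e.g. a query comment such as `// ContrastADR_CL exposes incidentId_s (not incident_id_s) as the join key — keep in sync with the connector schema`. The keeping of `incident_id_s` alongside the new column suggests two naming generations coexist; this is inferred from the test schema alone.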

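--- a/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_EDR.yaml
+++ b/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_EDR.yaml
@@ -25,9 +25,7 @@ relevantTechniques:
 - T1008
 query: |
 ContrastADRIncident_CL
-| project-rename incident_id_s = incidentId_s
-| join kind=inner (ContrastADR_CL | where rule_s in~("class-loader-manipulation", "cmd-injection-semantic-chained-commands", "cmd-injection-semantic-dangerous-paths", "cmd-injection-command-backdoors", "cmd-injection-process-hardening", "cmd-injection", "expression-language-injection", "jndi-injection", "ssjs-injection", "unsafe-file-upload", "untrusted-deserialization","xxe")) on incident_id_s
-| project-rename hostname_s = host_hostname_s
+| join kind=inner (ContrastADR_CL | where rule_s in~("class-loader-manipulation", "cmd-injection-semantic-chained-commands", "cmd-injection-semantic-dangerous-paths", "cmd-injection-command-backdoors", "cmd-injection-process-hardening", "cmd-injection", "expression-language-injection", "jndi-injection", "ssjs-injection", "unsafe-file-upload", "untrusted-deserialization","xxe") | project-rename hostname_s = host_hostname_s) on incidentId_s
 //Please add your EDR table name in place of ContrastWAFLogs_CL and hostname's column name in place of hostname_s below and uncomment the queries below
 //| join kind = inner ( ContrastWAFLogs_CL
 //| where TimeGenerated >= ago(5m)) on hostname_s
@@ -51,4 +49,4 @@ incidentConfiguration:
 eventGroupingSettings:
 aggregationKind: AlertPerResult
 kind: Scheduled
-version: 1.0.0
+version: 1.0.1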
-13 Bytes
Binary file not shown.

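--- a/Solutions/ContrastADR/Package/mainTemplate.json
+++ b/Solutions/ContrastADR/Package/mainTemplate.json
@@ -137,11 +137,11 @@
 "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','93641436-afb3-4921-8828-ceab0d15aaab','-', '1.0.0')))]"
 },
 "analyticRuleObject2": {
-"analyticRuleVersion2": "1.0.0",
+"analyticRuleVersion2": "1.0.1",
 "_analyticRulecontentId2": "c1c6ba64-134e-403b-b9a6-1bebc90809a4",
 "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c1c6ba64-134e-403b-b9a6-1bebc90809a4')]",
 "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c1c6ba64-134e-403b-b9a6-1bebc90809a4')))]",
-"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c1c6ba64-134e-403b-b9a6-1bebc90809a4','-', '1.0.0')))]"
+"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c1c6ba64-134e-403b-b9a6-1bebc90809a4','-', '1.0.1')))]"
 },
 "analyticRuleObject3": {
 "analyticRuleVersion3": "1.0.0",
@@ -874,15 +874,15 @@
 "aggregationKind": "AlertPerResult"
 },
 "alertDetailsOverride": {
-"alertDescriptionFormat": "WAF Alert Confirmed {{result_s}} by Contrast ADR on {{request_headers_referer_s}} endpoint of {{application_name_s}} ",
-"alertDisplayNameFormat": "WAF Alert Confirmed {{result_s}} by Contrast ADR on {{request_headers_referer_s}} endpoint of {{application_name_s}} "
+"alertDisplayNameFormat": "WAF Alert Confirmed {{result_s}} by Contrast ADR on {{request_headers_referer_s}} endpoint of {{application_name_s}} ",
+"alertDescriptionFormat": "WAF Alert Confirmed {{result_s}} by Contrast ADR on {{request_headers_referer_s}} endpoint of {{application_name_s}} "
 },
 "incidentConfiguration": {
 "createIncident": true,
 "groupingConfiguration": {
-"enabled": true,
-"reopenClosedIncident": false,
 "matchingMethod": "Selected",
+"reopenClosedIncident": false,
+"enabled": true,
 "lookbackDuration": "PT1H"
 }
 }
@@ -954,7 +954,7 @@
 "description": "Correlates Contrast ADR incidents with specific high-risk attack patterns including command injection, deserialization attacks, and file upload vulnerabilities. This rule identifies confirmed security events that require immediate attention from security teams.",
 "displayName": "Contrast ADR - EDR Alert Correlation",
 "enabled": false,
-"query": "ContrastADRIncident_CL\n| project-rename incident_id_s = incidentId_s\n| join kind=inner (ContrastADR_CL | where rule_s in~(\"class-loader-manipulation\", \"cmd-injection-semantic-chained-commands\", \"cmd-injection-semantic-dangerous-paths\", \"cmd-injection-command-backdoors\", \"cmd-injection-process-hardening\", \"cmd-injection\", \"expression-language-injection\", \"jndi-injection\", \"ssjs-injection\", \"unsafe-file-upload\", \"untrusted-deserialization\",\"xxe\")) on incident_id_s\n| project-rename hostname_s = host_hostname_s\n//Please add your EDR table name in place of ContrastWAFLogs_CL and hostname's column name in place of hostname_s below and uncomment the queries below\n//| join kind = inner ( ContrastWAFLogs_CL\n//| where TimeGenerated >= ago(5m)) on hostname_s\n",
+"query": "ContrastADRIncident_CL\n| join kind=inner (ContrastADR_CL | where rule_s in~(\"class-loader-manipulation\", \"cmd-injection-semantic-chained-commands\", \"cmd-injection-semantic-dangerous-paths\", \"cmd-injection-command-backdoors\", \"cmd-injection-process-hardening\", \"cmd-injection\", \"expression-language-injection\", \"jndi-injection\", \"ssjs-injection\", \"unsafe-file-upload\", \"untrusted-deserialization\",\"xxe\") | project-rename hostname_s = host_hostname_s) on incidentId_s\n//Please add your EDR table name in place of ContrastWAFLogs_CL and hostname's column name in place of hostname_s below and uncomment the queries below\n//| join kind = inner ( ContrastWAFLogs_CL\n//| where TimeGenerated >= ago(5m)) on hostname_s\n",
 "queryFrequency": "PT5M",
 "queryPeriod": "PT5M",
 "severity": "Medium",
@@ -999,19 +999,19 @@
 "aggregationKind": "AlertPerResult"
 },
 "alertDetailsOverride": {
-"alertDescriptionFormat": "EDR Alert Confirmed {{result_s}} by Contrast ADR on {{application_name_s}}",
-"alertDisplayNameFormat": "EDR Alert Confirmed {{result_s}} by Contrast ADR on {{application_name_s}}"
+"alertDisplayNameFormat": "EDR Alert Confirmed {{result_s}} by Contrast ADR on {{application_name_s}}",
+"alertDescriptionFormat": "EDR Alert Confirmed {{result_s}} by Contrast ADR on {{application_name_s}}"
 },
 "incidentConfiguration": {
 "createIncident": true,
 "groupingConfiguration": {
-"enabled": true,
-"reopenClosedIncident": false,
 "matchingMethod": "Selected",
-"lookbackDuration": "PT1H",
 "groupByEntities": [
 "Host"
-]
+],
+"reopenClosedIncident": false,
+"enabled": true,
+"lookbackDuration": "PT1H"
 }
 }
 }
@@ -1137,20 +1137,20 @@
 "aggregationKind": "AlertPerResult"
 },
 "alertDetailsOverride": {
-"alertDescriptionFormat": "{{result_s}} on {{request_headers_referer_s}} endpoint of {{application_name_s}} ",
-"alertDisplayNameFormat": "{{result_s}} {{rule_s}} from {{SourceIP}} in Production"
+"alertDisplayNameFormat": "{{result_s}} {{rule_s}} from {{SourceIP}} in Production",
+"alertDescriptionFormat": "{{result_s}} on {{request_headers_referer_s}} endpoint of {{application_name_s}} "
 },
 "incidentConfiguration": {
 "createIncident": true,
 "groupingConfiguration": {
-"enabled": true,
-"reopenClosedIncident": false,
 "matchingMethod": "Selected",
-"lookbackDuration": "PT30M",
 "groupByEntities": [
 "IP",
 "Host"
-]
+],
+"reopenClosedIncident": false,
+"enabled": true,
+"lookbackDuration": "PT30M"
 }
 }
 }
@@ -1277,27 +1277,27 @@
 },
 "customDetails": {
 "TargetHost": "host_hostname_s",
-"AttackRule": "rule_s",
+"AttackResult": "result_s",
 "ApplicationName": "application_name_s",
+"Environment": "environment_s",
 "AttackedEndpoint": "request_headers_referer_s",
-"AttackResult": "result_s",
-"Environment": "environment_s"
+"AttackRule": "rule_s"
 },
 "alertDetailsOverride": {
-"alertDescriptionFormat": "{{result_s}} on {{request_headers_referer_s}} endpoint of {{application_name_s}} ",
-"alertDisplayNameFormat": "{{result_s}} {{rule_s}} from {{SourceIP}} "
+"alertDisplayNameFormat": "{{result_s}} {{rule_s}} from {{SourceIP}} ",
+"alertDescriptionFormat": "{{result_s}} on {{request_headers_referer_s}} endpoint of {{application_name_s}} "
 },
 "incidentConfiguration": {
 "createIncident": true,
 "groupingConfiguration": {
-"enabled": true,
-"reopenClosedIncident": false,
 "matchingMethod": "Selected",
-"lookbackDuration": "PT1H",
 "groupByEntities": [
 "IP",
 "Host"
-]
+],
+"reopenClosedIncident": false,
+"enabled": true,
+"lookbackDuration": "PT1H"
 }
 }
 }
@@ -1432,20 +1432,20 @@
 "aggregationKind": "AlertPerResult"
 },
 "alertDetailsOverride": {
-"alertDescriptionFormat": "Confirmed active SQL Injection by Contrast ADR on {{request_headers_referer_s}} endpoint of {{application_name_s}} ",
-"alertDisplayNameFormat": "Confirmed active SQL Injection by Contrast ADR on {{request_headers_referer_s}} endpoint of {{application_name_s}} "
+"alertDisplayNameFormat": "Confirmed active SQL Injection by Contrast ADR on {{request_headers_referer_s}} endpoint of {{application_name_s}} ",
+"alertDescriptionFormat": "Confirmed active SQL Injection by Contrast ADR on {{request_headers_referer_s}} endpoint of {{application_name_s}} "
 },
 "incidentConfiguration": {
 "createIncident": true,
 "groupingConfiguration": {
-"enabled": true,
-"reopenClosedIncident": false,
 "matchingMethod": "Selected",
-"lookbackDuration": "PT30M",
 "groupByEntities": [
 "Host",
 "IP"
-]
+],
+"reopenClosedIncident": false,
+"enabled": true,
+"lookbackDuration": "PT30M"
 }
 }
 }
@@ -1560,20 +1560,20 @@
 "aggregationKind": "AlertPerResult"
 },
 "alertDetailsOverride": {
-"alertDescriptionFormat": "{{summary_s}}",
-"alertDisplayNameFormat": "{{incidentName_s}}"
+"alertDisplayNameFormat": "{{incidentName_s}}",
+"alertDescriptionFormat": "{{summary_s}}"
 },
 "incidentConfiguration": {
 "createIncident": true,
 "groupingConfiguration": {
-"enabled": true,
-"reopenClosedIncident": false,
 "matchingMethod": "Selected",
-"lookbackDuration": "PT1H",
 "groupByCustomDetails": [
 "IncidentId",
 "ApplicationName"
-]
+],
+"reopenClosedIncident": false,
+"enabled": true,
+"lookbackDuration": "PT1H"
 }
 }
 }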
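Review bot: Only two hunks in this file carry a substantive change — the version strings in analyticRuleObject2 (line 140/144) and the rule query at line 957 — while the hunks at 874, 999, 1137, 1277, 1432 and 1560 merely reorder keys inside `alertDetailsOverride`, `groupingConfiguration` and `customDetails`, which is a no-op for the ARM deployment but makes the real change hard to review and will reappear on every regeneration. If the packaging tool emits keys in a nondeterministic order, it is worth fixing there (or committing with a stable key order) so the template diff matches the yaml diff. The version bump is applied consistently to both `analyticRuleVersion2` and `_analyticRulecontentProductId2`, which is correct; the other rules keep 1.0.0 since their queries are unchanged.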
