Detection rules › Kusto
Contrast ADR - Security Incident Alert
This is a third-party alert feed, not a detection over modeled telemetry. The vendor product raised the finding; this rule forwards it into the SIEM. It is searchable for reference but is excluded from the detection-rule browse and the ATT&CK coverage matrix.
Monitors Contrast ADR security incidents across all applications and environments. This rule creates alerts for all security incidents detected by Contrast Security ADR, providing comprehensive visibility into application security events requiring investigation.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1190 Exploit Public-Facing Application |
| Defense Evasion | T1055 Process Injection |
| Discovery | T1018 Remote System Discovery |
| Command & Control | T1008 Fallback Channels |
Rule body

```yaml
id: 7ce5956f-48f2-42f5-8e2e-c254e7643c11
name: Contrast ADR - Security Incident Alert
description: |
  'Monitors Contrast ADR security incidents across all applications and environments. This rule creates alerts for all security incidents detected by Contrast Security ADR, providing comprehensive visibility into application security events requiring investigation.'
severity: Medium
status: Available
requiredDataConnectors:
  - connectorId: ContrastADRCCF
    dataTypes:
      - ContrastADRIncidents_CL
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - DefenseEvasion
  - Discovery
  - CommandAndControl
relevantTechniques:
  - T1190
  - T1055
  - T1018
  - T1008
query: |
  ContrastADRIncidents_CL
entityMappings:
  - entityType: SecurityGroup
    fieldMappings:
      - identifier: ObjectGuid
        columnName: incidentId
alertDetailsOverride:
  alertDisplayNameFormat: '{{incidentName}}'
  alertDescriptionFormat: '{{summary}}'
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT1H
    matchingMethod: Selected
    groupByEntities:
      - SecurityGroup
eventGroupingSettings:
  aggregationKind: AlertPerResult
kind: Scheduled
version: 1.0.1
```
Stages and Predicates
Stage 1: source
ContrastADRIncidents_CL
No predicate stage follows: the query is the bare table, so with triggerOperator gt / triggerThreshold 0 and aggregationKind AlertPerResult, every row ingested during each 5-minute query period raises its own alert. Alerts are then grouped into Sentinel incidents on incidentId, which the entity mapping carries as a SecurityGroup/ObjectGuid value purely as a grouping key (it is not a directory group), within the one-hour lookback; closed incidents are not reopened.
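To make the scheduling, trigger and grouping settings concrete, here is an added Python simulation (not Contrast's or Microsoft Sentinel's code) that replays constructed ContrastADRIncidents_CL rows through the rule's settings: queryFrequency and queryPeriod of 5m, the `gt 0` trigger, AlertPerResult, and incident grouping on incidentId with a one-hour lookback. The sample rows, the helper names and the use of TimeGenerated (the standard Log Analytics timestamp column) are assumptions; the grouping logic is a simplified model of Sentinel's behaviour, not its exact algorithm.

```python
"""Simulation of how the 'Contrast ADR - Security Incident Alert' rule turns rows
into alerts and incidents. Added example; not Contrast's or Microsoft's code.
The rows below are constructed; 'TimeGenerated' is the standard Log Analytics
timestamp column and the other column names are the ones the rule's entity and
alert-detail mappings reference (incidentId, incidentName, summary)."""
from datetime import datetime, timedelta, timezone


def _t(hh, mm):
    """Helper: UTC timestamps on one fixed (constructed) day."""
    return datetime(2024, 1, 1, hh, mm, tzinfo=timezone.utc)


# Constructed stand-in for ContrastADRIncidents_CL (assumed sample data).
SAMPLE_ROWS = [
    {"TimeGenerated": _t(12, 1), "incidentId": "inc-1",
     "incidentName": "SQLi on /login", "summary": "first detection"},
    {"TimeGenerated": _t(12, 7), "incidentId": "inc-1",
     "incidentName": "SQLi on /login", "summary": "repeat detection"},
    {"TimeGenerated": _t(12, 8), "incidentId": "inc-2",
     "incidentName": "Path traversal on /files", "summary": "first detection"},
    {"TimeGenerated": _t(13, 30), "incidentId": "inc-1",
     "incidentName": "SQLi on /login", "summary": "late repeat"},
]

# Values copied from the rule body.
QUERY_FREQUENCY = timedelta(minutes=5)  # queryFrequency: 5m
QUERY_PERIOD = timedelta(minutes=5)     # queryPeriod: 5m
TRIGGER_THRESHOLD = 0                   # triggerOperator: gt, triggerThreshold: 0
LOOKBACK = timedelta(hours=1)           # groupingConfiguration.lookbackDuration: PT1H


def run_query(rows, window_end):
    """The query is the bare table name, so there is no predicate: every row
    whose TimeGenerated falls inside the last queryPeriod is returned."""
    window_start = window_end - QUERY_PERIOD
    return [r for r in rows if window_start < r["TimeGenerated"] <= window_end]


def alerts_for_results(results):
    """triggerOperator gt / threshold 0 fires on any non-empty result set;
    aggregationKind AlertPerResult then emits one alert per row. Title and
    description follow alertDetailsOverride; the grouping entity is incidentId
    (mapped to SecurityGroup/ObjectGuid, used here only as a grouping key)."""
    if not (len(results) > TRIGGER_THRESHOLD):
        return []
    return [
        {"title": r["incidentName"], "description": r["summary"],
         "entity": r["incidentId"], "time": r["TimeGenerated"]}
        for r in results
    ]


def group_alerts(alerts, incidents):
    """groupingConfiguration: matchingMethod Selected on the SecurityGroup
    entity, within lookbackDuration, never reopening closed incidents.
    Simplified model: an alert joins the newest open incident with the same
    entity whose first alert is within LOOKBACK; otherwise a new incident opens."""
    for alert in alerts:
        target = None
        for inc in reversed(incidents):
            if (inc["entity"] == alert["entity"] and not inc["closed"]
                    and alert["time"] - inc["created"] <= LOOKBACK):
                target = inc
                break
        if target is None:
            incidents.append({"entity": alert["entity"], "title": alert["title"],
                              "created": alert["time"], "closed": False,
                              "alerts": [alert]})
        else:
            target["alerts"].append(alert)
    return incidents


def simulate(rows, first_run, runs):
    """Run the scheduled rule `runs` times, QUERY_FREQUENCY apart, starting at
    first_run. Returns (total_alerts, incidents)."""
    incidents = []
    total_alerts = 0
    for i in range(runs):
        window_end = first_run + i * QUERY_FREQUENCY
        alerts = alerts_for_results(run_query(rows, window_end))
        total_alerts += len(alerts)
        group_alerts(alerts, incidents)
    return total_alerts, incidents


if __name__ == "__main__":
    n_alerts, incs = simulate(SAMPLE_ROWS, _t(12, 5), 20)
    print(f"{n_alerts} alerts -> {len(incs)} incidents")
    for inc in incs:
        print(inc["entity"], inc["created"].strftime("%H:%M"),
              len(inc["alerts"]), "alert(s)")
```

Running it over the constructed rows gives 4 alerts and 3 incidents: the two inc-1 rows six minutes apart collapse into one incident, inc-2 gets its own, and the inc-1 row 89 minutes later falls outside the PT1H lookback and opens a fresh incident rather than reopening the first. The model evaluates rows by TimeGenerated only; the real scheduler's handling of ingestion delay is not represented, which is the usual reason a queryPeriod equal to queryFrequency deserves a second look in production.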