Contrast ADR - Exploited Attack in Production

ContrastADR_CL
| where result_s =~ "exploited" and environment_s =~ "production"

description: |
    'Detects successful exploitation of security vulnerabilities in production environments as identified by Contrast ADR. This rule triggers on confirmed exploited attacks in production systems, requiring immediate incident response and remediation.'
version: 1.0.0
triggerThreshold: 0
tactics:
- InitialAccess
- Execution
- DefenseEvasion
- LateralMovement
- CommandAndControl
queryPeriod: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event_in_Production.yaml
triggerOperator: gt
status: Available
alertDetailsOverride:
  alertDisplayNameFormat: '{{result_s}} {{rule_s}} from {{SourceIP}} in Production'
  alertDescriptionFormat: '{{result_s}}  on {{request_headers_referer_s}}  endpoint of {{application_name_s}} '
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: 31417149-f3a2-4db4-9e5f-85e0a464f6a1
name: Contrast ADR - Exploited Attack in Production
queryFrequency: 5m
severity: High
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    groupByEntities:
    - IP
    - Host
    reopenClosedIncident: false
    matchingMethod: Selected
    lookbackDuration: PT30M
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: SourceIP
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: host_hostname_s
    identifier: HostName
  entityType: Host
relevantTechniques:
- T1190
- T1059
- T1055
- T1210
- T1008
query: |
  ContrastADR_CL
  | where result_s =~ "exploited" and environment_s =~ "production"  
requiredDataConnectors:
- dataTypes:
  - ContrastADR_CL
  connectorId: ContrastADR