Contrast ADR - Exploited Attack in Production

ContrastADR_CL
| where result_s =~ "exploited" and environment_s =~ "production"

name: Contrast ADR - Exploited Attack in Production
relevantTechniques:
- T1190
- T1059
- T1055
- T1210
- T1008
id: 31417149-f3a2-4db4-9e5f-85e0a464f6a1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event_in_Production.yaml
requiredDataConnectors:
- dataTypes:
  - ContrastADR_CL
  connectorId: ContrastADR
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: PT30M
    reopenClosedIncident: false
    groupByEntities:
    - IP
    - Host
    matchingMethod: Selected
    enabled: true
  createIncident: true
version: 1.0.0
severity: High
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryPeriod: 5m
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SourceIP
  entityType: IP
- fieldMappings:
  - identifier: HostName
    columnName: host_hostname_s
  entityType: Host
alertDetailsOverride:
  alertDisplayNameFormat: '{{result_s}} {{rule_s}} from {{SourceIP}} in Production'
  alertDescriptionFormat: '{{result_s}}  on {{request_headers_referer_s}}  endpoint of {{application_name_s}} '
queryFrequency: 5m
status: Available
query: |
  ContrastADR_CL
  | where result_s =~ "exploited" and environment_s =~ "production"  
tactics:
- InitialAccess
- Execution
- DefenseEvasion
- LateralMovement
- CommandAndControl
kind: Scheduled
description: |
    'Detects successful exploitation of security vulnerabilities in production environments as identified by Contrast ADR. This rule triggers on confirmed exploited attacks in production systems, requiring immediate incident response and remediation.'
triggerOperator: gt