Contrast ADR - Exploited Attack in Production

ContrastADR_CL
| where result_s =~ "exploited" and environment_s =~ "production"

query: |
  ContrastADR_CL
  | where result_s =~ "exploited" and environment_s =~ "production"  
version: 1.0.0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event_in_Production.yaml
status: Available
description: |
    'Detects successful exploitation of security vulnerabilities in production environments as identified by Contrast ADR. This rule triggers on confirmed exploited attacks in production systems, requiring immediate incident response and remediation.'
alertDetailsOverride:
  alertDisplayNameFormat: '{{result_s}} {{rule_s}} from {{SourceIP}} in Production'
  alertDescriptionFormat: '{{result_s}}  on {{request_headers_referer_s}}  endpoint of {{application_name_s}} '
queryFrequency: 5m
name: Contrast ADR - Exploited Attack in Production
kind: Scheduled
triggerThreshold: 0
id: 31417149-f3a2-4db4-9e5f-85e0a464f6a1
requiredDataConnectors:
- connectorId: ContrastADR
  dataTypes:
  - ContrastADR_CL
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: Selected
    lookbackDuration: PT30M
    enabled: true
    groupByEntities:
    - IP
    - Host
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryPeriod: 5m
entityMappings:
- fieldMappings:
  - columnName: SourceIP
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: host_hostname_s
    identifier: HostName
  entityType: Host
relevantTechniques:
- T1190
- T1059
- T1055
- T1210
- T1008
tactics:
- InitialAccess
- Execution
- DefenseEvasion
- LateralMovement
- CommandAndControl