Contrast ADR - Exploited Attack in Production

ContrastADR_CL
| where result_s =~ "exploited" and environment_s =~ "production"

name: Contrast ADR - Exploited Attack in Production
kind: Scheduled
tactics:
- InitialAccess
- Execution
- DefenseEvasion
- LateralMovement
- CommandAndControl
triggerThreshold: 0
triggerOperator: gt
version: 1.0.0
status: Available
alertDetailsOverride:
  alertDisplayNameFormat: '{{result_s}} {{rule_s}} from {{SourceIP}} in Production'
  alertDescriptionFormat: '{{result_s}}  on {{request_headers_referer_s}}  endpoint of {{application_name_s}} '
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: true
    matchingMethod: Selected
    groupByEntities:
    - IP
    - Host
    lookbackDuration: PT30M
queryFrequency: 5m
id: 31417149-f3a2-4db4-9e5f-85e0a464f6a1
requiredDataConnectors:
- connectorId: ContrastADR
  dataTypes:
  - ContrastADR_CL
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1190
- T1059
- T1055
- T1210
- T1008
description: |
    'Detects successful exploitation of security vulnerabilities in production environments as identified by Contrast ADR. This rule triggers on confirmed exploited attacks in production systems, requiring immediate incident response and remediation.'
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SourceIP
    identifier: Address
- entityType: Host
  fieldMappings:
  - columnName: host_hostname_s
    identifier: HostName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event_in_Production.yaml
queryPeriod: 5m
severity: High
query: |
  ContrastADR_CL
  | where result_s =~ "exploited" and environment_s =~ "production"