Contrast ADR - Exploited Attack in Production

ContrastADR_CL
| where result_s =~ "exploited" and environment_s =~ "production"

alertDetailsOverride:
  alertDescriptionFormat: '{{result_s}}  on {{request_headers_referer_s}}  endpoint of {{application_name_s}} '
  alertDisplayNameFormat: '{{result_s}} {{rule_s}} from {{SourceIP}} in Production'
relevantTechniques:
- T1190
- T1059
- T1055
- T1210
- T1008
name: Contrast ADR - Exploited Attack in Production
queryFrequency: 5m
version: 1.0.0
incidentConfiguration:
  groupingConfiguration:
    groupByEntities:
    - IP
    - Host
    matchingMethod: Selected
    enabled: true
    lookbackDuration: PT30M
    reopenClosedIncident: false
  createIncident: true
triggerThreshold: 0
severity: High
requiredDataConnectors:
- connectorId: ContrastADR
  dataTypes:
  - ContrastADR_CL
tactics:
- InitialAccess
- Execution
- DefenseEvasion
- LateralMovement
- CommandAndControl
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event_in_Production.yaml
query: |
  ContrastADR_CL
  | where result_s =~ "exploited" and environment_s =~ "production"  
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: SourceIP
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: host_hostname_s
    identifier: HostName
  entityType: Host
queryPeriod: 5m
triggerOperator: gt
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: 31417149-f3a2-4db4-9e5f-85e0a464f6a1
status: Available
description: |
    'Detects successful exploitation of security vulnerabilities in production environments as identified by Contrast ADR. This rule triggers on confirmed exploited attacks in production systems, requiring immediate incident response and remediation.'