Contrast ADR - Exploited Attack in Production

ContrastADR_CL
| where result_s =~ "exploited" and environment_s =~ "production"

incidentConfiguration:
  groupingConfiguration:
    matchingMethod: Selected
    groupByEntities:
    - IP
    - Host
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT30M
  createIncident: true
query: |
  ContrastADR_CL
  | where result_s =~ "exploited" and environment_s =~ "production"  
name: Contrast ADR - Exploited Attack in Production
relevantTechniques:
- T1190
- T1059
- T1055
- T1210
- T1008
status: Available
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SourceIP
    identifier: Address
- entityType: Host
  fieldMappings:
  - columnName: host_hostname_s
    identifier: HostName
queryFrequency: 5m
requiredDataConnectors:
- connectorId: ContrastADR
  dataTypes:
  - ContrastADR_CL
alertDetailsOverride:
  alertDescriptionFormat: '{{result_s}}  on {{request_headers_referer_s}}  endpoint of {{application_name_s}} '
  alertDisplayNameFormat: '{{result_s}} {{rule_s}} from {{SourceIP}} in Production'
kind: Scheduled
version: 1.0.0
triggerOperator: gt
description: |
    'Detects successful exploitation of security vulnerabilities in production environments as identified by Contrast ADR. This rule triggers on confirmed exploited attacks in production systems, requiring immediate incident response and remediation.'
tactics:
- InitialAccess
- Execution
- DefenseEvasion
- LateralMovement
- CommandAndControl
queryPeriod: 5m
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event_in_Production.yaml
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: 31417149-f3a2-4db4-9e5f-85e0a464f6a1