Contrast ADR - Exploited Attack in Production

ContrastADR_CL
| where result_s =~ "exploited" and environment_s =~ "production"

severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryPeriod: 5m
name: Contrast ADR - Exploited Attack in Production
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event_in_Production.yaml
entityMappings:
- fieldMappings:
  - columnName: SourceIP
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: host_hostname_s
    identifier: HostName
  entityType: Host
alertDetailsOverride:
  alertDescriptionFormat: '{{result_s}}  on {{request_headers_referer_s}}  endpoint of {{application_name_s}} '
  alertDisplayNameFormat: '{{result_s}} {{rule_s}} from {{SourceIP}} in Production'
version: 1.0.0
relevantTechniques:
- T1190
- T1059
- T1055
- T1210
- T1008
status: Available
id: 31417149-f3a2-4db4-9e5f-85e0a464f6a1
queryFrequency: 5m
triggerThreshold: 0
triggerOperator: gt
incidentConfiguration:
  groupingConfiguration:
    groupByEntities:
    - IP
    - Host
    lookbackDuration: PT30M
    enabled: true
    matchingMethod: Selected
    reopenClosedIncident: false
  createIncident: true
query: |
  ContrastADR_CL
  | where result_s =~ "exploited" and environment_s =~ "production"  
description: |
    'Detects successful exploitation of security vulnerabilities in production environments as identified by Contrast ADR. This rule triggers on confirmed exploited attacks in production systems, requiring immediate incident response and remediation.'
requiredDataConnectors:
- connectorId: ContrastADR
  dataTypes:
  - ContrastADR_CL
tactics:
- InitialAccess
- Execution
- DefenseEvasion
- LateralMovement
- CommandAndControl
kind: Scheduled