Contrast ADR - Exploited Attack in Production

ContrastADR_CL
| where result_s =~ "exploited" and environment_s =~ "production"

relevantTechniques:
- T1190
- T1059
- T1055
- T1210
- T1008
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: PT30M
    matchingMethod: Selected
    reopenClosedIncident: false
    groupByEntities:
    - IP
    - Host
    enabled: true
  createIncident: true
eventGroupingSettings:
  aggregationKind: AlertPerResult
query: |
  ContrastADR_CL
  | where result_s =~ "exploited" and environment_s =~ "production"  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event_in_Production.yaml
description: |
    'Detects successful exploitation of security vulnerabilities in production environments as identified by Contrast ADR. This rule triggers on confirmed exploited attacks in production systems, requiring immediate incident response and remediation.'
requiredDataConnectors:
- connectorId: ContrastADR
  dataTypes:
  - ContrastADR_CL
triggerOperator: gt
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SourceIP
    identifier: Address
- entityType: Host
  fieldMappings:
  - columnName: host_hostname_s
    identifier: HostName
name: Contrast ADR - Exploited Attack in Production
queryPeriod: 5m
triggerThreshold: 0
id: 31417149-f3a2-4db4-9e5f-85e0a464f6a1
status: Available
kind: Scheduled
severity: High
queryFrequency: 5m
tactics:
- InitialAccess
- Execution
- DefenseEvasion
- LateralMovement
- CommandAndControl
version: 1.0.0
alertDetailsOverride:
  alertDisplayNameFormat: '{{result_s}} {{rule_s}} from {{SourceIP}} in Production'
  alertDescriptionFormat: '{{result_s}}  on {{request_headers_referer_s}}  endpoint of {{application_name_s}} '