Contrast ADR - Exploited Attack Event

ContrastADR_CL
| where result_s =~ "exploited"

query: |
  ContrastADR_CL
  | where result_s =~ "exploited"  
version: 1.0.0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event.yaml
status: Available
description: |
    'Detects successful exploitation of security vulnerabilities across all environments as identified by Contrast ADR. This rule captures confirmed exploited attacks that bypassed application security controls and require security team investigation.'
alertDetailsOverride:
  alertDisplayNameFormat: '{{result_s}} {{rule_s}} from {{SourceIP}} '
  alertDescriptionFormat: '{{result_s}}  on {{request_headers_referer_s}}  endpoint of {{application_name_s}} '
customDetails:
  AttackResult: result_s
  ApplicationName: application_name_s
  Environment: environment_s
  AttackedEndpoint: request_headers_referer_s
  TargetHost: host_hostname_s
  AttackRule: rule_s
queryFrequency: 5m
name: Contrast ADR - Exploited Attack Event
kind: Scheduled
triggerThreshold: 0
id: ae4f67a6-0713-4a26-ae61-284e67b408c1
requiredDataConnectors:
- connectorId: ContrastADR
  dataTypes:
  - ContrastADR_CL
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: Selected
    lookbackDuration: PT1H
    enabled: true
    groupByEntities:
    - IP
    - Host
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryPeriod: 5m
entityMappings:
- fieldMappings:
  - columnName: SourceIP
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: host_hostname_s
    identifier: HostName
  entityType: Host
relevantTechniques:
- T1190
- T1059
- T1055
- T1210
- T1008
tactics:
- InitialAccess
- Execution
- DefenseEvasion
- LateralMovement
- CommandAndControl