Contrast ADR - Exploited Attack Event

ContrastADRAttackEvents_CL
| where result =~ "exploited"

relevantTechniques:
- T1190
- T1059
- T1055
- T1210
- T1008
version: 1.0.1
severity: High
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: true
    matchingMethod: Selected
    groupByEntities:
    - IP
    - Host
    lookbackDuration: PT1H
name: Contrast ADR - Exploited Attack Event
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event.yaml
customDetails:
  AttackResult: result
  ApplicationName: application_name
  TargetHost: host_hostname
  AttackedEndpoint: request_headers_referer
  AttackRule: rule
  Environment: environment
description: |
    'Detects successful exploitation of security vulnerabilities across all environments as identified by Contrast ADR. This rule captures confirmed exploited attacks that bypassed application security controls and require security team investigation.'
queryFrequency: 5m
tactics:
- InitialAccess
- Execution
- DefenseEvasion
- LateralMovement
- CommandAndControl
triggerThreshold: 0
queryPeriod: 5m
id: ae4f67a6-0713-4a26-ae61-284e67b408c1
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: sourceIp
  entityType: IP
- fieldMappings:
  - identifier: HostName
    columnName: host_hostname
  entityType: Host
requiredDataConnectors:
- connectorId: ContrastADRCCF
  dataTypes:
  - ContrastADRAttackEvents_CL
triggerOperator: gt
alertDetailsOverride:
  alertDisplayNameFormat: '{{result}} {{rule}} from {{sourceIp}} '
  alertDescriptionFormat: '{{result}}  on {{request_headers_referer}}  endpoint of {{application_name}} '
status: Available
query: |
  ContrastADRAttackEvents_CL
  | where result =~ "exploited"  
kind: Scheduled