Contrast ADR - Exploited Attack Event

ContrastADRAttackEvents_CL
| where result =~ "exploited"

relevantTechniques:
- T1190
- T1059
- T1055
- T1210
- T1008
name: Contrast ADR - Exploited Attack Event
version: 1.0.1
entityMappings:
- fieldMappings:
  - columnName: sourceIp
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: host_hostname
    identifier: HostName
  entityType: Host
triggerThreshold: 0
alertDetailsOverride:
  alertDisplayNameFormat: '{{result}} {{rule}} from {{sourceIp}} '
  alertDescriptionFormat: '{{result}}  on {{request_headers_referer}}  endpoint of {{application_name}} '
kind: Scheduled
queryFrequency: 5m
description: |
    'Detects successful exploitation of security vulnerabilities across all environments as identified by Contrast ADR. This rule captures confirmed exploited attacks that bypassed application security controls and require security team investigation.'
queryPeriod: 5m
id: ae4f67a6-0713-4a26-ae61-284e67b408c1
requiredDataConnectors:
- connectorId: ContrastADRCCF
  dataTypes:
  - ContrastADRAttackEvents_CL
tactics:
- InitialAccess
- Execution
- DefenseEvasion
- LateralMovement
- CommandAndControl
severity: High
status: Available
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event.yaml
query: |
  ContrastADRAttackEvents_CL
  | where result =~ "exploited"  
triggerOperator: gt
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByEntities:
    - IP
    - Host
    reopenClosedIncident: false
    enabled: true
    matchingMethod: Selected
    lookbackDuration: PT1H
customDetails:
  AttackedEndpoint: request_headers_referer
  TargetHost: host_hostname
  Environment: environment
  AttackResult: result
  AttackRule: rule
  ApplicationName: application_name