diff --git a/contrast_security_adr/assets/dashboards/contrast_security_adr.json b/contrast_security_adr/assets/dashboards/contrast_security_adr.json
index 99a7dd3c6..757cc05cb 100644
--- a/contrast_security_adr/assets/dashboards/contrast_security_adr.json
+++ b/contrast_security_adr/assets/dashboards/contrast_security_adr.json
@@ -286,7 +286,7 @@
 ],
 "response_format": "scalar",
 "sort": {
- "count": 100,
+ "count": 10,
 "order_by": [
 {
 "type": "formula",
diff --git a/contrast_security_adr/assets/logs/contrast-security-adr.yaml b/contrast_security_adr/assets/logs/contrast-security-adr.yaml
index 54c85b403..4c72f040f 100644
--- a/contrast_security_adr/assets/logs/contrast-security-adr.yaml
+++ b/contrast_security_adr/assets/logs/contrast-security-adr.yaml
@@ -1,5 +1,9 @@
 id: contrast-security-adr
+# See app_id in your integration's manifest.json file to learn more:
+# https://docs.datadoghq.com/developers/integrations/check_references/#manifest-file
 metric_id: contrast-security-adr
+# If for some reason id must be different than app_id, add the app_id in this field instead.
+# If id and app_id already match, this field can be left blank.
 backend_only: false
 facets:
 - groups:
@@ -42,6 +46,11 @@ facets:
 name: Event Name
 path: evt.name
 source: log
+ - groups:
+ - Web Access
+ name: OS
+ path: http.useragent_details.os.family
+ source: log
 - description: ""
 facetType: list
 groups:
@@ -276,6 +285,16 @@ pipeline:
 targetType: attribute
 preserveSource: true
 overrideOnConflict: false
+ - type: attribute-remapper
+ name: Map `host.operatingSystem` to `http.useragent_details.os.family`
+ enabled: true
+ sources:
+ - host.operatingSystem
+ sourceType: attribute
+ target: http.useragent_details.os.family
+ targetType: attribute
+ preserveSource: true
+ overrideOnConflict: false
 - type: status-remapper
 name: " Map `severity` to `status`"
 enabled: true
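Review bot: The new attribute-remapper in the pipeline hunk writes the monitored server's `host.operatingSystem` (the test fixture carries `Linux 6.10.14-linuxkit aarch64`) into `http.useragent_details.os.family`, the attribute Datadog's User-Agent parser reserves for the requesting client's OS family, so the new "OS" facet under Web Access will present the attacked host's kernel string as the attacker's client OS. The accompanying test makes the mismatch visible: its `user-agent` header is a Macintosh browser while the facet value is Linux. If the intent is a server-OS facet, target a non-reserved attribute, e.g. `target: host.os` with the facet `path` changed to match; if the intent really is the client OS, parse `http.request.headers.user-agent` with a user-agent parser instead of remapping the host field. Either way the remapper `name` should state which OS the value describes.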
diff --git a/contrast_security_adr/assets/logs/contrast-security-adr_tests.yaml b/contrast_security_adr/assets/logs/contrast-security-adr_tests.yaml index 689b9a262..5cd6a71c5 100644 --- a/contrast_security_adr/assets/logs/contrast-security-adr_tests.yaml +++ b/contrast_security_adr/assets/logs/contrast-security-adr_tests.yaml 
@@ -1,9 +1,356 @@ -id: contrast-security-adr +id: "contrast-security-adr" tests: - - sample: |- + - + sample: |- + { + "severity" : "critical", + "detectedTime" : "1764161753000", + "server" : { + "name" : "Petclinic-thib", + "id" : "27958" + }, + "request" : { + "headers" : { + "Cookie" : [ "JSESSIONID=EB2C548D2789AEFB92E843E958D2410E" ], + "sec-fetch-mode" : [ "navigate" ], + "referer" : [ "http://localhost:8080/customers/find" ], + "sec-fetch-site" : [ "same-origin" ], + "accept-language" : [ "en-GB,en-US;q=0.9,en;q=0.8" ], + "sec-fetch-user" : [ "?1" ], + "accept" : [ "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7" ], + "sec-ch-ua" : [ "\"Chromium\";v=\"136\", \"Google Chrome\";v=\"136\", \"Not.A/Brand\";v=\"99\"" ], + "sec-ch-ua-mobile" : [ "?0" ], + "sec-ch-ua-platform" : [ "\"macOS\"" ], + "host" : [ "localhost:8080" ], + "upgrade-insecure-requests" : [ "1" ], + "connection" : [ "keep-alive" ], + "accept-encoding" : [ "gzip, deflate, br, zstd" ], + "sec-fetch-dest" : [ "document" ], + "user-agent" : [ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36" ] + }, + "protocol" : "http", + "method" : "GET", + "protocolVersion" : "1.1", + "queryString" : "lastName=contrast-redacted-name", + "parameters" : { + "lastName" : [ "contrast-redacted-name" ] + } + }, + "vectorAnalysis" : { + "vectorFields" : { + "ruleUuid" : "sql-injection", + "query" : "SELECT DISTINCT * FROM customers WHERE customers.last_name LIKE '%' or 1=1; # antwerp%'" + }, + "callLocation" : "org.springframework.samples.petclinic.customer.CustomerRepository.findByLastName(CustomerRepository.java:31)" + }, + "attackPayload" : { + "attackerInput" : { + "confirmedAttack" : false, + "documentType" : "NORMAL", + "effectiveAttack" : false, + "name" : "lastName", + "applicableAttack" : false, + "inputType" : "PARAMETER_VALUE", + "patternsMatched" : [ 
"PIDS-SQLI-42A,PIDS-SQLI-44C,TRUING_STRING_INJ,PIDS-SQLI-4001" ], + "documentPath" : "/abc" + }, + "value" : "' or 1=1; # antwerp", + "url" : "/owner" + }, + "rule" : "sql-injection", + "eventUuid" : "1678918a-103f-4030-a416-3b8766e47e19", + "productName" : "ContrastADR", + "url" : "/customers", + "result" : "BLOCKED", + "environment" : "production", + "organizationUuid" : "203ae021-7e10-4356-ad6e-0c4b94d8511e", + "incident_id" : "INC-2025-c51", + "apiUri" : "/api/v4/organizations/203ae021-7e10-4356-ad6e-0c4b94d8511e/applications/08f46d44-b7da-4978-b903-fcce249f457a/attack-events/1678918a-103f-4030-a416-3b8766e47e19", + "mitreTactics" : [ { + "id" : "TA0001", + "url" : "https://attack.mitre.org/tactics/TA0001/" + }, { + "id" : "TA0002", + "url" : "https://attack.mitre.org/tactics/TA0002/" + }, { + "id" : "TA0006", + "url" : "https://attack.mitre.org/tactics/TA0006/" + }, { + "id" : "TA0007", + "url" : "https://attack.mitre.org/tactics/TA0007/" + }, { + "id" : "TA0009", + "url" : "https://attack.mitre.org/tactics/TA0009/" + }, { + "id" : "TA0010", + "url" : "https://attack.mitre.org/tactics/TA0010/" + } ], + "application" : { + "name" : "Web-Application-thib", + "agentLanguage" : "java", + "id" : "08f46d44-b7da-4978-b903-fcce249f457a" + }, + "sourceIp" : "7.7.7.7.7.10", + "codeLocation" : { + "stack" : [ { + "fileName" : "SecurityContextHolderAwareRequestFilter.java", + "shortSummary" : "doFilter() @ SecurityContextHolderAwareRequestFilter.java:179", + "description" : "org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179)", + "methodName" : "doFilter", + "className" : "org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter", + "type" : "frameCommon", + "lineNumber" : 179 + }, { + "fileName" : "ObservationFilterChainDecorator.java", + "shortSummary" : "wrapFilter() @ ObservationFilterChainDecorator.java:240", + "description" : 
"org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)", + "methodName" : "wrapFilter", + "className" : "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter", + "type" : "frameCommon", + "lineNumber" : 240 + }, { + "fileName" : "ObservationFilterChainDecorator.java", + "shortSummary" : "doFilter() @ ObservationFilterChainDecorator.java:227", + "description" : "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)", + "methodName" : "doFilter", + "className" : "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter", + "type" : "frameCommon", + "lineNumber" : 227 + }, { + "fileName" : "ObservationFilterChainDecorator.java", + "shortSummary" : "doFilter() @ ObservationFilterChainDecorator.java:137", + "description" : "org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)", + "methodName" : "doFilter", + "className" : "org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain", + "type" : "frameCommon", + "lineNumber" : 137 + } ], + "file" : "HikariProxyStatement.java", + "method" : "executeQuery()" + }, + "ruleUuid" : "ssjs-injection", + "cloudProvider" : "UNKNOWN", + "host" : { + "runtimeVersion" : "OpenJDK Runtime Environment 17.0.14+7", + "hostname" : "bb8989bc", + "runtimePath" : "/opt/java/openjdk/bin/java", + "isDocker" : true, + "operatingSystem" : "Linux 6.10.14-linuxkit aarch64" + }, + "agentVersion" : "6.14.0", + "uiUrl" : 
"https://teamserver-scantest.contsec.com/Contrast/static/ng/index.html#/203ae021-7e10-4356-ad6e-0c4b94d8511e/attack-events/1678918a-103f-4030-a416-3b8766e47e19?groupBy=&dateRange-type=CUSTOM_DATE_RANGE&dateRange-startDate=1747217573585&dateRange-endDate=1747217693585&applicationId=08f46d44-b7da-4978-b903-fcce249f457a" + } + result: + custom: + agentVersion: "6.14.0" + apiUri: "/api/v4/organizations/203ae021-7e10-4356-ad6e-0c4b94d8511e/applications/08f46d44-b7da-4978-b903-fcce249f457a/attack-events/1678918a-103f-4030-a416-3b8766e47e19" + application: + agentLanguage: "java" + id: "08f46d44-b7da-4978-b903-fcce249f457a" + name: "Web-Application-thib" + attackPayload: + attackerInput: + applicableAttack: false + confirmedAttack: false + documentPath: "/abc" + documentType: "NORMAL" + effectiveAttack: false + inputType: "PARAMETER_VALUE" + name: "lastName" + patternsMatched: + - "PIDS-SQLI-42A,PIDS-SQLI-44C,TRUING_STRING_INJ,PIDS-SQLI-4001" + url: "/owner" + value: "' or 1=1; # antwerp" + cloudProvider: "UNKNOWN" + codeLocation: + file: "HikariProxyStatement.java" + method: "executeQuery()" + stack: + - + fileName: "SecurityContextHolderAwareRequestFilter.java" + shortSummary: "doFilter() @ SecurityContextHolderAwareRequestFilter.java:179" + description: "org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179)" + methodName: "doFilter" + className: "org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter" + type: "frameCommon" + lineNumber: 179 + - + fileName: "ObservationFilterChainDecorator.java" + shortSummary: "wrapFilter() @ ObservationFilterChainDecorator.java:240" + description: "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)" + methodName: "wrapFilter" + className: "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter" + type: 
"frameCommon" + lineNumber: 240 + - + fileName: "ObservationFilterChainDecorator.java" + shortSummary: "doFilter() @ ObservationFilterChainDecorator.java:227" + description: "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)" + methodName: "doFilter" + className: "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter" + type: "frameCommon" + lineNumber: 227 + - + fileName: "ObservationFilterChainDecorator.java" + shortSummary: "doFilter() @ ObservationFilterChainDecorator.java:137" + description: "org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)" + methodName: "doFilter" + className: "org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain" + type: "frameCommon" + lineNumber: 137 + contrast_adr: + incident_id: "INC-2025-c51" + date: "1764161753000" + detectedTime: "1764161753000" + environment: "production" + eventUuid: "1678918a-103f-4030-a416-3b8766e47e19" + evt: + name: "sql-injection" + outcome: "BLOCKED" + host: + hostname: "bb8989bc" + isDocker: true + operatingSystem: "Linux 6.10.14-linuxkit aarch64" + runtimePath: "/opt/java/openjdk/bin/java" + runtimeVersion: "OpenJDK Runtime Environment 17.0.14+7" + http: + method: "GET" + referer: + - "http://localhost:8080/customers/find" + request: + headers: + Cookie: + - "JSESSIONID=EB2C548D2789AEFB92E843E958D2410E" + accept: + - "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7" + accept-encoding: + - "gzip, deflate, br, zstd" + accept-language: + - "en-GB,en-US;q=0.9,en;q=0.8" + connection: + - "keep-alive" + host: + - "localhost:8080" + referer: + - "http://localhost:8080/customers/find" + sec-ch-ua: + - "\"Chromium\";v=\"136\", \"Google Chrome\";v=\"136\", \"Not.A/Brand\";v=\"99\"" + sec-ch-ua-mobile: + - 
"?0" + sec-ch-ua-platform: + - "\"macOS\"" + sec-fetch-dest: + - "document" + sec-fetch-mode: + - "navigate" + sec-fetch-site: + - "same-origin" + sec-fetch-user: + - "?1" + upgrade-insecure-requests: + - "1" + user-agent: + - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36" + url_details: + host: + - "localhost:8080" + path: + path: "/api/v4/organizations/203ae021-7e10-4356-ad6e-0c4b94d8511e/applications/08f46d44-b7da-4978-b903-fcce249f457a/attack-events/1678918a-103f-4030-a416-3b8766e47e19" + queryString: "lastName=contrast-redacted-name" + scheme: "http" + user-agent: + - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36" + useragent_details: + os: + family: "Linux 6.10.14-linuxkit aarch64" + version: "1.1" + incident_id: "INC-2025-c51" + mitreTactics: + - + id: "TA0001" + url: "https://attack.mitre.org/tactics/TA0001/" + - + id: "TA0002" + url: "https://attack.mitre.org/tactics/TA0002/" + - + id: "TA0006" + url: "https://attack.mitre.org/tactics/TA0006/" + - + id: "TA0007" + url: "https://attack.mitre.org/tactics/TA0007/" + - + id: "TA0009" + url: "https://attack.mitre.org/tactics/TA0009/" + - + id: "TA0010" + url: "https://attack.mitre.org/tactics/TA0010/" + network: + host: + ip: "7.7.7.7.7.10" + name: "bb8989bc" + organizationUuid: "203ae021-7e10-4356-ad6e-0c4b94d8511e" + productName: "ContrastADR" + request: + headers: + Cookie: + - "JSESSIONID=EB2C548D2789AEFB92E843E958D2410E" + accept: + - "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7" + accept-encoding: + - "gzip, deflate, br, zstd" + accept-language: + - "en-GB,en-US;q=0.9,en;q=0.8" + connection: + - "keep-alive" + host: + - "localhost:8080" + referer: + - "http://localhost:8080/customers/find" + sec-ch-ua: + - "\"Chromium\";v=\"136\", \"Google Chrome\";v=\"136\", 
\"Not.A/Brand\";v=\"99\"" + sec-ch-ua-mobile: + - "?0" + sec-ch-ua-platform: + - "\"macOS\"" + sec-fetch-dest: + - "document" + sec-fetch-mode: + - "navigate" + sec-fetch-site: + - "same-origin" + sec-fetch-user: + - "?1" + upgrade-insecure-requests: + - "1" + user-agent: + - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36" + method: "GET" + parameters: + lastName: + - "contrast-redacted-name" + protocol: "http" + protocolVersion: "1.1" + queryString: "lastName=contrast-redacted-name" + result: "BLOCKED" + rule: "sql-injection" + ruleUuid: "ssjs-injection" + server: + id: "27958" + name: "Petclinic-thib" + severity: "critical" + sourceIp: "7.7.7.7.7.10" + uiUrl: "https://teamserver-scantest.contsec.com/Contrast/static/ng/index.html#/203ae021-7e10-4356-ad6e-0c4b94d8511e/attack-events/1678918a-103f-4030-a416-3b8766e47e19?groupBy=&dateRange-type=CUSTOM_DATE_RANGE&dateRange-startDate=1747217573585&dateRange-endDate=1747217693585&applicationId=08f46d44-b7da-4978-b903-fcce249f457a" + url: "/customers" + vectorAnalysis: + callLocation: "org.springframework.samples.petclinic.customer.CustomerRepository.findByLastName(CustomerRepository.java:31)" + vectorFields: + query: "SELECT DISTINCT * FROM customers WHERE customers.last_name LIKE '%' or 1=1; # antwerp%'" + ruleUuid: "sql-injection" + version: "6.14.0" + message: |- { "severity" : "critical", - "detectedTime" : "1760339848000", + "detectedTime" : "1764161753000", "server" : { "name" : "Petclinic-thib", "id" : "27958" @@ -60,7 +407,7 @@ tests: "eventUuid" : "1678918a-103f-4030-a416-3b8766e47e19", "productName" : "ContrastADR", "url" : "/customers", - "result" : "exploited", + "result" : "BLOCKED", "environment" : "production", "organizationUuid" : "203ae021-7e10-4356-ad6e-0c4b94d8511e", "incident_id" : "INC-2025-c51", 
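Review bot: The expected result pins the raw `Cookie` header, including the `JSESSIONID` session token, into both `http.request.headers.Cookie` and the duplicated `request.headers.Cookie`, so this fixture locks in the pipeline indexing a session identifier from every attack event rather than scrubbing it. Session tokens should be redacted at the source or by a processor before indexing; the pipeline definition is outside this hunk, so the change belongs there, with this expectation updated to the scrubbed value. The same expectation also pins `http.useragent_details.os.family: "Linux 6.10.14-linuxkit aarch64"` beside a Macintosh `user-agent`, which is the server OS landing in the client-OS attribute and is worth fixing together with the remapper. The `tests` entry started here continues across the following hunks.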
@@ -71,15 +418,6 @@ tests: }, { "id" : "TA0002", "url" : "https://attack.mitre.org/tactics/TA0002/" - }, { - "id" : "TA0003", - "url" : "https://attack.mitre.org/tactics/TA0003/" - }, { - "id" : "TA0004", - "url" : "https://attack.mitre.org/tactics/TA0004/" - }, { - "id" : "TA0005", - "url" : "https://attack.mitre.org/tactics/TA0005/" }, { "id" : "TA0006", "url" : "https://attack.mitre.org/tactics/TA0006/" @@ -98,16 +436,16 @@ tests: "agentLanguage" : "java", "id" : "08f46d44-b7da-4978-b903-fcce249f457a" }, - "sourceIp" : "7.7.7.7.7.8", + "sourceIp" : "7.7.7.7.7.10", "codeLocation" : { "stack" : [ { - "fileName" : "HikariProxyStatement.java", - "shortSummary" : "executeQuery() @ HikariProxyStatement.java:-1", - "description" : "com.zaxxer.hikari.pool.HikariProxyStatement.executeQuery(HikariProxyStatement.java:-1)", - "methodName" : "executeQuery", - "className" : "com.zaxxer.hikari.pool.HikariProxyStatement", - "type" : "frameSink", - "lineNumber" : -1 + "fileName" : "SecurityContextHolderAwareRequestFilter.java", + "shortSummary" : "doFilter() @ SecurityContextHolderAwareRequestFilter.java:179", + "description" : "org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179)", + "methodName" : "doFilter", + "className" : "org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter", + "type" : "frameCommon", + "lineNumber" : 179 }, { "fileName" : "ObservationFilterChainDecorator.java", "shortSummary" : "wrapFilter() @ ObservationFilterChainDecorator.java:240", 
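Review bot: The edited `sourceIp` value `7.7.7.7.7.10` has five octets and is not a valid IPv4 address, and the first hunk's expectation copies it unchanged into `network.host.ip`, so any IP-typed facet or enrichment on that attribute is never exercised by this test. Since the line is already being rewritten, use a syntactically valid documentation-range address (constructed example: `"sourceIp" : "7.7.7.10"` is still not reserved; prefer `"sourceIp" : "203.0.113.10"`) and update the places the expected result repeats it. The sample object this line belongs to continues outside the hunk.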
@@ -124,6 +462,14 @@ tests: "className" : "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter", "type" : "frameCommon", "lineNumber" : 227 + }, { + "fileName" : "ObservationFilterChainDecorator.java", + "shortSummary" : "doFilter() @ ObservationFilterChainDecorator.java:137", + "description" : "org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)", + "methodName" : "doFilter", + "className" : "org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain", + "type" : "frameCommon", + "lineNumber" : 137 } ], "file" : "HikariProxyStatement.java", "method" : "executeQuery()" 
@@ -140,413 +486,7 @@ tests: "agentVersion" : "6.14.0", "uiUrl" : "https://teamserver-scantest.contsec.com/Contrast/static/ng/index.html#/203ae021-7e10-4356-ad6e-0c4b94d8511e/attack-events/1678918a-103f-4030-a416-3b8766e47e19?groupBy=&dateRange-type=CUSTOM_DATE_RANGE&dateRange-startDate=1747217573585&dateRange-endDate=1747217693585&applicationId=08f46d44-b7da-4978-b903-fcce249f457a" } - result: - custom: - agentVersion: "6.14.0" - apiUri: "/api/v4/organizations/203ae021-7e10-4356-ad6e-0c4b94d8511e/applications/08f46d44-b7da-4978-b903-fcce249f457a/attack-events/1678918a-103f-4030-a416-3b8766e47e19" - application: - agentLanguage: "java" - id: "08f46d44-b7da-4978-b903-fcce249f457a" - name: "Web-Application-thib" - attackPayload: - attackerInput: - applicableAttack: false - confirmedAttack: false - documentPath: "/abc" - documentType: "NORMAL" - effectiveAttack: false - inputType: "PARAMETER_VALUE" - name: "lastName" - patternsMatched: - - "PIDS-SQLI-42A,PIDS-SQLI-44C,TRUING_STRING_INJ,PIDS-SQLI-4001" - url: "/owner" - value: "' or 1=1; # antwerp" - cloudProvider: "UNKNOWN" - codeLocation: - file: "HikariProxyStatement.java" - method: "executeQuery()" - stack: - - fileName: "HikariProxyStatement.java" - shortSummary: "executeQuery() @ HikariProxyStatement.java:-1" - description: "com.zaxxer.hikari.pool.HikariProxyStatement.executeQuery(HikariProxyStatement.java:-1)" - methodName: "executeQuery" - className: "com.zaxxer.hikari.pool.HikariProxyStatement" - type: "frameSink" - lineNumber: -1 - - fileName: "ObservationFilterChainDecorator.java" - shortSummary: "wrapFilter() @ ObservationFilterChainDecorator.java:240" - description: "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)" - methodName: "wrapFilter" - className: "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter" - type: "frameCommon" - lineNumber: 240 - - fileName: 
"ObservationFilterChainDecorator.java" - shortSummary: "doFilter() @ ObservationFilterChainDecorator.java:227" - description: "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)" - methodName: "doFilter" - className: "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter" - type: "frameCommon" - lineNumber: 227 - contrast_adr: - incident_id: "INC-2025-c51" - date: "1760339848000" - detectedTime: "1760339848000" - environment: "production" - eventUuid: "1678918a-103f-4030-a416-3b8766e47e19" - evt: - name: "sql-injection" - outcome: "exploited" - host: - hostname: "bb8989bc" - isDocker: true - operatingSystem: "Linux 6.10.14-linuxkit aarch64" - runtimePath: "/opt/java/openjdk/bin/java" - runtimeVersion: "OpenJDK Runtime Environment 17.0.14+7" - http: - method: "GET" - referer: - - "http://localhost:8080/customers/find" - request: - headers: - Cookie: - - "JSESSIONID=EB2C548D2789AEFB92E843E958D2410E" - accept: - - "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7" - accept-encoding: - - "gzip, deflate, br, zstd" - accept-language: - - "en-GB,en-US;q=0.9,en;q=0.8" - connection: - - "keep-alive" - host: - - "localhost:8080" - referer: - - "http://localhost:8080/customers/find" - sec-ch-ua: - - '"Chromium";v="136", "Google Chrome";v="136", "Not.A/Brand";v="99"' - sec-ch-ua-mobile: - - "?0" - sec-ch-ua-platform: - - '"macOS"' - sec-fetch-dest: - - "document" - sec-fetch-mode: - - "navigate" - sec-fetch-site: - - "same-origin" - sec-fetch-user: - - "?1" - upgrade-insecure-requests: - - "1" - user-agent: - - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36" - url_details: - host: - - "localhost:8080" - path: - path: 
"/api/v4/organizations/203ae021-7e10-4356-ad6e-0c4b94d8511e/applications/08f46d44-b7da-4978-b903-fcce249f457a/attack-events/1678918a-103f-4030-a416-3b8766e47e19" - queryString: "lastName=contrast-redacted-name" - scheme: "http" - user-agent: - - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36" - version: "1.1" - incident_id: "INC-2025-c51" - mitreTactics: - - id: "TA0001" - url: "https://attack.mitre.org/tactics/TA0001/" - - id: "TA0002" - url: "https://attack.mitre.org/tactics/TA0002/" - - id: "TA0003" - url: "https://attack.mitre.org/tactics/TA0003/" - - id: "TA0004" - url: "https://attack.mitre.org/tactics/TA0004/" - - id: "TA0005" - url: "https://attack.mitre.org/tactics/TA0005/" - - id: "TA0006" - url: "https://attack.mitre.org/tactics/TA0006/" - - id: "TA0007" - url: "https://attack.mitre.org/tactics/TA0007/" - - id: "TA0009" - url: "https://attack.mitre.org/tactics/TA0009/" - - id: "TA0010" - url: "https://attack.mitre.org/tactics/TA0010/" - network: - host: - ip: "7.7.7.7.7.8" - name: "bb8989bc" - organizationUuid: "203ae021-7e10-4356-ad6e-0c4b94d8511e" - productName: "ContrastADR" - request: - headers: - Cookie: - - "JSESSIONID=EB2C548D2789AEFB92E843E958D2410E" - accept: - - "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7" - accept-encoding: - - "gzip, deflate, br, zstd" - accept-language: - - "en-GB,en-US;q=0.9,en;q=0.8" - connection: - - "keep-alive" - host: - - "localhost:8080" - referer: - - "http://localhost:8080/customers/find" - sec-ch-ua: - - '"Chromium";v="136", "Google Chrome";v="136", "Not.A/Brand";v="99"' - sec-ch-ua-mobile: - - "?0" - sec-ch-ua-platform: - - '"macOS"' - sec-fetch-dest: - - "document" - sec-fetch-mode: - - "navigate" - sec-fetch-site: - - "same-origin" - sec-fetch-user: - - "?1" - upgrade-insecure-requests: - - "1" - user-agent: - - "Mozilla/5.0 (Macintosh; Intel Mac OS 
X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36" - method: "GET" - parameters: - lastName: - - "contrast-redacted-name" - protocol: "http" - protocolVersion: "1.1" - queryString: "lastName=contrast-redacted-name" - result: "exploited" - rule: "sql-injection" - ruleUuid: "ssjs-injection" - server: - id: "27958" - name: "Petclinic-thib" - severity: "critical" - sourceIp: "7.7.7.7.7.8" - uiUrl: "https://teamserver-scantest.contsec.com/Contrast/static/ng/index.html#/203ae021-7e10-4356-ad6e-0c4b94d8511e/attack-events/1678918a-103f-4030-a416-3b8766e47e19?groupBy=&dateRange-type=CUSTOM_DATE_RANGE&dateRange-startDate=1747217573585&dateRange-endDate=1747217693585&applicationId=08f46d44-b7da-4978-b903-fcce249f457a" - url: "/customers" - vectorAnalysis: - callLocation: "org.springframework.samples.petclinic.customer.CustomerRepository.findByLastName(CustomerRepository.java:31)" - vectorFields: - query: "SELECT DISTINCT * FROM customers WHERE customers.last_name LIKE '%' or 1=1; # antwerp%'" - ruleUuid: "sql-injection" - version: "6.14.0" - message: |- - { - "severity" : "critical", - "detectedTime" : "1760339848000", - "server" : { - "name" : "Petclinic-thib", - "id" : "27958" - }, - "request" : { - "headers" : { - "Cookie" : [ "JSESSIONID=EB2C548D2789AEFB92E843E958D2410E" ], - "sec-fetch-mode" : [ "navigate" ], - "referer" : [ "http://localhost:8080/customers/find" ], - "sec-fetch-site" : [ "same-origin" ], - "accept-language" : [ "en-GB,en-US;q=0.9,en;q=0.8" ], - "sec-fetch-user" : [ "?1" ], - "accept" : [ "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7" ], - "sec-ch-ua" : [ "\"Chromium\";v=\"136\", \"Google Chrome\";v=\"136\", \"Not.A/Brand\";v=\"99\"" ], - "sec-ch-ua-mobile" : [ "?0" ], - "sec-ch-ua-platform" : [ "\"macOS\"" ], - "host" : [ "localhost:8080" ], - "upgrade-insecure-requests" : [ "1" ], - "connection" : [ "keep-alive" ], - 
"accept-encoding" : [ "gzip, deflate, br, zstd" ], - "sec-fetch-dest" : [ "document" ], - "user-agent" : [ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36" ] - }, - "protocol" : "http", - "method" : "GET", - "protocolVersion" : "1.1", - "queryString" : "lastName=contrast-redacted-name", - "parameters" : { - "lastName" : [ "contrast-redacted-name" ] - } - }, - "vectorAnalysis" : { - "vectorFields" : { - "ruleUuid" : "sql-injection", - "query" : "SELECT DISTINCT * FROM customers WHERE customers.last_name LIKE '%' or 1=1; # antwerp%'" - }, - "callLocation" : "org.springframework.samples.petclinic.customer.CustomerRepository.findByLastName(CustomerRepository.java:31)" - }, - "attackPayload" : { - "attackerInput" : { - "confirmedAttack" : false, - "documentType" : "NORMAL", - "effectiveAttack" : false, - "name" : "lastName", - "applicableAttack" : false, - "inputType" : "PARAMETER_VALUE", - "patternsMatched" : [ "PIDS-SQLI-42A,PIDS-SQLI-44C,TRUING_STRING_INJ,PIDS-SQLI-4001" ], - "documentPath" : "/abc" - }, - "value" : "' or 1=1; # antwerp", - "url" : "/owner" - }, - "rule" : "sql-injection", - "eventUuid" : "1678918a-103f-4030-a416-3b8766e47e19", - "productName" : "ContrastADR", - "url" : "/customers", - "result" : "exploited", - "environment" : "production", - "organizationUuid" : "203ae021-7e10-4356-ad6e-0c4b94d8511e", - "incident_id" : "INC-2025-c51", - "apiUri" : "/api/v4/organizations/203ae021-7e10-4356-ad6e-0c4b94d8511e/applications/08f46d44-b7da-4978-b903-fcce249f457a/attack-events/1678918a-103f-4030-a416-3b8766e47e19", - "mitreTactics" : [ { - "id" : "TA0001", - "url" : "https://attack.mitre.org/tactics/TA0001/" - }, { - "id" : "TA0002", - "url" : "https://attack.mitre.org/tactics/TA0002/" - }, { - "id" : "TA0003", - "url" : "https://attack.mitre.org/tactics/TA0003/" - }, { - "id" : "TA0004", - "url" : "https://attack.mitre.org/tactics/TA0004/" - }, { - "id" : "TA0005", - "url" : 
"https://attack.mitre.org/tactics/TA0005/" - }, { - "id" : "TA0006", - "url" : "https://attack.mitre.org/tactics/TA0006/" - }, { - "id" : "TA0007", - "url" : "https://attack.mitre.org/tactics/TA0007/" - }, { - "id" : "TA0009", - "url" : "https://attack.mitre.org/tactics/TA0009/" - }, { - "id" : "TA0010", - "url" : "https://attack.mitre.org/tactics/TA0010/" - } ], - "application" : { - "name" : "Web-Application-thib", - "agentLanguage" : "java", - "id" : "08f46d44-b7da-4978-b903-fcce249f457a" - }, - "sourceIp" : "7.7.7.7.7.8", - "codeLocation" : { - "stack" : [ { - "fileName" : "HikariProxyStatement.java", - "shortSummary" : "executeQuery() @ HikariProxyStatement.java:-1", - "description" : "com.zaxxer.hikari.pool.HikariProxyStatement.executeQuery(HikariProxyStatement.java:-1)", - "methodName" : "executeQuery", - "className" : "com.zaxxer.hikari.pool.HikariProxyStatement", - "type" : "frameSink", - "lineNumber" : -1 - }, { - "fileName" : "ObservationFilterChainDecorator.java", - "shortSummary" : "wrapFilter() @ ObservationFilterChainDecorator.java:240", - "description" : "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)", - "methodName" : "wrapFilter", - "className" : "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter", - "type" : "frameCommon", - "lineNumber" : 240 - }, { - "fileName" : "ObservationFilterChainDecorator.java", - "shortSummary" : "doFilter() @ ObservationFilterChainDecorator.java:227", - "description" : "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)", - "methodName" : "doFilter", - "className" : "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter", - "type" : "frameCommon", - "lineNumber" : 227 - } ], - "file" : "HikariProxyStatement.java", - "method" : "executeQuery()" - }, - "ruleUuid" : "ssjs-injection", - 
"cloudProvider" : "UNKNOWN", - "host" : { - "runtimeVersion" : "OpenJDK Runtime Environment 17.0.14+7", - "hostname" : "bb8989bc", - "runtimePath" : "/opt/java/openjdk/bin/java", - "isDocker" : true, - "operatingSystem" : "Linux 6.10.14-linuxkit aarch64" - }, - "agentVersion" : "6.14.0", - "uiUrl" : "https://teamserver-scantest.contsec.com/Contrast/static/ng/index.html#/203ae021-7e10-4356-ad6e-0c4b94d8511e/attack-events/1678918a-103f-4030-a416-3b8766e47e19?groupBy=&dateRange-type=CUSTOM_DATE_RANGE&dateRange-startDate=1747217573585&dateRange-endDate=1747217693585&applicationId=08f46d44-b7da-4978-b903-fcce249f457a" - } - status: "critical" - tags: - - "source:LOGS_SOURCE" - timestamp: 1 - - sample: |- - { - "severity" : "Critical", - "summary" : " observed the following suspicious value accessing the application through the HTTP Request Parameter query cat /etc/passwd", - "alertType" : "incident_created", - "alertReason" : "Incident Created", - "source" : "security", - "eventType" : "incidentalert", - "recommendedRunbooks" : [ "https://dev/adr-runbooks/runbooks/path-traversal/" ], - "url" : "https://apptwo.com/cs/index.html#/0f767995-4882-4c7c-889f-994d945ff0d5/incidents/INC-2025-6", - "relatedRules" : [ "path-traversal" ], - "score" : 9.3, - "organizationUuid" : "0f767995-4882-4c7c-889f-994d945ff0d5", - "createdTime" : "2025-10-08T12:22:23.0000Z", - "recommendedActions" : [ "We did not block this attack because blocking was not enabled for DM-ADR-Web-Application in Production.", "Add an exclusion for this attack event." 
], - "incidentId" : "INC-2025-c11", - "incidentName" : "Path Traversal on \"/postjsoncmd\"", - "status" : "Open", - "timestamp" : "2025-10-08T12:08:22.0000Z" - } - result: - custom: - alertReason: "Incident Created" - alertType: "incident_created" - createdTime: "2025-10-08T12:22:23.0000Z" - date: "2025-10-08T12:22:23.0000Z" - eventType: "incidentalert" - incidentId: "INC-2025-c11" - incidentName: 'Path Traversal on "/postjsoncmd"' - organizationUuid: "0f767995-4882-4c7c-889f-994d945ff0d5" - recommendedActions: - - "We did not block this attack because blocking was not enabled for DM-ADR-Web-Application in Production." - - "Add an exclusion for this attack event." - recommendedRunbooks: - - "https://dev/adr-runbooks/runbooks/path-traversal/" - relatedRules: - - "path-traversal" - resource: - type: "incidentalert" - url: "https://apptwo.com/cs/index.html#/0f767995-4882-4c7c-889f-994d945ff0d5/incidents/INC-2025-6" - score: 9.3 - severity: "Critical" - source: "security" - status: "Open" - summary: " observed the following suspicious value accessing the application through the HTTP Request Parameter query cat /etc/passwd" - syslog: - severity: 9.3 - timestamp: "2025-10-08T12:08:22.0000Z" - url: "https://apptwo.com/cs/index.html#/0f767995-4882-4c7c-889f-994d945ff0d5/incidents/INC-2025-6" - message: |- - { - "severity" : "Critical", - "summary" : " observed the following suspicious value accessing the application through the HTTP Request Parameter query cat /etc/passwd", - "alertType" : "incident_created", - "alertReason" : "Incident Created", - "source" : "security", - "eventType" : "incidentalert", - "recommendedRunbooks" : [ "https://dev/adr-runbooks/runbooks/path-traversal/" ], - "url" : "https://apptwo.com/cs/index.html#/0f767995-4882-4c7c-889f-994d945ff0d5/incidents/INC-2025-6", - "relatedRules" : [ "path-traversal" ], - "score" : 9.3, - "organizationUuid" : "0f767995-4882-4c7c-889f-994d945ff0d5", - "createdTime" : "2025-10-08T12:22:23.0000Z", - 
"recommendedActions" : [ "We did not block this attack because blocking was not enabled for DM-ADR-Web-Application in Production.", "Add an exclusion for this attack event." ],
- "incidentId" : "INC-2025-c11",
- "incidentName" : "Path Traversal on \"/postjsoncmd\"",
- "status" : "Open",
- "timestamp" : "2025-10-08T12:08:22.0000Z"
- }
- status: "critical"
- tags:
- - "source:LOGS_SOURCE"
- timestamp: 1759926143000
+ status: "critical"
+ tags:
+ - "source:LOGS_SOURCE"
+ timestamp: 1
diff --git a/contrast_security_adr/assets/security/confirmed_dlp_event_received_from_contrast_adr.json b/contrast_security_adr/assets/security/confirmed_dlp_event_received_from_contrast_adr.json
index d8d17c9ac..b0ff78984 100644
--- a/contrast_security_adr/assets/security/confirmed_dlp_event_received_from_contrast_adr.json
+++ b/contrast_security_adr/assets/security/confirmed_dlp_event_received_from_contrast_adr.json
@@ -1,7 +1,7 @@
 {
 "name": "Confirmed DLP event received from Contrast ADR",
 "partnerRuleId": "ext-00w-f8n",
- "message": "### Summary:\nDLP Alert Confirmed {{@evt.outcome}} by Contrast ADR on {{@url}} endpoint of {{@application.name}}\n\n#### sub-query/drill-down searches:\n list of matching alerts and events from both sources for the same source ip, target ip address\n \n### Actions:\n\n View recommended actions at https://contrastsecurity.dev/adr-runbooks/runbooks/{{@rule}}\n\nView in Contrast Security ADR: {{@uiUrl}}",
+ "message": "### Summary:\n\nConfirmed active SQL Injection by Contrast ADR on {{@url}} endpoint of {{@application.name}}\n \n### Actions:\n\n View recommended actions at https://contrastsecurity.dev/adr-runbooks/runbooks/{{@rule}}\n\nView in Contrast Security ADR: {{@uiUrl}}",
 "createdAt": 1749466228666,
 "isDefault": false,
 "isPartner": false,
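Review bot: The surviving expectation keeps `timestamp: 1` although the sample carries `detectedTime: "1764161753000"` and the result shows it copied to `date`, which suggests the epoch-millisecond string is not being parsed as the log timestamp; the incident sample this hunk deletes did yield a real `timestamp: 1759926143000` from its ISO-8601 `createdTime`. If detection time is not becoming the log timestamp, windowed rules such as the two in this commit will correlate on ingestion time instead, so confirm the date remapper accepts epoch-ms strings or convert `detectedTime` before it, then pin the expectation to `timestamp: 1764161753000`. This hunk also removes the only `incidentalert` sample, so the `resource.type`, `syslog.severity` and `score` mappings the old expectation covered are no longer tested unless that event type was dropped from the pipeline, which this diff does not show.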
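Review bot: The new `message` hard-codes "Confirmed active SQL Injection" in a rule named "Confirmed DLP event received from Contrast ADR" whose runbook link still interpolates `{{@rule}}`, so any other rule that satisfies the condition will emit a signal titled SQL Injection. The sibling WAF rule in this commit switches its summary to `{{@result}}` to match its `@result:` query, and the test fixture shows both `rule` and `result` present on the event, so the same fields keep this summary truthful: `Confirmed active {{@rule}} ({{@result}}) by Contrast ADR on {{@url}} endpoint of {{@application.name}}`. The rule's own queries are outside this hunk, so confirm they do not already restrict to a single rule before keeping a fixed title.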
@@ -46,15 +46,13 @@
"condition": "a > 0 && b > 0"
}
],
- "tags": [
- "source:contrast-security-adr"
- ],
+ "tags": [],
"hasExtendedTitle": true,
"type": "log_detection",
"filters": [],
- "version": 10,
+ "version": 22,
"id": "xgy-cyz-hyl",
- "updatedAt": 1756385774972,
+ "updatedAt": 1764678410070,
"blocking": false,
"metadata": {
"entities": [],
@@ -64,13 +62,13 @@
]
},
"creationAuthorId": 26956021,
- "updateAuthorId": 37357442,
+ "updateAuthorId": 64082222,
"creator": {
"handle": "pranav.kalariya@contrastsecurity.com",
"name": "Pranav Kalariya"
},
"updater": {
- "handle": "pavan.kulkarni@contrastsecurity.com",
- "name": "Pavan Kulkarni"
+ "handle": "harsha.nagendra@contrastsecurity.com",
+ "name": "Harsha Nagendra"
}
-}
\ No newline at end of file
+}
diff --git a/contrast_security_adr/assets/security/confirmed_waf_alert_received_from_contrast_adr.json b/contrast_security_adr/assets/security/confirmed_waf_alert_received_from_contrast_adr.json
index c69eae340..cfcbf3edc 100644
--- a/contrast_security_adr/assets/security/confirmed_waf_alert_received_from_contrast_adr.json
+++ b/contrast_security_adr/assets/security/confirmed_waf_alert_received_from_contrast_adr.json
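Review bot: Emptying `tags` drops the `source:contrast-security-adr` tag from the signals this rule emits, and nothing in this hunk replaces it; the same removal appears in the WAF, exploited-attack and incident rule files later in this diff. The in-production rule instead keeps that value under `defaultTags`, which suggests the intent was to move the tag, not to lose it. If downstream routing, dashboards or saved views filter signals on that tag, keep it here as well, e.g. `"defaultTags": ["source:contrast-security-adr"]`, or leave the original `tags` entry in place.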
@@ -1,7 +1,7 @@
{
"name": "Confirmed WAF alert received from Contrast ADR",
"partnerRuleId": "ext-00g-gwc",
- "message": "### Summary:\nWAF Alert Confirmed {{@evt.outcome}} by Contrast ADR on {{@url}} endpoint of {{@application.name}}\n\n#### sub-query/drill-down searches:\n list of matching alerts and events from both sources for the same source ip, target ip address\n \n### Actions:\n\n View recommended actions at https://contrastsecurity.dev/adr-runbooks/runbooks/{{@rule}}\n\nView in Contrast Security ADR: {{@uiUrl}}",
+ "message": "### Summary:\nWAF Alert Confirmed {{@result}} by Contrast ADR on {{@url}} endpoint of {{@application.name}}\n \n### Actions:\n\n View recommended actions at https://contrastsecurity.dev/adr-runbooks/runbooks/{{@rule}}\n\nView in Contrast Security ADR: {{@uiUrl}}",
"createdAt": 1747814166967,
"isDefault": false,
"isPartner": false,
@@ -10,7 +10,7 @@
"isDeprecated": false,
"queries": [
{
- "query": "source:contrast-security-adr tags:attack_event @result:(EXPLOITED OR exploited OR BLOCKED OR blocked) service:ContrastADR",
+ "query": "source:contrast-security-adr tags:attack_event @result:((EXPLOITED OR exploited) OR (BLOCKED OR blocked)) service:ContrastADR",
"groupByFields": [
"@sourceIp"
],
@@ -33,7 +33,7 @@
}
],
"options": {
- "evaluationWindow": 900,
+ "evaluationWindow": 300,
"detectionMethod": "threshold",
"maxSignalDuration": 86400,
"keepAlive": 3600
@@ -43,18 +43,16 @@
"name": "Condition 1",
"status": "info",
"notifications": [],
- "condition": "a > 0 && b > 0"
+ "condition": "b > 0 && a > 0 "
}
],
- "tags": [
- "source:contrast-security-adr"
- ],
+ "tags": [],
"hasExtendedTitle": true,
"type": "log_detection",
"filters": [],
- "version": 16,
+ "version": 37,
"id": "lrk-h3m-hto",
- "updatedAt": 1758182774632,
+ "updatedAt": 1764678406973,
"blocking": false,
"metadata": {
"entities": [],
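Review bot: The rewritten condition `"b > 0 && a > 0 "` carries a trailing space, and swapping the operands changes nothing, so the line can stay as it was: `"condition": "a > 0 && b > 0"`. In the query hunk above, the added grouping `((EXPLOITED OR exploited) OR (BLOCKED OR blocked))` is logically identical to the flat OR list it replaces and only makes the filter harder to read. Lowering `evaluationWindow` from 900 to 300 now requires query a and query b to both match within five minutes; if WAF and ADR events for the same attack can arrive further apart than that, the correlation will silently stop firing, so the reason for the shorter window is worth stating in the PR description.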
@@ -64,13 +62,13 @@
]
},
"creationAuthorId": 22452697,
- "updateAuthorId": 21357583,
+ "updateAuthorId": 64082222,
"creator": {
"handle": "pragati.gupta@contrastsecurity.com",
"name": "Pragati Gupta"
},
"updater": {
- "handle": "thibault.barillon@contrastsecurity.com",
- "name": "Thibault Barillon"
+ "handle": "harsha.nagendra@contrastsecurity.com",
+ "name": "Harsha Nagendra"
}
-}
\ No newline at end of file
+}
diff --git a/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr.json b/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr_.json
similarity index 83%
rename from contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr.json
rename to contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr_.json
index 924975434..95689f17a 100644
--- a/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr.json
+++ b/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr_.json
@@ -1,5 +1,5 @@
{
- "name": "Exploited attack event received from Contrast ADR",
+ "name": "Exploited attack event received from Contrast ADR ",
"partnerRuleId": "ext-00r-ric",
"message": "### Summary:\n{{@evt.outcome}} {{@rule}} from {{@source}} using {{@request.method}} on {{@url}} endpoint of {{@application.name}}\n\n### Actions:\n\n View recommended actions at https://contrastsecurity.dev/adr-runbooks/runbooks/{{@rule}}\n\nView in Contrast Security ADR: {{@uiUrl}}\n",
"createdAt": 1747806810257,
@@ -33,15 +33,13 @@
"condition": "a > 0"
}
],
- "tags": [
- "source:contrast-security-adr"
- ],
+ "tags": [],
"hasExtendedTitle": true,
"type": "log_detection",
"filters": [],
- "version": 13,
+ "version": 21,
"id": "ohm-81g-zoc",
- "updatedAt": 1758182776864,
+ "updatedAt": 1764678413790,
"blocking": false,
"metadata": {
"entities": [],
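Review bot: The renamed file now ends in `_adr_.json` and the new `name` value ends in a trailing space (`"Exploited attack event received from Contrast ADR "`); both look accidental, and together they make this rule differ from its siblings only by stray whitespace. The trailing space will also show up in signal titles and break any exact-match filter on the rule name. Keep the original filename and `"name": "Exploited attack event received from Contrast ADR"`.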
@@ -50,13 +48,13 @@
]
},
"creationAuthorId": 22452697,
- "updateAuthorId": 21357583,
+ "updateAuthorId": 64082222,
"creator": {
"handle": "pragati.gupta@contrastsecurity.com",
"name": "Pragati Gupta"
},
"updater": {
- "handle": "thibault.barillon@contrastsecurity.com",
- "name": "Thibault Barillon"
+ "handle": "harsha.nagendra@contrastsecurity.com",
+ "name": "Harsha Nagendra"
}
-}
\ No newline at end of file
+}
diff --git a/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr_in_production.json b/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr_in_production.json
index 22c1a4fd0..e5038d627 100644
--- a/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr_in_production.json
+++ b/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr_in_production.json
@@ -2,9 +2,10 @@
"name": "Exploited attack event received from Contrast ADR in production",
"partnerRuleId": "ext-00s-qxr",
"message": "### Summary:\n{{@evt.outcome}} {{@rule}} from {{@source}} using {{@request.method}} on {{@url}} endpoint of {{@application.name}}\n\n### Actions:\n\n View recommended actions at https://contrastsecurity.dev/adr-runbooks/runbooks/{{@rule}}\n\nView in Contrast Security ADR: {{@uiUrl}}\n",
- "createdAt": 1747809240984,
+ "customName": "Exploited attack event received from Contrast ADR in production Partner",
+ "createdAt": 1756412539694,
"isDefault": false,
- "isPartner": false,
+ "isPartner": true,
"isBeta": false,
"isDeleted": false,
"isDeprecated": false,
@@ -41,24 +42,27 @@
"hasExtendedTitle": true,
"type": "log_detection",
"filters": [],
- "version": 10,
- "id": "fa5-t5j-cdb",
- "updatedAt": 1758182776144,
+ "defaultTags": [
+ "source:contrast-security-adr"
+ ],
+ "version": 11,
+ "id": "ext-00s-qxr",
+ "updatedAt": 1764680591982,
"blocking": false,
+ "partnerIntegrationId": "contrast-security-adr",
"metadata": {
"entities": [],
"sources": [
"contrast-security-adr"
]
},
- "creationAuthorId": 22452697,
- "updateAuthorId": 21357583,
+ "updateAuthorId": 63957669,
"creator": {
- "handle": "pragati.gupta@contrastsecurity.com",
- "name": "Pragati Gupta"
+ "handle": "",
+ "name": ""
},
"updater": {
- "handle": "thibault.barillon@contrastsecurity.com",
- "name": "Thibault Barillon"
+ "handle": "deepak.gopal@contrastsecurity.com",
+ "name": "Deepak Gopal"
}
-}
\ No newline at end of file
+}
diff --git a/contrast_security_adr/assets/security/incident_event_received_from_contrast_adr.json b/contrast_security_adr/assets/security/incident_event_received_from_contrast_adr.json
index 729deff25..cce94ac24 100644
--- a/contrast_security_adr/assets/security/incident_event_received_from_contrast_adr.json
+++ b/contrast_security_adr/assets/security/incident_event_received_from_contrast_adr.json
@@ -1,7 +1,7 @@
{
"name": "Incident event received from Contrast ADR",
"partnerRuleId": "ext-00o-ysa",
- "message": "### Summary:\n### sub-query/drill-down searches:\nsource=\"Contrast\" AND organizationId = {{@organizationUuid}} AND incidentId = {{@incidentId}}\n### Actions:\nView recommended runbook at {{@recommendedRunbooks}}\nView in Contrast Security ADR: {{@url}}\n",
+ "message": "### Summary:\n\n{{@summary}}\n\n### Actions:\nView recommended runbook at {{@recommendedRunbooks}}\nView in Contrast Security ADR: {{@url}}\n",
"createdAt": 1747811769280,
"isDefault": false,
"isPartner": false,
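Review bot: The `creator` object becomes `{"handle": "", "name": ""}` and `creationAuthorId` is dropped, while every sibling rule file in this diff keeps a real creator and author id; empty strings read like a placeholder left over from exporting the partner copy rather than an intended value. If the export format permits it, omit `creator` instead of emitting empty strings, or restore the original block. This file alone now also carries `isPartner: true`, `partnerIntegrationId`, `defaultTags` and an `id` equal to its `partnerRuleId` (`ext-00s-qxr`), so it is in a different shape from the other rules; the PR description should say whether that divergence is deliberate and whether the other rules are meant to follow.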
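Review bot: The new incident `message` renders `{{@summary}}` verbatim into the signal body, and the (removed) test fixture earlier in this diff shows that field carrying the raw suspicious request value (`... HTTP Request Parameter query cat /etc/passwd`), i.e. content supplied by whoever sent the request. Because the message is Markdown and signals are forwarded to notification channels, confirm that the attribute is escaped on render and that no notification handler interpolates it into something that interprets it. If that cannot be guaranteed, keep the detail behind the `{{@url}}` link already in the template rather than inlining the summary.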
@@ -22,7 +22,7 @@
}
],
"options": {
- "evaluationWindow": 900,
+ "evaluationWindow": 300,
"detectionMethod": "threshold",
"maxSignalDuration": 86400,
"keepAlive": 3600
@@ -35,15 +35,13 @@
"condition": "a > 0"
}
],
- "tags": [
- "source:contrast-security-adr"
- ],
+ "tags": [],
"hasExtendedTitle": true,
"type": "log_detection",
"filters": [],
- "version": 11,
+ "version": 21,
"id": "2bn-ro5-p8h",
- "updatedAt": 1758182775207,
+ "updatedAt": 1764678412990,
"blocking": false,
"metadata": {
"entities": [],
@@ -52,13 +50,13 @@
]
},
"creationAuthorId": 22452697,
- "updateAuthorId": 21357583,
+ "updateAuthorId": 64082222,
"creator": {
"handle": "pragati.gupta@contrastsecurity.com",
"name": "Pragati Gupta"
},
"updater": {
- "handle": "thibault.barillon@contrastsecurity.com",
- "name": "Thibault Barillon"
+ "handle": "harsha.nagendra@contrastsecurity.com",
+ "name": "Harsha Nagendra"
}
-}
\ No newline at end of file
+}
diff --git a/contrast_security_adr/manifest.json b/contrast_security_adr/manifest.json
index 375d04c69..52af502dd 100644
--- a/contrast_security_adr/manifest.json
+++ b/contrast_security_adr/manifest.json
@@ -1,6 +1,5 @@
{
"app_id": "contrast-security-adr",
- "owner": "integrations-developer-platform",
"app_uuid": "01967c4b-c618-7f2d-9af8-db3506afd1b5",
"manifest_version": "2.0.0",
"display_on_public_website": true,