From 97a336e2bae9c0e7556fe948625ffa657a087faa Mon Sep 17 00:00:00 2001
From: "dd-pub-platform[bot]" <157534740+dd-pub-platform[bot]@users.noreply.github.com>
Date: Thu, 27 Nov 2025 05:36:11 +0000
Subject: [PATCH 1/8] Update Contrast Security ADR integration

---
 .../assets/logs/contrast-security-adr.yaml | 4 +
 .../logs/contrast-security-adr_tests.yaml | 729 ++++++++----------
 ..._dlp_event_received_from_contrast_adr.json | 6 +-
 ..._waf_alert_received_from_contrast_adr.json | 6 +-
 ...tack_event_received_from_contrast_adr.json | 6 +-
 ...eived_from_contrast_adr_in_production.json | 6 +-
 ...dent_event_received_from_contrast_adr.json | 6 +-
 contrast_security_adr/manifest.json | 1 -
 8 files changed, 351 insertions(+), 413 deletions(-)

diff --git a/contrast_security_adr/assets/logs/contrast-security-adr.yaml b/contrast_security_adr/assets/logs/contrast-security-adr.yaml
index 54c85b4031..948f63b3f5 100644
--- a/contrast_security_adr/assets/logs/contrast-security-adr.yaml
+++ b/contrast_security_adr/assets/logs/contrast-security-adr.yaml
@@ -1,5 +1,9 @@
 id: contrast-security-adr
+# See app_id in your integration's manifest.json file to learn more:
+# https://docs.datadoghq.com/developers/integrations/check_references/#manifest-file
 metric_id: contrast-security-adr
+# If for some reason id must be different than app_id, add the app_id in this field instead.
+# If id and app_id already match, this field can be left blank.
 backend_only: false
 facets:
 - groups:
diff --git a/contrast_security_adr/assets/logs/contrast-security-adr_tests.yaml b/contrast_security_adr/assets/logs/contrast-security-adr_tests.yaml
index 689b9a262c..05af3031f4 100644
--- a/contrast_security_adr/assets/logs/contrast-security-adr_tests.yaml
+++ b/contrast_security_adr/assets/logs/contrast-security-adr_tests.yaml
@@ -1,6 +1,293 @@ id: contrast-security-adr tests: - - sample: |- + - + sample: |- + { + "severity" : "critical", + "detectedTime" : "1760339848000", + "server" : { + "name" : "Petclinic-thib", + "id" : "27958" + }, + "request" : { + "headers" : { + "Cookie" : [ "JSESSIONID=EB2C548D2789AEFB92E843E958D2410E" ], + "sec-fetch-mode" : [ "navigate" ], + "referer" : [ "http://localhost:8080/customers/find" ], + "sec-fetch-site" : [ "same-origin" ], + "accept-language" : [ "en-GB,en-US;q=0.9,en;q=0.8" ], + "sec-fetch-user" : [ "?1" ], + "accept" : [ "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7" ], + "sec-ch-ua" : [ "\"Chromium\";v=\"136\", \"Google Chrome\";v=\"136\", \"Not.A/Brand\";v=\"99\"" ], + "sec-ch-ua-mobile" : [ "?0" ], + "sec-ch-ua-platform" : [ "\"macOS\"" ], + "host" : [ "localhost:8080" ], + "upgrade-insecure-requests" : [ "1" ], + "connection" : [ "keep-alive" ], + "accept-encoding" : [ "gzip, deflate, br, zstd" ], + "sec-fetch-dest" : [ "document" ], + "user-agent" : [ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36" ] + }, + "protocol" : "http", + "method" : "GET", + "protocolVersion" : "1.1", + "queryString" : "lastName=contrast-redacted-name", + "parameters" : { + "lastName" : [ "contrast-redacted-name" ] + } + }, + "vectorAnalysis" : { + "vectorFields" : { + "ruleUuid" : "sql-injection", + "query" : "SELECT DISTINCT * FROM customers WHERE customers.last_name LIKE '%' or 1=1; # antwerp%'" + }, + "callLocation" : "org.springframework.samples.petclinic.customer.CustomerRepository.findByLastName(CustomerRepository.java:31)" + }, + "attackPayload" : { + "attackerInput" : { + "confirmedAttack" : false, + "documentType" : "NORMAL", + "effectiveAttack" : false, + "name" : "lastName", + "applicableAttack" : false, + "inputType" : "PARAMETER_VALUE", + "patternsMatched" : [ 
"PIDS-SQLI-42A,PIDS-SQLI-44C,TRUING_STRING_INJ,PIDS-SQLI-4001" ], + "documentPath" : "/abc" + }, + "value" : "' or 1=1; # antwerp", + "url" : "/owner" + }, + "rule" : "sql-injection", + "eventUuid" : "1678918a-103f-4030-a416-3b8766e47e19", + "productName" : "ContrastADR", + "url" : "/customers", + "result" : "exploited", + "environment" : "production", + "organizationUuid" : "203ae021-7e10-4356-ad6e-0c4b94d8511e", + "incident_id" : "INC-2025-c51", + "apiUri" : "/api/v4/organizations/203ae021-7e10-4356-ad6e-0c4b94d8511e/applications/08f46d44-b7da-4978-b903-fcce249f457a/attack-events/1678918a-103f-4030-a416-3b8766e47e19", + "mitreTactics" : [ { + "id" : "TA0001", + "url" : "https://attack.mitre.org/tactics/TA0001/" + }, { + "id" : "TA0002", + "url" : "https://attack.mitre.org/tactics/TA0002/" + }, { + "id" : "TA0003", + "url" : "https://attack.mitre.org/tactics/TA0003/" + }, { + "id" : "TA0004", + "url" : "https://attack.mitre.org/tactics/TA0004/" + }, { + "id" : "TA0005", + "url" : "https://attack.mitre.org/tactics/TA0005/" + }, { + "id" : "TA0006", + "url" : "https://attack.mitre.org/tactics/TA0006/" + }, { + "id" : "TA0007", + "url" : "https://attack.mitre.org/tactics/TA0007/" + }, { + "id" : "TA0009", + "url" : "https://attack.mitre.org/tactics/TA0009/" + }, { + "id" : "TA0010", + "url" : "https://attack.mitre.org/tactics/TA0010/" + } ], + "application" : { + "name" : "Web-Application-thib", + "agentLanguage" : "java", + "id" : "08f46d44-b7da-4978-b903-fcce249f457a" + }, + "sourceIp" : "7.7.7.7.7.8", + "codeLocation" : { + "stack" : [ { + "fileName" : "HikariProxyStatement.java", + "shortSummary" : "executeQuery() @ HikariProxyStatement.java:-1", + "description" : "com.zaxxer.hikari.pool.HikariProxyStatement.executeQuery(HikariProxyStatement.java:-1)", + "methodName" : "executeQuery", + "className" : "com.zaxxer.hikari.pool.HikariProxyStatement", + "type" : "frameSink", + "lineNumber" : -1 + }, { + "fileName" : "ObservationFilterChainDecorator.java", + 
"shortSummary" : "wrapFilter() @ ObservationFilterChainDecorator.java:240", + "description" : "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)", + "methodName" : "wrapFilter", + "className" : "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter", + "type" : "frameCommon", + "lineNumber" : 240 + }, { + "fileName" : "ObservationFilterChainDecorator.java", + "shortSummary" : "doFilter() @ ObservationFilterChainDecorator.java:227", + "description" : "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)", + "methodName" : "doFilter", + "className" : "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter", + "type" : "frameCommon", + "lineNumber" : 227 + } ], + "file" : "HikariProxyStatement.java", + "method" : "executeQuery()" + }, + "ruleUuid" : "ssjs-injection", + "cloudProvider" : "UNKNOWN", + "host" : { + "runtimeVersion" : "OpenJDK Runtime Environment 17.0.14+7", + "hostname" : "bb8989bc", + "runtimePath" : "/opt/java/openjdk/bin/java", + "isDocker" : true, + "operatingSystem" : "Linux 6.10.14-linuxkit aarch64" + }, + "agentVersion" : "6.14.0", + "uiUrl" : "https://teamserver-scantest.contsec.com/Contrast/static/ng/index.html#/203ae021-7e10-4356-ad6e-0c4b94d8511e/attack-events/1678918a-103f-4030-a416-3b8766e47e19?groupBy=&dateRange-type=CUSTOM_DATE_RANGE&dateRange-startDate=1747217573585&dateRange-endDate=1747217693585&applicationId=08f46d44-b7da-4978-b903-fcce249f457a" + } + result: + custom: + agentVersion: "6.14.0" + apiUri: "/api/v4/organizations/203ae021-7e10-4356-ad6e-0c4b94d8511e/applications/08f46d44-b7da-4978-b903-fcce249f457a/attack-events/1678918a-103f-4030-a416-3b8766e47e19" + application: + agentLanguage: "java" + id: "08f46d44-b7da-4978-b903-fcce249f457a" + name: "Web-Application-thib" + attackPayload: + attackerInput: + 
applicableAttack: false + confirmedAttack: false + documentPath: "/abc" + documentType: "NORMAL" + effectiveAttack: false + inputType: "PARAMETER_VALUE" + name: "lastName" + patternsMatched: + - "PIDS-SQLI-42A,PIDS-SQLI-44C,TRUING_STRING_INJ,PIDS-SQLI-4001" + url: "/owner" + value: "' or 1=1; # antwerp" + cloudProvider: "UNKNOWN" + codeLocation: + file: "HikariProxyStatement.java" + method: "executeQuery()" + stack: + - + fileName: "HikariProxyStatement.java" + shortSummary: "executeQuery() @ HikariProxyStatement.java:-1" + description: "com.zaxxer.hikari.pool.HikariProxyStatement.executeQuery(HikariProxyStatement.java:-1)" + methodName: "executeQuery" + className: "com.zaxxer.hikari.pool.HikariProxyStatement" + type: "frameSink" + lineNumber: -1 + - + fileName: "ObservationFilterChainDecorator.java" + shortSummary: "wrapFilter() @ ObservationFilterChainDecorator.java:240" + description: "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)" + methodName: "wrapFilter" + className: "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter" + type: "frameCommon" + lineNumber: 240 + - + fileName: "ObservationFilterChainDecorator.java" + shortSummary: "doFilter() @ ObservationFilterChainDecorator.java:227" + description: "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)" + methodName: "doFilter" + className: "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter" + type: "frameCommon" + lineNumber: 227 + detectedTime: "1760339848000" + environment: "production" + eventUuid: "1678918a-103f-4030-a416-3b8766e47e19" + host: + hostname: "bb8989bc" + isDocker: true + operatingSystem: "Linux 6.10.14-linuxkit aarch64" + runtimePath: "/opt/java/openjdk/bin/java" + runtimeVersion: "OpenJDK Runtime Environment 17.0.14+7" + incident_id: "INC-2025-c51" + 
mitreTactics: + - + id: "TA0001" + url: "https://attack.mitre.org/tactics/TA0001/" + - + id: "TA0002" + url: "https://attack.mitre.org/tactics/TA0002/" + - + id: "TA0003" + url: "https://attack.mitre.org/tactics/TA0003/" + - + id: "TA0004" + url: "https://attack.mitre.org/tactics/TA0004/" + - + id: "TA0005" + url: "https://attack.mitre.org/tactics/TA0005/" + - + id: "TA0006" + url: "https://attack.mitre.org/tactics/TA0006/" + - + id: "TA0007" + url: "https://attack.mitre.org/tactics/TA0007/" + - + id: "TA0009" + url: "https://attack.mitre.org/tactics/TA0009/" + - + id: "TA0010" + url: "https://attack.mitre.org/tactics/TA0010/" + organizationUuid: "203ae021-7e10-4356-ad6e-0c4b94d8511e" + productName: "ContrastADR" + request: + headers: + Cookie: + - "JSESSIONID=EB2C548D2789AEFB92E843E958D2410E" + accept: + - "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7" + accept-encoding: + - "gzip, deflate, br, zstd" + accept-language: + - "en-GB,en-US;q=0.9,en;q=0.8" + connection: + - "keep-alive" + host: + - "localhost:8080" + referer: + - "http://localhost:8080/customers/find" + sec-ch-ua: + - "\"Chromium\";v=\"136\", \"Google Chrome\";v=\"136\", \"Not.A/Brand\";v=\"99\"" + sec-ch-ua-mobile: + - "?0" + sec-ch-ua-platform: + - "\"macOS\"" + sec-fetch-dest: + - "document" + sec-fetch-mode: + - "navigate" + sec-fetch-site: + - "same-origin" + sec-fetch-user: + - "?1" + upgrade-insecure-requests: + - "1" + user-agent: + - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36" + method: "GET" + parameters: + lastName: + - "contrast-redacted-name" + protocol: "http" + protocolVersion: "1.1" + queryString: "lastName=contrast-redacted-name" + result: "exploited" + rule: "sql-injection" + ruleUuid: "ssjs-injection" + server: + id: "27958" + name: "Petclinic-thib" + severity: "critical" + sourceIp: "7.7.7.7.7.8" + uiUrl: 
"https://teamserver-scantest.contsec.com/Contrast/static/ng/index.html#/203ae021-7e10-4356-ad6e-0c4b94d8511e/attack-events/1678918a-103f-4030-a416-3b8766e47e19?groupBy=&dateRange-type=CUSTOM_DATE_RANGE&dateRange-startDate=1747217573585&dateRange-endDate=1747217693585&applicationId=08f46d44-b7da-4978-b903-fcce249f457a" + url: "/customers" + vectorAnalysis: + callLocation: "org.springframework.samples.petclinic.customer.CustomerRepository.findByLastName(CustomerRepository.java:31)" + vectorFields: + query: "SELECT DISTINCT * FROM customers WHERE customers.last_name LIKE '%' or 1=1; # antwerp%'" + ruleUuid: "sql-injection" + message: |- { "severity" : "critical", "detectedTime" : "1760339848000", 
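Review bot: The `result.custom` block added for this sample is a verbatim restatement of the input JSON, so the test no longer pins any pipeline-derived attribute — `status`, `timestamp`, `date`, `evt.name`, `evt.outcome`, `http.method` and `network.host.ip` were all asserted by the expectation this replaces and none of them survives on the new side. A regression in the status-remapper or in any attribute remapper of contrast-security-adr.yaml would therefore pass this test unnoticed; the incident sample added in `@@ -140,344 +427,53 @@` and its `tags:`-only tail in `@@ -497,56 +493,5 @@` have the same gap (previously `date`, `resource.type`, `syslog.severity`, `status`, `timestamp`). If the processed output is intentionally out of scope here, a comment under `tests:` saying so would stop the next reader from treating `custom` as the full expected output; otherwise re-adding at least `status: "critical"` and a `timestamp:` expectation next to `tags:` restores a meaningful check. This test entry continues past the end of the hunk.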
@@ -140,344 +427,53 @@ tests: "agentVersion" : "6.14.0", "uiUrl" : "https://teamserver-scantest.contsec.com/Contrast/static/ng/index.html#/203ae021-7e10-4356-ad6e-0c4b94d8511e/attack-events/1678918a-103f-4030-a416-3b8766e47e19?groupBy=&dateRange-type=CUSTOM_DATE_RANGE&dateRange-startDate=1747217573585&dateRange-endDate=1747217693585&applicationId=08f46d44-b7da-4978-b903-fcce249f457a" } - result: - custom: - agentVersion: "6.14.0" - apiUri: "/api/v4/organizations/203ae021-7e10-4356-ad6e-0c4b94d8511e/applications/08f46d44-b7da-4978-b903-fcce249f457a/attack-events/1678918a-103f-4030-a416-3b8766e47e19" - application: - agentLanguage: "java" - id: "08f46d44-b7da-4978-b903-fcce249f457a" - name: "Web-Application-thib" - attackPayload: - attackerInput: - applicableAttack: false - confirmedAttack: false - documentPath: "/abc" - documentType: "NORMAL" - effectiveAttack: false - inputType: "PARAMETER_VALUE" - name: "lastName" - patternsMatched: - - "PIDS-SQLI-42A,PIDS-SQLI-44C,TRUING_STRING_INJ,PIDS-SQLI-4001" - url: "/owner" - value: "' or 1=1; # antwerp" - cloudProvider: "UNKNOWN" - codeLocation: - file: "HikariProxyStatement.java" - method: "executeQuery()" - stack: - - fileName: "HikariProxyStatement.java" - shortSummary: "executeQuery() @ HikariProxyStatement.java:-1" - description: "com.zaxxer.hikari.pool.HikariProxyStatement.executeQuery(HikariProxyStatement.java:-1)" - methodName: "executeQuery" - className: "com.zaxxer.hikari.pool.HikariProxyStatement" - type: "frameSink" - lineNumber: -1 - - fileName: "ObservationFilterChainDecorator.java" - shortSummary: "wrapFilter() @ ObservationFilterChainDecorator.java:240" - description: "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)" - methodName: "wrapFilter" - className: "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter" - type: "frameCommon" - lineNumber: 240 - - fileName: 
"ObservationFilterChainDecorator.java" - shortSummary: "doFilter() @ ObservationFilterChainDecorator.java:227" - description: "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)" - methodName: "doFilter" - className: "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter" - type: "frameCommon" - lineNumber: 227 - contrast_adr: - incident_id: "INC-2025-c51" - date: "1760339848000" - detectedTime: "1760339848000" - environment: "production" - eventUuid: "1678918a-103f-4030-a416-3b8766e47e19" - evt: - name: "sql-injection" - outcome: "exploited" - host: - hostname: "bb8989bc" - isDocker: true - operatingSystem: "Linux 6.10.14-linuxkit aarch64" - runtimePath: "/opt/java/openjdk/bin/java" - runtimeVersion: "OpenJDK Runtime Environment 17.0.14+7" - http: - method: "GET" - referer: - - "http://localhost:8080/customers/find" - request: - headers: - Cookie: - - "JSESSIONID=EB2C548D2789AEFB92E843E958D2410E" - accept: - - "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7" - accept-encoding: - - "gzip, deflate, br, zstd" - accept-language: - - "en-GB,en-US;q=0.9,en;q=0.8" - connection: - - "keep-alive" - host: - - "localhost:8080" - referer: - - "http://localhost:8080/customers/find" - sec-ch-ua: - - '"Chromium";v="136", "Google Chrome";v="136", "Not.A/Brand";v="99"' - sec-ch-ua-mobile: - - "?0" - sec-ch-ua-platform: - - '"macOS"' - sec-fetch-dest: - - "document" - sec-fetch-mode: - - "navigate" - sec-fetch-site: - - "same-origin" - sec-fetch-user: - - "?1" - upgrade-insecure-requests: - - "1" - user-agent: - - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36" - url_details: - host: - - "localhost:8080" - path: - path: 
"/api/v4/organizations/203ae021-7e10-4356-ad6e-0c4b94d8511e/applications/08f46d44-b7da-4978-b903-fcce249f457a/attack-events/1678918a-103f-4030-a416-3b8766e47e19" - queryString: "lastName=contrast-redacted-name" - scheme: "http" - user-agent: - - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36" - version: "1.1" - incident_id: "INC-2025-c51" - mitreTactics: - - id: "TA0001" - url: "https://attack.mitre.org/tactics/TA0001/" - - id: "TA0002" - url: "https://attack.mitre.org/tactics/TA0002/" - - id: "TA0003" - url: "https://attack.mitre.org/tactics/TA0003/" - - id: "TA0004" - url: "https://attack.mitre.org/tactics/TA0004/" - - id: "TA0005" - url: "https://attack.mitre.org/tactics/TA0005/" - - id: "TA0006" - url: "https://attack.mitre.org/tactics/TA0006/" - - id: "TA0007" - url: "https://attack.mitre.org/tactics/TA0007/" - - id: "TA0009" - url: "https://attack.mitre.org/tactics/TA0009/" - - id: "TA0010" - url: "https://attack.mitre.org/tactics/TA0010/" - network: - host: - ip: "7.7.7.7.7.8" - name: "bb8989bc" - organizationUuid: "203ae021-7e10-4356-ad6e-0c4b94d8511e" - productName: "ContrastADR" - request: - headers: - Cookie: - - "JSESSIONID=EB2C548D2789AEFB92E843E958D2410E" - accept: - - "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7" - accept-encoding: - - "gzip, deflate, br, zstd" - accept-language: - - "en-GB,en-US;q=0.9,en;q=0.8" - connection: - - "keep-alive" - host: - - "localhost:8080" - referer: - - "http://localhost:8080/customers/find" - sec-ch-ua: - - '"Chromium";v="136", "Google Chrome";v="136", "Not.A/Brand";v="99"' - sec-ch-ua-mobile: - - "?0" - sec-ch-ua-platform: - - '"macOS"' - sec-fetch-dest: - - "document" - sec-fetch-mode: - - "navigate" - sec-fetch-site: - - "same-origin" - sec-fetch-user: - - "?1" - upgrade-insecure-requests: - - "1" - user-agent: - - "Mozilla/5.0 (Macintosh; Intel Mac OS 
X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36" - method: "GET" - parameters: - lastName: - - "contrast-redacted-name" - protocol: "http" - protocolVersion: "1.1" - queryString: "lastName=contrast-redacted-name" - result: "exploited" - rule: "sql-injection" - ruleUuid: "ssjs-injection" - server: - id: "27958" - name: "Petclinic-thib" - severity: "critical" - sourceIp: "7.7.7.7.7.8" - uiUrl: "https://teamserver-scantest.contsec.com/Contrast/static/ng/index.html#/203ae021-7e10-4356-ad6e-0c4b94d8511e/attack-events/1678918a-103f-4030-a416-3b8766e47e19?groupBy=&dateRange-type=CUSTOM_DATE_RANGE&dateRange-startDate=1747217573585&dateRange-endDate=1747217693585&applicationId=08f46d44-b7da-4978-b903-fcce249f457a" - url: "/customers" - vectorAnalysis: - callLocation: "org.springframework.samples.petclinic.customer.CustomerRepository.findByLastName(CustomerRepository.java:31)" - vectorFields: - query: "SELECT DISTINCT * FROM customers WHERE customers.last_name LIKE '%' or 1=1; # antwerp%'" - ruleUuid: "sql-injection" - version: "6.14.0" - message: |- - { - "severity" : "critical", - "detectedTime" : "1760339848000", - "server" : { - "name" : "Petclinic-thib", - "id" : "27958" - }, - "request" : { - "headers" : { - "Cookie" : [ "JSESSIONID=EB2C548D2789AEFB92E843E958D2410E" ], - "sec-fetch-mode" : [ "navigate" ], - "referer" : [ "http://localhost:8080/customers/find" ], - "sec-fetch-site" : [ "same-origin" ], - "accept-language" : [ "en-GB,en-US;q=0.9,en;q=0.8" ], - "sec-fetch-user" : [ "?1" ], - "accept" : [ "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7" ], - "sec-ch-ua" : [ "\"Chromium\";v=\"136\", \"Google Chrome\";v=\"136\", \"Not.A/Brand\";v=\"99\"" ], - "sec-ch-ua-mobile" : [ "?0" ], - "sec-ch-ua-platform" : [ "\"macOS\"" ], - "host" : [ "localhost:8080" ], - "upgrade-insecure-requests" : [ "1" ], - "connection" : [ "keep-alive" ], - 
"accept-encoding" : [ "gzip, deflate, br, zstd" ], - "sec-fetch-dest" : [ "document" ], - "user-agent" : [ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36" ] - }, - "protocol" : "http", - "method" : "GET", - "protocolVersion" : "1.1", - "queryString" : "lastName=contrast-redacted-name", - "parameters" : { - "lastName" : [ "contrast-redacted-name" ] - } - }, - "vectorAnalysis" : { - "vectorFields" : { - "ruleUuid" : "sql-injection", - "query" : "SELECT DISTINCT * FROM customers WHERE customers.last_name LIKE '%' or 1=1; # antwerp%'" - }, - "callLocation" : "org.springframework.samples.petclinic.customer.CustomerRepository.findByLastName(CustomerRepository.java:31)" - }, - "attackPayload" : { - "attackerInput" : { - "confirmedAttack" : false, - "documentType" : "NORMAL", - "effectiveAttack" : false, - "name" : "lastName", - "applicableAttack" : false, - "inputType" : "PARAMETER_VALUE", - "patternsMatched" : [ "PIDS-SQLI-42A,PIDS-SQLI-44C,TRUING_STRING_INJ,PIDS-SQLI-4001" ], - "documentPath" : "/abc" - }, - "value" : "' or 1=1; # antwerp", - "url" : "/owner" - }, - "rule" : "sql-injection", - "eventUuid" : "1678918a-103f-4030-a416-3b8766e47e19", - "productName" : "ContrastADR", - "url" : "/customers", - "result" : "exploited", - "environment" : "production", - "organizationUuid" : "203ae021-7e10-4356-ad6e-0c4b94d8511e", - "incident_id" : "INC-2025-c51", - "apiUri" : "/api/v4/organizations/203ae021-7e10-4356-ad6e-0c4b94d8511e/applications/08f46d44-b7da-4978-b903-fcce249f457a/attack-events/1678918a-103f-4030-a416-3b8766e47e19", - "mitreTactics" : [ { - "id" : "TA0001", - "url" : "https://attack.mitre.org/tactics/TA0001/" - }, { - "id" : "TA0002", - "url" : "https://attack.mitre.org/tactics/TA0002/" - }, { - "id" : "TA0003", - "url" : "https://attack.mitre.org/tactics/TA0003/" - }, { - "id" : "TA0004", - "url" : "https://attack.mitre.org/tactics/TA0004/" - }, { - "id" : "TA0005", - "url" : 
"https://attack.mitre.org/tactics/TA0005/" - }, { - "id" : "TA0006", - "url" : "https://attack.mitre.org/tactics/TA0006/" - }, { - "id" : "TA0007", - "url" : "https://attack.mitre.org/tactics/TA0007/" - }, { - "id" : "TA0009", - "url" : "https://attack.mitre.org/tactics/TA0009/" - }, { - "id" : "TA0010", - "url" : "https://attack.mitre.org/tactics/TA0010/" - } ], - "application" : { - "name" : "Web-Application-thib", - "agentLanguage" : "java", - "id" : "08f46d44-b7da-4978-b903-fcce249f457a" - }, - "sourceIp" : "7.7.7.7.7.8", - "codeLocation" : { - "stack" : [ { - "fileName" : "HikariProxyStatement.java", - "shortSummary" : "executeQuery() @ HikariProxyStatement.java:-1", - "description" : "com.zaxxer.hikari.pool.HikariProxyStatement.executeQuery(HikariProxyStatement.java:-1)", - "methodName" : "executeQuery", - "className" : "com.zaxxer.hikari.pool.HikariProxyStatement", - "type" : "frameSink", - "lineNumber" : -1 - }, { - "fileName" : "ObservationFilterChainDecorator.java", - "shortSummary" : "wrapFilter() @ ObservationFilterChainDecorator.java:240", - "description" : "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)", - "methodName" : "wrapFilter", - "className" : "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter", - "type" : "frameCommon", - "lineNumber" : 240 - }, { - "fileName" : "ObservationFilterChainDecorator.java", - "shortSummary" : "doFilter() @ ObservationFilterChainDecorator.java:227", - "description" : "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)", - "methodName" : "doFilter", - "className" : "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter", - "type" : "frameCommon", - "lineNumber" : 227 - } ], - "file" : "HikariProxyStatement.java", - "method" : "executeQuery()" - }, - "ruleUuid" : "ssjs-injection", - 
"cloudProvider" : "UNKNOWN", - "host" : { - "runtimeVersion" : "OpenJDK Runtime Environment 17.0.14+7", - "hostname" : "bb8989bc", - "runtimePath" : "/opt/java/openjdk/bin/java", - "isDocker" : true, - "operatingSystem" : "Linux 6.10.14-linuxkit aarch64" - }, - "agentVersion" : "6.14.0", - "uiUrl" : "https://teamserver-scantest.contsec.com/Contrast/static/ng/index.html#/203ae021-7e10-4356-ad6e-0c4b94d8511e/attack-events/1678918a-103f-4030-a416-3b8766e47e19?groupBy=&dateRange-type=CUSTOM_DATE_RANGE&dateRange-startDate=1747217573585&dateRange-endDate=1747217693585&applicationId=08f46d44-b7da-4978-b903-fcce249f457a" - } - status: "critical" - tags: - - "source:LOGS_SOURCE" - timestamp: 1 - - sample: |- + tags: + - "source:LOGS_SOURCE" + - + sample: |- + { + "severity" : "Critical", + "summary" : " observed the following suspicious value accessing the application through the HTTP Request Parameter query cat /etc/passwd", + "alertType" : "incident_created", + "alertReason" : "Incident Created", + "source" : "security", + "eventType" : "incidentalert", + "recommendedRunbooks" : [ "https://dev/adr-runbooks/runbooks/path-traversal/" ], + "url" : "https://apptwo.com/cs/index.html#/0f767995-4882-4c7c-889f-994d945ff0d5/incidents/INC-2025-6", + "relatedRules" : [ "path-traversal" ], + "score" : 9.3, + "organizationUuid" : "0f767995-4882-4c7c-889f-994d945ff0d5", + "createdTime" : "2025-10-08T12:22:23.0000Z", + "recommendedActions" : [ "We did not block this attack because blocking was not enabled for DM-ADR-Web-Application in Production.", "Add an exclusion for this attack event." 
], + "incidentId" : "INC-2025-c11", + "incidentName" : "Path Traversal on \"/postjsoncmd\"", + "status" : "Open", + "timestamp" : "2025-10-08T12:08:22.0000Z" + } + result: + custom: + alertReason: "Incident Created" + alertType: "incident_created" + createdTime: "2025-10-08T12:22:23.0000Z" + eventType: "incidentalert" + incidentId: "INC-2025-c11" + incidentName: "Path Traversal on \"/postjsoncmd\"" + organizationUuid: "0f767995-4882-4c7c-889f-994d945ff0d5" + recommendedActions: + - "We did not block this attack because blocking was not enabled for DM-ADR-Web-Application in Production." + - "Add an exclusion for this attack event." + recommendedRunbooks: + - "https://dev/adr-runbooks/runbooks/path-traversal/" + relatedRules: + - "path-traversal" + score: 9.3 + severity: "Critical" + source: "security" + status: "Open" + summary: " observed the following suspicious value accessing the application through the HTTP Request Parameter query cat /etc/passwd" + timestamp: "2025-10-08T12:08:22.0000Z" + url: "https://apptwo.com/cs/index.html#/0f767995-4882-4c7c-889f-994d945ff0d5/incidents/INC-2025-6" + message: |- { "severity" : "Critical", "summary" : " observed the following suspicious value accessing the application through the HTTP Request Parameter query cat /etc/passwd", 
@@ -497,56 +493,5 @@ tests:
 "status" : "Open",
 "timestamp" : "2025-10-08T12:08:22.0000Z"
 }
- result:
- custom:
- alertReason: "Incident Created"
- alertType: "incident_created"
- createdTime: "2025-10-08T12:22:23.0000Z"
- date: "2025-10-08T12:22:23.0000Z"
- eventType: "incidentalert"
- incidentId: "INC-2025-c11"
- incidentName: 'Path Traversal on "/postjsoncmd"'
- organizationUuid: "0f767995-4882-4c7c-889f-994d945ff0d5"
- recommendedActions:
- - "We did not block this attack because blocking was not enabled for DM-ADR-Web-Application in Production."
- - "Add an exclusion for this attack event."
- recommendedRunbooks:
- - "https://dev/adr-runbooks/runbooks/path-traversal/"
- relatedRules:
- - "path-traversal"
- resource:
- type: "incidentalert"
- url: "https://apptwo.com/cs/index.html#/0f767995-4882-4c7c-889f-994d945ff0d5/incidents/INC-2025-6"
- score: 9.3
- severity: "Critical"
- source: "security"
- status: "Open"
- summary: " observed the following suspicious value accessing the application through the HTTP Request Parameter query cat /etc/passwd"
- syslog:
- severity: 9.3
- timestamp: "2025-10-08T12:08:22.0000Z"
- url: "https://apptwo.com/cs/index.html#/0f767995-4882-4c7c-889f-994d945ff0d5/incidents/INC-2025-6"
- message: |-
- {
- "severity" : "Critical",
- "summary" : " observed the following suspicious value accessing the application through the HTTP Request Parameter query cat /etc/passwd",
- "alertType" : "incident_created",
- "alertReason" : "Incident Created",
- "source" : "security",
- "eventType" : "incidentalert",
- "recommendedRunbooks" : [ "https://dev/adr-runbooks/runbooks/path-traversal/" ],
- "url" : "https://apptwo.com/cs/index.html#/0f767995-4882-4c7c-889f-994d945ff0d5/incidents/INC-2025-6",
- "relatedRules" : [ "path-traversal" ],
- "score" : 9.3,
- "organizationUuid" : "0f767995-4882-4c7c-889f-994d945ff0d5",
- "createdTime" : "2025-10-08T12:22:23.0000Z",
- "recommendedActions" : [ "We did not block this attack because blocking was not enabled
for DM-ADR-Web-Application in Production.", "Add an exclusion for this attack event." ],
- "incidentId" : "INC-2025-c11",
- "incidentName" : "Path Traversal on \"/postjsoncmd\"",
- "status" : "Open",
- "timestamp" : "2025-10-08T12:08:22.0000Z"
- }
- status: "critical"
- tags:
- - "source:LOGS_SOURCE"
- timestamp: 1759926143000
+ tags:
+ - "source:LOGS_SOURCE"
diff --git a/contrast_security_adr/assets/security/confirmed_dlp_event_received_from_contrast_adr.json b/contrast_security_adr/assets/security/confirmed_dlp_event_received_from_contrast_adr.json
index d8d17c9ac7..47b3c0c3c0 100644
--- a/contrast_security_adr/assets/security/confirmed_dlp_event_received_from_contrast_adr.json
+++ b/contrast_security_adr/assets/security/confirmed_dlp_event_received_from_contrast_adr.json
@@ -1,6 +1,6 @@
 {
 "name": "Confirmed DLP event received from Contrast ADR",
- "partnerRuleId": "ext-00w-f8n",
+ "partnerRuleId": "ext-00q-86x",
 "message": "### Summary:\nDLP Alert Confirmed {{@evt.outcome}} by Contrast ADR on {{@url}} endpoint of {{@application.name}}\n\n#### sub-query/drill-down searches:\n list of matching alerts and events from both sources for the same source ip, target ip address\n \n### Actions:\n\n View recommended actions at https://contrastsecurity.dev/adr-runbooks/runbooks/{{@rule}}\n\nView in Contrast Security ADR: {{@uiUrl}}",
 "createdAt": 1749466228666,
 "isDefault": false,
@@ -46,9 +46,7 @@
 "condition": "a > 0 && b > 0"
 }
 ],
- "tags": [
- "source:contrast-security-adr"
- ],
+ "tags": [],
 "hasExtendedTitle": true,
 "type": "log_detection",
 "filters": [],
diff --git a/contrast_security_adr/assets/security/confirmed_waf_alert_received_from_contrast_adr.json b/contrast_security_adr/assets/security/confirmed_waf_alert_received_from_contrast_adr.json
index c69eae340f..a91977f815 100644
--- a/contrast_security_adr/assets/security/confirmed_waf_alert_received_from_contrast_adr.json
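Review bot: `"tags": []` in `@@ -46,9 +46,7 @@` drops `source:contrast-security-adr`, which was the only tag on this detection rule, and the identical edit is made in confirmed_waf_alert_received_from_contrast_adr.json, exploited_attack_event_received_from_contrast_adr.json, exploited_attack_event_received_from_contrast_adr_in_production.json and incident_event_received_from_contrast_adr.json. Anything that selects these rules' signals by that tag — saved views, notification rules, suppressions — silently loses them, and the commit message gives no reason for the removal; if the tag is no longer wanted, saying so in the description (or keeping `"tags": ["source:contrast-security-adr"]`) would make the intent reviewable. The `partnerRuleId` rewrite in `@@ -1,6 +1,6 @@` (`ext-00w-f8n` → `ext-00q-86x`, with new ids in the other four files as well) presumably comes from the publishing platform, but any exclusion or suppression keyed on the previous ids would need updating — worth confirming before this ships.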
+++ b/contrast_security_adr/assets/security/confirmed_waf_alert_received_from_contrast_adr.json
@@ -1,6 +1,6 @@
 {
 "name": "Confirmed WAF alert received from Contrast ADR",
- "partnerRuleId": "ext-00g-gwc",
+ "partnerRuleId": "ext-00p-vp8",
 "message": "### Summary:\nWAF Alert Confirmed {{@evt.outcome}} by Contrast ADR on {{@url}} endpoint of {{@application.name}}\n\n#### sub-query/drill-down searches:\n list of matching alerts and events from both sources for the same source ip, target ip address\n \n### Actions:\n\n View recommended actions at https://contrastsecurity.dev/adr-runbooks/runbooks/{{@rule}}\n\nView in Contrast Security ADR: {{@uiUrl}}",
 "createdAt": 1747814166967,
 "isDefault": false,
@@ -46,9 +46,7 @@
 "condition": "a > 0 && b > 0"
 }
 ],
- "tags": [
- "source:contrast-security-adr"
- ],
+ "tags": [],
 "hasExtendedTitle": true,
 "type": "log_detection",
 "filters": [],
diff --git a/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr.json b/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr.json
index 9249754347..d784050225 100644
--- a/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr.json
+++ b/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr.json
@@ -1,6 +1,6 @@
 {
 "name": "Exploited attack event received from Contrast ADR",
- "partnerRuleId": "ext-00r-ric",
+ "partnerRuleId": "ext-00p-fph",
 "message": "### Summary:\n{{@evt.outcome}} {{@rule}} from {{@source}} using {{@request.method}} on {{@url}} endpoint of {{@application.name}}\n\n### Actions:\n\n View recommended actions at https://contrastsecurity.dev/adr-runbooks/runbooks/{{@rule}}\n\nView in Contrast Security ADR: {{@uiUrl}}\n",
 "createdAt": 1747806810257,
 "isDefault": false,
@@ -33,9 +33,7 @@
 "condition": "a > 0"
 }
 ],
- "tags": [
- "source:contrast-security-adr"
- ],
+ "tags": [],
 "hasExtendedTitle": true,
 "type": "log_detection",
 "filters": [],
diff --git a/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr_in_production.json b/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr_in_production.json
index 22c1a4fd0f..1e3dc1ed85 100644
--- a/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr_in_production.json
+++ b/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr_in_production.json
@@ -1,6 +1,6 @@
 {
 "name": "Exploited attack event received from Contrast ADR in production",
- "partnerRuleId": "ext-00s-qxr",
+ "partnerRuleId": "ext-00q-ds5",
 "message": "### Summary:\n{{@evt.outcome}} {{@rule}} from {{@source}} using {{@request.method}} on {{@url}} endpoint of {{@application.name}}\n\n### Actions:\n\n View recommended actions at https://contrastsecurity.dev/adr-runbooks/runbooks/{{@rule}}\n\nView in Contrast Security ADR: {{@uiUrl}}\n",
 "createdAt": 1747809240984,
 "isDefault": false,
@@ -35,9 +35,7 @@
 "condition": "a > 0"
 }
 ],
- "tags": [
- "source:contrast-security-adr"
- ],
+ "tags": [],
 "hasExtendedTitle": true,
 "type": "log_detection",
 "filters": [],
diff --git a/contrast_security_adr/assets/security/incident_event_received_from_contrast_adr.json b/contrast_security_adr/assets/security/incident_event_received_from_contrast_adr.json
index 729deff25e..a0a99b192b 100644
--- a/contrast_security_adr/assets/security/incident_event_received_from_contrast_adr.json
+++ b/contrast_security_adr/assets/security/incident_event_received_from_contrast_adr.json
@@ -1,6 +1,6 @@
 {
 "name": "Incident event received from Contrast ADR",
- "partnerRuleId": "ext-00o-ysa",
+ "partnerRuleId": "ext-00f-5uk",
 "message": "### Summary:\n### sub-query/drill-down searches:\nsource=\"Contrast\" AND organizationId = {{@organizationUuid}} AND incidentId = {{@incidentId}}\n### Actions:\nView recommended runbook at {{@recommendedRunbooks}}\nView in Contrast Security ADR: {{@url}}\n",
 "createdAt": 1747811769280,
 "isDefault": false,
@@ -35,9 +35,7 @@
 "condition": "a > 0"
 }
 ],
- "tags": [
- "source:contrast-security-adr"
- ],
+ "tags": [],
 "hasExtendedTitle": true,
 "type": "log_detection",
 "filters": [],
diff --git a/contrast_security_adr/manifest.json b/contrast_security_adr/manifest.json
index 375d04c69f..52af502dde 100644
--- a/contrast_security_adr/manifest.json
+++ b/contrast_security_adr/manifest.json
@@ -1,6 +1,5 @@
 {
 "app_id": "contrast-security-adr",
- "owner": "integrations-developer-platform",
 "app_uuid": "01967c4b-c618-7f2d-9af8-db3506afd1b5",
 "manifest_version": "2.0.0",
 "display_on_public_website": true,
From 4c63306140eee44cd415571f4b52e0b83c1c59eb Mon Sep 17 00:00:00 2001
From: "dd-pub-platform[bot]" <157534740+dd-pub-platform[bot]@users.noreply.github.com>
Date: Tue, 2 Dec 2025 13:23:30 +0000
Subject: [PATCH 2/8] Update Contrast Security ADR integration
---
 .../dashboards/contrast_security_adr.json | 2 +-
 .../assets/logs/contrast-security-adr.yaml | 15 +++
 .../logs/contrast-security-adr_tests.yaml | 111 +++++++++---------
 ..._dlp_event_received_from_contrast_adr.json | 14 +--
 ..._waf_alert_received_from_contrast_adr.json | 20 ++--
 ...ck_event_received_from_contrast_adr_.json} | 14 +--
 ...eived_from_contrast_adr_in_production.json | 32 +++--
 ...dent_event_received_from_contrast_adr.json | 16 +--
 8 files changed, 121 insertions(+), 103 deletions(-)
 rename contrast_security_adr/assets/security/{exploited_attack_event_received_from_contrast_adr.json => exploited_attack_event_received_from_contrast_adr_.json} (84%)
diff --git a/contrast_security_adr/assets/dashboards/contrast_security_adr.json b/contrast_security_adr/assets/dashboards/contrast_security_adr.json index 99a7dd3c65..757cc05cb0 100644 --- a/contrast_security_adr/assets/dashboards/contrast_security_adr.json +++ b/contrast_security_adr/assets/dashboards/contrast_security_adr.json @@ -286,7 +286,7 @@ ], "response_format": "scalar", "sort": { - "count": 100, + "count": 10, "order_by": [ { "type": "formula", diff --git a/contrast_security_adr/assets/logs/contrast-security-adr.yaml b/contrast_security_adr/assets/logs/contrast-security-adr.yaml index 948f63b3f5..4c72f040fc 100644 --- a/contrast_security_adr/assets/logs/contrast-security-adr.yaml +++ b/contrast_security_adr/assets/logs/contrast-security-adr.yaml @@ -46,6 +46,11 @@ facets: name: Event Name path: evt.name source: log + - groups: + - Web Access + name: OS + path: http.useragent_details.os.family + source: log - description: "" facetType: list groups: @@ -280,6 +285,16 @@ pipeline: targetType: attribute preserveSource: true overrideOnConflict: false + - type: attribute-remapper + name: Map `host.operatingSystem` to `http.useragent_details.os.family` + enabled: true + sources: + - host.operatingSystem + sourceType: attribute + target: http.useragent_details.os.family + targetType: attribute + preserveSource: true + overrideOnConflict: false - type: status-remapper name: " Map `severity` to `status`" enabled: true diff --git a/contrast_security_adr/assets/logs/contrast-security-adr_tests.yaml b/contrast_security_adr/assets/logs/contrast-security-adr_tests.yaml index 05af3031f4..dc96cf7381 100644 --- a/contrast_security_adr/assets/logs/contrast-security-adr_tests.yaml +++ b/contrast_security_adr/assets/logs/contrast-security-adr_tests.yaml @@ -4,7 +4,7 @@ tests: sample: |- { "severity" : "critical", - "detectedTime" : "1760339848000", + "detectedTime" : "1764161753000", "server" : { "name" : "Petclinic-thib", "id" : "27958" 
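Review bot: The OS facet added in the `@@ -46,6 +46,11 @@` hunk will show the application server's operating system rather than the client's, because the remapper in the `@@ -280,6 +285,16 @@` hunk copies `host.operatingSystem` into `http.useragent_details.os.family`, which is the attribute Datadog's user-agent parser fills from the request User-Agent. The fixture in patch 3 makes the mismatch visible: it expects `family: "Linux 6.10.14-linuxkit aarch64"` for a request whose user-agent is a Macintosh browser. Because `overrideOnConflict: false`, the final value will also depend on whether a user-agent parser runs before or after this step, which the hunk does not show. A facet on `path: host.operatingSystem` (or a target outside the `http.useragent_details` namespace) would keep the server and client OS apart.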
@@ -61,7 +61,7 @@ tests: "eventUuid" : "1678918a-103f-4030-a416-3b8766e47e19", "productName" : "ContrastADR", "url" : "/customers", - "result" : "exploited", + "result" : "BLOCKED", "environment" : "production", "organizationUuid" : "203ae021-7e10-4356-ad6e-0c4b94d8511e", "incident_id" : "INC-2025-c51", @@ -72,15 +72,6 @@ tests: }, { "id" : "TA0002", "url" : "https://attack.mitre.org/tactics/TA0002/" - }, { - "id" : "TA0003", - "url" : "https://attack.mitre.org/tactics/TA0003/" - }, { - "id" : "TA0004", - "url" : "https://attack.mitre.org/tactics/TA0004/" - }, { - "id" : "TA0005", - "url" : "https://attack.mitre.org/tactics/TA0005/" }, { "id" : "TA0006", "url" : "https://attack.mitre.org/tactics/TA0006/" @@ -99,16 +90,16 @@ tests: "agentLanguage" : "java", "id" : "08f46d44-b7da-4978-b903-fcce249f457a" }, - "sourceIp" : "7.7.7.7.7.8", + "sourceIp" : "7.7.7.7.7.10", "codeLocation" : { "stack" : [ { - "fileName" : "HikariProxyStatement.java", - "shortSummary" : "executeQuery() @ HikariProxyStatement.java:-1", - "description" : "com.zaxxer.hikari.pool.HikariProxyStatement.executeQuery(HikariProxyStatement.java:-1)", - "methodName" : "executeQuery", - "className" : "com.zaxxer.hikari.pool.HikariProxyStatement", - "type" : "frameSink", - "lineNumber" : -1 + "fileName" : "SecurityContextHolderAwareRequestFilter.java", + "shortSummary" : "doFilter() @ SecurityContextHolderAwareRequestFilter.java:179", + "description" : "org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179)", + "methodName" : "doFilter", + "className" : "org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter", + "type" : "frameCommon", + "lineNumber" : 179 }, { "fileName" : "ObservationFilterChainDecorator.java", "shortSummary" : "wrapFilter() @ ObservationFilterChainDecorator.java:240", 
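Review bot: `"sourceIp" : "7.7.7.7.7.10"` in the `@@ -99,16 +90,16 @@` hunk is not a syntactically valid IPv4 address (five dotted groups), so the fixture never exercises IP parsing or enrichment of the attribute the WAF rule groups by (`@sourceIp`), and patch 3 goes on to assert the same string under `network.host.ip`. The value is repeated in the `message` copy of the sample in the `@@ -385,16 +374,16 @@` hunk further down. A documentation-range address, for example `198.51.100.10` (a constructed sample from TEST-NET-2), would keep the sample synthetic while still letting the parser path be tested.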
@@ -125,6 +116,14 @@ tests: "className" : "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter", "type" : "frameCommon", "lineNumber" : 227 + }, { + "fileName" : "ObservationFilterChainDecorator.java", + "shortSummary" : "doFilter() @ ObservationFilterChainDecorator.java:137", + "description" : "org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)", + "methodName" : "doFilter", + "className" : "org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain", + "type" : "frameCommon", + "lineNumber" : 137 } ], "file" : "HikariProxyStatement.java", "method" : "executeQuery()" @@ -168,13 +167,13 @@ tests: method: "executeQuery()" stack: - - fileName: "HikariProxyStatement.java" - shortSummary: "executeQuery() @ HikariProxyStatement.java:-1" - description: "com.zaxxer.hikari.pool.HikariProxyStatement.executeQuery(HikariProxyStatement.java:-1)" - methodName: "executeQuery" - className: "com.zaxxer.hikari.pool.HikariProxyStatement" - type: "frameSink" - lineNumber: -1 + fileName: "SecurityContextHolderAwareRequestFilter.java" + shortSummary: "doFilter() @ SecurityContextHolderAwareRequestFilter.java:179" + description: "org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179)" + methodName: "doFilter" + className: "org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter" + type: "frameCommon" + lineNumber: 179 - fileName: "ObservationFilterChainDecorator.java" shortSummary: "wrapFilter() @ ObservationFilterChainDecorator.java:240" 
@@ -191,7 +190,15 @@ tests: className: "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter" type: "frameCommon" lineNumber: 227 - detectedTime: "1760339848000" + - + fileName: "ObservationFilterChainDecorator.java" + shortSummary: "doFilter() @ ObservationFilterChainDecorator.java:137" + description: "org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)" + methodName: "doFilter" + className: "org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain" + type: "frameCommon" + lineNumber: 137 + detectedTime: "1764161753000" environment: "production" eventUuid: "1678918a-103f-4030-a416-3b8766e47e19" host: @@ -208,15 +215,6 @@ tests: - id: "TA0002" url: "https://attack.mitre.org/tactics/TA0002/" - - - id: "TA0003" - url: "https://attack.mitre.org/tactics/TA0003/" - - - id: "TA0004" - url: "https://attack.mitre.org/tactics/TA0004/" - - - id: "TA0005" - url: "https://attack.mitre.org/tactics/TA0005/" - id: "TA0006" url: "https://attack.mitre.org/tactics/TA0006/" @@ -272,14 +270,14 @@ tests: protocol: "http" protocolVersion: "1.1" queryString: "lastName=contrast-redacted-name" - result: "exploited" + result: "BLOCKED" rule: "sql-injection" ruleUuid: "ssjs-injection" server: id: "27958" name: "Petclinic-thib" severity: "critical" - sourceIp: "7.7.7.7.7.8" + sourceIp: "7.7.7.7.7.10" uiUrl: "https://teamserver-scantest.contsec.com/Contrast/static/ng/index.html#/203ae021-7e10-4356-ad6e-0c4b94d8511e/attack-events/1678918a-103f-4030-a416-3b8766e47e19?groupBy=&dateRange-type=CUSTOM_DATE_RANGE&dateRange-startDate=1747217573585&dateRange-endDate=1747217693585&applicationId=08f46d44-b7da-4978-b903-fcce249f457a" url: "/customers" vectorAnalysis: @@ -290,7 +288,7 @@ tests: message: |- { "severity" : "critical", - "detectedTime" : "1760339848000", + "detectedTime" : "1764161753000", "server" : { "name" : "Petclinic-thib", "id" : "27958" 
@@ -347,7 +345,7 @@ tests: "eventUuid" : "1678918a-103f-4030-a416-3b8766e47e19", "productName" : "ContrastADR", "url" : "/customers", - "result" : "exploited", + "result" : "BLOCKED", "environment" : "production", "organizationUuid" : "203ae021-7e10-4356-ad6e-0c4b94d8511e", "incident_id" : "INC-2025-c51", @@ -358,15 +356,6 @@ tests: }, { "id" : "TA0002", "url" : "https://attack.mitre.org/tactics/TA0002/" - }, { - "id" : "TA0003", - "url" : "https://attack.mitre.org/tactics/TA0003/" - }, { - "id" : "TA0004", - "url" : "https://attack.mitre.org/tactics/TA0004/" - }, { - "id" : "TA0005", - "url" : "https://attack.mitre.org/tactics/TA0005/" }, { "id" : "TA0006", "url" : "https://attack.mitre.org/tactics/TA0006/" @@ -385,16 +374,16 @@ tests: "agentLanguage" : "java", "id" : "08f46d44-b7da-4978-b903-fcce249f457a" }, - "sourceIp" : "7.7.7.7.7.8", + "sourceIp" : "7.7.7.7.7.10", "codeLocation" : { "stack" : [ { - "fileName" : "HikariProxyStatement.java", - "shortSummary" : "executeQuery() @ HikariProxyStatement.java:-1", - "description" : "com.zaxxer.hikari.pool.HikariProxyStatement.executeQuery(HikariProxyStatement.java:-1)", - "methodName" : "executeQuery", - "className" : "com.zaxxer.hikari.pool.HikariProxyStatement", - "type" : "frameSink", - "lineNumber" : -1 + "fileName" : "SecurityContextHolderAwareRequestFilter.java", + "shortSummary" : "doFilter() @ SecurityContextHolderAwareRequestFilter.java:179", + "description" : "org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179)", + "methodName" : "doFilter", + "className" : "org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter", + "type" : "frameCommon", + "lineNumber" : 179 }, { "fileName" : "ObservationFilterChainDecorator.java", "shortSummary" : "wrapFilter() @ ObservationFilterChainDecorator.java:240", 
@@ -411,6 +400,14 @@ tests: "className" : "org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter", "type" : "frameCommon", "lineNumber" : 227 + }, { + "fileName" : "ObservationFilterChainDecorator.java", + "shortSummary" : "doFilter() @ ObservationFilterChainDecorator.java:137", + "description" : "org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)", + "methodName" : "doFilter", + "className" : "org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain", + "type" : "frameCommon", + "lineNumber" : 137 } ], "file" : "HikariProxyStatement.java", "method" : "executeQuery()" diff --git a/contrast_security_adr/assets/security/confirmed_dlp_event_received_from_contrast_adr.json b/contrast_security_adr/assets/security/confirmed_dlp_event_received_from_contrast_adr.json index 47b3c0c3c0..bd372c4f1d 100644 --- a/contrast_security_adr/assets/security/confirmed_dlp_event_received_from_contrast_adr.json +++ b/contrast_security_adr/assets/security/confirmed_dlp_event_received_from_contrast_adr.json 
@@ -1,7 +1,7 @@
 {
 "name": "Confirmed DLP event received from Contrast ADR",
- "partnerRuleId": "ext-00q-86x",
- "message": "### Summary:\nDLP Alert Confirmed {{@evt.outcome}} by Contrast ADR on {{@url}} endpoint of {{@application.name}}\n\n#### sub-query/drill-down searches:\n list of matching alerts and events from both sources for the same source ip, target ip address\n \n### Actions:\n\n View recommended actions at https://contrastsecurity.dev/adr-runbooks/runbooks/{{@rule}}\n\nView in Contrast Security ADR: {{@uiUrl}}",
+ "partnerRuleId": "ext-00k-owy",
+ "message": "### Summary:\n\nConfirmed active SQL Injection by Contrast ADR on {{@url}} endpoint of {{@application.name}}\n \n### Actions:\n\n View recommended actions at https://contrastsecurity.dev/adr-runbooks/runbooks/{{@rule}}\n\nView in Contrast Security ADR: {{@uiUrl}}",
 "createdAt": 1749466228666,
 "isDefault": false,
 "isPartner": false,
@@ -50,9 +50,9 @@
 "hasExtendedTitle": true,
 "type": "log_detection",
 "filters": [],
- "version": 10,
+ "version": 22,
 "id": "xgy-cyz-hyl",
- "updatedAt": 1756385774972,
+ "updatedAt": 1764678410070,
 "blocking": false,
 "metadata": {
 "entities": [],
@@ -62,13 +62,13 @@
 ]
 },
 "creationAuthorId": 26956021,
- "updateAuthorId": 37357442,
+ "updateAuthorId": 64082222,
 "creator": {
 "handle": "pranav.kalariya@contrastsecurity.com",
 "name": "Pranav Kalariya"
 },
 "updater": {
- "handle": "pavan.kulkarni@contrastsecurity.com",
- "name": "Pavan Kulkarni"
+ "handle": "harsha.nagendra@contrastsecurity.com",
+ "name": "Harsha Nagendra"
 }
 }
\ No newline at end of file
diff --git a/contrast_security_adr/assets/security/confirmed_waf_alert_received_from_contrast_adr.json b/contrast_security_adr/assets/security/confirmed_waf_alert_received_from_contrast_adr.json
index a91977f815..8166f820d1 100644
--- a/contrast_security_adr/assets/security/confirmed_waf_alert_received_from_contrast_adr.json
+++ b/contrast_security_adr/assets/security/confirmed_waf_alert_received_from_contrast_adr.json
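Review bot: The summary of a rule named "Confirmed DLP event received from Contrast ADR" now reads "Confirmed active SQL Injection" for every signal it raises, regardless of the event's `rule` value, whereas the old text reported `{{@evt.outcome}}` generically. Unless the rule's query, which is outside this hunk, is restricted to sql-injection events, the title will be wrong for any other DLP-confirmed rule. `"message": "### Summary:\n\nConfirmed active {{@rule}} by Contrast ADR on {{@url}} endpoint of {{@application.name}} ..."` keeps the summary truthful and consistent with the sibling rules, which all interpolate `{{@rule}}`.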
@@ -1,7 +1,7 @@
 {
 "name": "Confirmed WAF alert received from Contrast ADR",
- "partnerRuleId": "ext-00p-vp8",
- "message": "### Summary:\nWAF Alert Confirmed {{@evt.outcome}} by Contrast ADR on {{@url}} endpoint of {{@application.name}}\n\n#### sub-query/drill-down searches:\n list of matching alerts and events from both sources for the same source ip, target ip address\n \n### Actions:\n\n View recommended actions at https://contrastsecurity.dev/adr-runbooks/runbooks/{{@rule}}\n\nView in Contrast Security ADR: {{@uiUrl}}",
+ "partnerRuleId": "ext-00p-qi7",
+ "message": "### Summary:\nWAF Alert Confirmed {{@result}} by Contrast ADR on {{@url}} endpoint of {{@application.name}}\n \n### Actions:\n\n View recommended actions at https://contrastsecurity.dev/adr-runbooks/runbooks/{{@rule}}\n\nView in Contrast Security ADR: {{@uiUrl}}",
 "createdAt": 1747814166967,
 "isDefault": false,
 "isPartner": false,
@@ -10,7 +10,7 @@
 "isDeprecated": false,
 "queries": [
 {
- "query": "source:contrast-security-adr tags:attack_event @result:(EXPLOITED OR exploited OR BLOCKED OR blocked) service:ContrastADR",
+ "query": "source:contrast-security-adr tags:attack_event @result:((EXPLOITED OR exploited) OR (BLOCKED OR blocked)) service:ContrastADR",
 "groupByFields": [
 "@sourceIp"
 ],
@@ -33,7 +33,7 @@
 }
 ],
 "options": {
- "evaluationWindow": 900,
+ "evaluationWindow": 300,
 "detectionMethod": "threshold",
 "maxSignalDuration": 86400,
 "keepAlive": 3600
@@ -43,16 +43,16 @@
 "name": "Condition 1",
 "status": "info",
 "notifications": [],
- "condition": "a > 0 && b > 0"
+ "condition": "b > 0 && a > 0 "
 }
 ],
 "tags": [],
 "hasExtendedTitle": true,
 "type": "log_detection",
 "filters": [],
- "version": 16,
+ "version": 37,
 "id": "lrk-h3m-hto",
- "updatedAt": 1758182774632,
+ "updatedAt": 1764678406973,
 "blocking": false,
 "metadata": {
 "entities": [],
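Review bot: `{{@result}}` in the new summary diverges from the `{{@evt.outcome}}` that the exploited-attack, in-production and DLP rules still use; the fixture in patch 3 expects both `result` and `evt.outcome` to be `"BLOCKED"`, so either works, but one template attribute across the rule set is easier to maintain. In the `@@ -43,16 +43,16 @@` hunk the condition gains a trailing space, `"b > 0 && a > 0 "`, and the query rewrite to `((EXPLOITED OR exploited) OR (BLOCKED OR blocked))` is logically identical to the previous flat OR, so both read as export noise rather than intended changes. `"condition": "a > 0 && b > 0"` and the original query would avoid a spurious diff on the next export.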
@@ -62,13 +62,13 @@
 ]
 },
 "creationAuthorId": 22452697,
- "updateAuthorId": 21357583,
+ "updateAuthorId": 64082222,
 "creator": {
 "handle": "pragati.gupta@contrastsecurity.com",
 "name": "Pragati Gupta"
 },
 "updater": {
- "handle": "thibault.barillon@contrastsecurity.com",
- "name": "Thibault Barillon"
+ "handle": "harsha.nagendra@contrastsecurity.com",
+ "name": "Harsha Nagendra"
 }
 }
\ No newline at end of file
diff --git a/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr.json b/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr_.json
similarity index 84%
rename from contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr.json
rename to contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr_.json
index d784050225..05c935bebf 100644
--- a/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr.json
+++ b/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr_.json
@@ -1,6 +1,6 @@
 {
- "name": "Exploited attack event received from Contrast ADR",
- "partnerRuleId": "ext-00p-fph",
+ "name": "Exploited attack event received from Contrast ADR ",
+ "partnerRuleId": "ext-00h-brz",
 "message": "### Summary:\n{{@evt.outcome}} {{@rule}} from {{@source}} using {{@request.method}} on {{@url}} endpoint of {{@application.name}}\n\n### Actions:\n\n View recommended actions at https://contrastsecurity.dev/adr-runbooks/runbooks/{{@rule}}\n\nView in Contrast Security ADR: {{@uiUrl}}\n",
 "createdAt": 1747806810257,
 "isDefault": false,
@@ -37,9 +37,9 @@
 "hasExtendedTitle": true,
 "type": "log_detection",
 "filters": [],
- "version": 13,
+ "version": 21,
 "id": "ohm-81g-zoc",
- "updatedAt": 1758182776864,
+ "updatedAt": 1764678413790,
 "blocking": false,
 "metadata": {
 "entities": [],
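Review bot: A trailing underscore in the renamed file (`..._from_contrast_adr_.json`) and a trailing space in the new rule name, `"Exploited attack event received from Contrast ADR "`, in the `@@ -1,6 +1,6 @@` hunk look like an accidental keystroke rather than a deliberate change. Whitespace at the end of `name` is invisible in the UI but can break exact-match lookups and any de-duplication by name against the in-production sibling rule. Restoring `"name": "Exploited attack event received from Contrast ADR"` and the original filename keeps the asset consistent with the other four rule files.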
@@ -48,13 +48,13 @@
 ]
 },
 "creationAuthorId": 22452697,
- "updateAuthorId": 21357583,
+ "updateAuthorId": 64082222,
 "creator": {
 "handle": "pragati.gupta@contrastsecurity.com",
 "name": "Pragati Gupta"
 },
 "updater": {
- "handle": "thibault.barillon@contrastsecurity.com",
- "name": "Thibault Barillon"
+ "handle": "harsha.nagendra@contrastsecurity.com",
+ "name": "Harsha Nagendra"
 }
 }
\ No newline at end of file
diff --git a/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr_in_production.json b/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr_in_production.json
index 1e3dc1ed85..4ba36dc04b 100644
--- a/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr_in_production.json
+++ b/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr_in_production.json
@@ -1,10 +1,11 @@
 {
 "name": "Exploited attack event received from Contrast ADR in production",
- "partnerRuleId": "ext-00q-ds5",
+ "partnerRuleId": "ext-00u-wbm",
 "message": "### Summary:\n{{@evt.outcome}} {{@rule}} from {{@source}} using {{@request.method}} on {{@url}} endpoint of {{@application.name}}\n\n### Actions:\n\n View recommended actions at https://contrastsecurity.dev/adr-runbooks/runbooks/{{@rule}}\n\nView in Contrast Security ADR: {{@uiUrl}}\n",
- "createdAt": 1747809240984,
+ "customName": "Exploited attack event received from Contrast ADR in production Partner",
+ "createdAt": 1756412539694,
 "isDefault": false,
- "isPartner": false,
+ "isPartner": true,
 "isBeta": false,
 "isDeleted": false,
 "isDeprecated": false,
@@ -35,28 +36,33 @@
 "condition": "a > 0"
 }
 ],
- "tags": [],
+ "tags": [
+ "source:contrast-security-adr"
+ ],
 "hasExtendedTitle": true,
 "type": "log_detection",
 "filters": [],
- "version": 10,
- "id": "fa5-t5j-cdb",
- "updatedAt": 1758182776144,
+ "defaultTags": [
+ "source:contrast-security-adr"
+ ],
+ "version": 11,
+ "id": "ext-00s-qxr",
+ "updatedAt": 1764680591982,
 "blocking": false,
+ "partnerIntegrationId": "contrast-security-adr",
 "metadata": {
 "entities": [],
 "sources": [
 "contrast-security-adr"
 ]
 },
- "creationAuthorId": 22452697,
- "updateAuthorId": 21357583,
+ "updateAuthorId": 63957669,
 "creator": {
- "handle": "pragati.gupta@contrastsecurity.com",
- "name": "Pragati Gupta"
+ "handle": "",
+ "name": ""
 },
 "updater": {
- "handle": "thibault.barillon@contrastsecurity.com",
- "name": "Thibault Barillon"
+ "handle": "deepak.gopal@contrastsecurity.com",
+ "name": "Deepak Gopal"
 }
 }
\ No newline at end of file
diff --git a/contrast_security_adr/assets/security/incident_event_received_from_contrast_adr.json b/contrast_security_adr/assets/security/incident_event_received_from_contrast_adr.json
index a0a99b192b..a8e38c5e54 100644
--- a/contrast_security_adr/assets/security/incident_event_received_from_contrast_adr.json
+++ b/contrast_security_adr/assets/security/incident_event_received_from_contrast_adr.json
@@ -1,7 +1,7 @@
 {
 "name": "Incident event received from Contrast ADR",
- "partnerRuleId": "ext-00f-5uk",
- "message": "### Summary:\n### sub-query/drill-down searches:\nsource=\"Contrast\" AND organizationId = {{@organizationUuid}} AND incidentId = {{@incidentId}}\n### Actions:\nView recommended runbook at {{@recommendedRunbooks}}\nView in Contrast Security ADR: {{@url}}\n",
+ "partnerRuleId": "ext-00e-mur",
+ "message": "### Summary:\n\n{{@summary}}\n\n### Actions:\nView recommended runbook at {{@recommendedRunbooks}}\nView in Contrast Security ADR: {{@url}}\n",
 "createdAt": 1747811769280,
 "isDefault": false,
 "isPartner": false,
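Review bot: After the `@@ -35,28 +36,33 @@` hunk the in-production rule is the only one of the five whose `id` is a partner-style value (`"id": "ext-00s-qxr"`, which patch 7 then also assigns to `partnerRuleId`), whose `creator` block is emptied to `"handle": ""` / `"name": ""`, and whose `creationAuthorId` is dropped, while the sibling rules keep opaque ids and full author blocks. An empty string is a different shape from an absent key; if the exported partner rule has no creator, omitting the `creator` object is clearer than two empty strings. It is worth confirming that only this file was meant to be exported as a partner rule (`isPartner: true`, `partnerIntegrationId`) while the other four stay `isPartner: false`, since the commit does not explain the asymmetry.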
@@ -22,7 +22,7 @@
 }
 ],
 "options": {
- "evaluationWindow": 900,
+ "evaluationWindow": 300,
 "detectionMethod": "threshold",
 "maxSignalDuration": 86400,
 "keepAlive": 3600
@@ -39,9 +39,9 @@
 "hasExtendedTitle": true,
 "type": "log_detection",
 "filters": [],
- "version": 11,
+ "version": 21,
 "id": "2bn-ro5-p8h",
- "updatedAt": 1758182775207,
+ "updatedAt": 1764678412990,
 "blocking": false,
 "metadata": {
 "entities": [],
@@ -50,13 +50,13 @@
 ]
 },
 "creationAuthorId": 22452697,
- "updateAuthorId": 21357583,
+ "updateAuthorId": 64082222,
 "creator": {
 "handle": "pragati.gupta@contrastsecurity.com",
 "name": "Pragati Gupta"
 },
 "updater": {
- "handle": "thibault.barillon@contrastsecurity.com",
- "name": "Thibault Barillon"
+ "handle": "harsha.nagendra@contrastsecurity.com",
+ "name": "Harsha Nagendra"
 }
 }
\ No newline at end of file
From c08c518fad2611fa4df76a484e8748608f65af8e Mon Sep 17 00:00:00 2001
From: london-wharton
Date: Thu, 4 Dec 2025 16:02:07 -0500
Subject: [PATCH 3/8] fix logs test file
---
 .../logs/contrast-security-adr_tests.yaml | 132 +++++++++---------
 1 file changed, 65 insertions(+), 67 deletions(-)
diff --git a/contrast_security_adr/assets/logs/contrast-security-adr_tests.yaml b/contrast_security_adr/assets/logs/contrast-security-adr_tests.yaml
index dc96cf7381..5cd6a71c57 100644
--- a/contrast_security_adr/assets/logs/contrast-security-adr_tests.yaml
+++ b/contrast_security_adr/assets/logs/contrast-security-adr_tests.yaml
@@ -1,4 +1,4 @@
-id: contrast-security-adr
+id: "contrast-security-adr"
 tests:
 -
 sample: |-
@@ -198,15 +198,72 @@ tests: className: "org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain" type: "frameCommon" lineNumber: 137 + contrast_adr: + incident_id: "INC-2025-c51" + date: "1764161753000" detectedTime: "1764161753000" environment: "production" eventUuid: "1678918a-103f-4030-a416-3b8766e47e19" + evt: + name: "sql-injection" + outcome: "BLOCKED" host: hostname: "bb8989bc" isDocker: true operatingSystem: "Linux 6.10.14-linuxkit aarch64" runtimePath: "/opt/java/openjdk/bin/java" runtimeVersion: "OpenJDK Runtime Environment 17.0.14+7" + http: + method: "GET" + referer: + - "http://localhost:8080/customers/find" + request: + headers: + Cookie: + - "JSESSIONID=EB2C548D2789AEFB92E843E958D2410E" + accept: + - "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7" + accept-encoding: + - "gzip, deflate, br, zstd" + accept-language: + - "en-GB,en-US;q=0.9,en;q=0.8" + connection: + - "keep-alive" + host: + - "localhost:8080" + referer: + - "http://localhost:8080/customers/find" + sec-ch-ua: + - "\"Chromium\";v=\"136\", \"Google Chrome\";v=\"136\", \"Not.A/Brand\";v=\"99\"" + sec-ch-ua-mobile: + - "?0" + sec-ch-ua-platform: + - "\"macOS\"" + sec-fetch-dest: + - "document" + sec-fetch-mode: + - "navigate" + sec-fetch-site: + - "same-origin" + sec-fetch-user: + - "?1" + upgrade-insecure-requests: + - "1" + user-agent: + - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36" + url_details: + host: + - "localhost:8080" + path: + path: "/api/v4/organizations/203ae021-7e10-4356-ad6e-0c4b94d8511e/applications/08f46d44-b7da-4978-b903-fcce249f457a/attack-events/1678918a-103f-4030-a416-3b8766e47e19" + queryString: "lastName=contrast-redacted-name" + scheme: "http" + user-agent: + - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 
Safari/537.36" + useragent_details: + os: + family: "Linux 6.10.14-linuxkit aarch64" + version: "1.1" incident_id: "INC-2025-c51" mitreTactics: - @@ -227,6 +284,10 @@ tests: - id: "TA0010" url: "https://attack.mitre.org/tactics/TA0010/" + network: + host: + ip: "7.7.7.7.7.10" + name: "bb8989bc" organizationUuid: "203ae021-7e10-4356-ad6e-0c4b94d8511e" productName: "ContrastADR" request: @@ -285,6 +346,7 @@ tests: vectorFields: query: "SELECT DISTINCT * FROM customers WHERE customers.last_name LIKE '%' or 1=1; # antwerp%'" ruleUuid: "sql-injection" + version: "6.14.0" message: |- { "severity" : "critical", 
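Review bot: The expected output keeps the raw `Cookie` header, `JSESSIONID=EB2C548D2789AEFB92E843E958D2410E`, under `http.request.headers`, so the pipeline (outside this hunk) indexes a live session identifier with every attack event; indexed cookie values persist for the log retention window and are searchable by anyone with log access. Unless the cookie is needed for investigation, a scrubber or attribute-remover step that masks `request.headers.Cookie` before the `http.*` mapping would keep the fixture realistic without persisting the token, with this expected block updated to the masked value. The `http.useragent_details.os.family` expectation of `"Linux 6.10.14-linuxkit aarch64"` for a Macintosh user-agent is the symptom of the remapper question raised on the pipeline change in patch 2.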
@@ -424,71 +486,7 @@ tests: "agentVersion" : "6.14.0", "uiUrl" : "https://teamserver-scantest.contsec.com/Contrast/static/ng/index.html#/203ae021-7e10-4356-ad6e-0c4b94d8511e/attack-events/1678918a-103f-4030-a416-3b8766e47e19?groupBy=&dateRange-type=CUSTOM_DATE_RANGE&dateRange-startDate=1747217573585&dateRange-endDate=1747217693585&applicationId=08f46d44-b7da-4978-b903-fcce249f457a" } + status: "critical" tags: - "source:LOGS_SOURCE" - - - sample: |- - { - "severity" : "Critical", - "summary" : " observed the following suspicious value accessing the application through the HTTP Request Parameter query cat /etc/passwd", - "alertType" : "incident_created", - "alertReason" : "Incident Created", - "source" : "security", - "eventType" : "incidentalert", - "recommendedRunbooks" : [ "https://dev/adr-runbooks/runbooks/path-traversal/" ], - "url" : "https://apptwo.com/cs/index.html#/0f767995-4882-4c7c-889f-994d945ff0d5/incidents/INC-2025-6", - "relatedRules" : [ "path-traversal" ], - "score" : 9.3, - "organizationUuid" : "0f767995-4882-4c7c-889f-994d945ff0d5", - "createdTime" : "2025-10-08T12:22:23.0000Z", - "recommendedActions" : [ "We did not block this attack because blocking was not enabled for DM-ADR-Web-Application in Production.", "Add an exclusion for this attack event." ], - "incidentId" : "INC-2025-c11", - "incidentName" : "Path Traversal on \"/postjsoncmd\"", - "status" : "Open", - "timestamp" : "2025-10-08T12:08:22.0000Z" - } - result: - custom: - alertReason: "Incident Created" - alertType: "incident_created" - createdTime: "2025-10-08T12:22:23.0000Z" - eventType: "incidentalert" - incidentId: "INC-2025-c11" - incidentName: "Path Traversal on \"/postjsoncmd\"" - organizationUuid: "0f767995-4882-4c7c-889f-994d945ff0d5" - recommendedActions: - - "We did not block this attack because blocking was not enabled for DM-ADR-Web-Application in Production." - - "Add an exclusion for this attack event." 
- recommendedRunbooks: - - "https://dev/adr-runbooks/runbooks/path-traversal/" - relatedRules: - - "path-traversal" - score: 9.3 - severity: "Critical" - source: "security" - status: "Open" - summary: " observed the following suspicious value accessing the application through the HTTP Request Parameter query cat /etc/passwd" - timestamp: "2025-10-08T12:08:22.0000Z" - url: "https://apptwo.com/cs/index.html#/0f767995-4882-4c7c-889f-994d945ff0d5/incidents/INC-2025-6" - message: |- - { - "severity" : "Critical", - "summary" : " observed the following suspicious value accessing the application through the HTTP Request Parameter query cat /etc/passwd", - "alertType" : "incident_created", - "alertReason" : "Incident Created", - "source" : "security", - "eventType" : "incidentalert", - "recommendedRunbooks" : [ "https://dev/adr-runbooks/runbooks/path-traversal/" ], - "url" : "https://apptwo.com/cs/index.html#/0f767995-4882-4c7c-889f-994d945ff0d5/incidents/INC-2025-6", - "relatedRules" : [ "path-traversal" ], - "score" : 9.3, - "organizationUuid" : "0f767995-4882-4c7c-889f-994d945ff0d5", - "createdTime" : "2025-10-08T12:22:23.0000Z", - "recommendedActions" : [ "We did not block this attack because blocking was not enabled for DM-ADR-Web-Application in Production.", "Add an exclusion for this attack event." ], - "incidentId" : "INC-2025-c11", - "incidentName" : "Path Traversal on \"/postjsoncmd\"", - "status" : "Open", - "timestamp" : "2025-10-08T12:08:22.0000Z" - } - tags: - - "source:LOGS_SOURCE" + timestamp: 1 From 3acff6ef537652fc97afdd4b125c3643985ebe95 Mon Sep 17 00:00:00 2001 From: london-wharton Date: Thu, 4 Dec 2025 16:02:46 -0500 Subject: [PATCH 4/8] update partnerRuleId --- .../confirmed_dlp_event_received_from_contrast_adr.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
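Review bot: Coverage of the incident event shape (`summary`, `recommendedRunbooks`, `incidentId`) is lost here: the only `incidentalert` sample is removed while the incident rule's message from patch 2 now interpolates `{{@summary}}` and `{{@recommendedRunbooks}}`, so nothing verifies those attributes survive the pipeline. The surviving sample's expected result also ends with `timestamp: 1`, which reads as a placeholder rather than the value a date remapper would presumably derive from `detectedTime: "1764161753000"`. Keeping a trimmed incident sample with expected `summary` and `recommendedRunbooks`, and asserting the real parsed timestamp, would make the test meaningful for both rule types.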
diff --git a/contrast_security_adr/assets/security/confirmed_dlp_event_received_from_contrast_adr.json b/contrast_security_adr/assets/security/confirmed_dlp_event_received_from_contrast_adr.json
index bd372c4f1d..b0ff789843 100644
--- a/contrast_security_adr/assets/security/confirmed_dlp_event_received_from_contrast_adr.json
+++ b/contrast_security_adr/assets/security/confirmed_dlp_event_received_from_contrast_adr.json
@@ -1,6 +1,6 @@
 {
 "name": "Confirmed DLP event received from Contrast ADR",
- "partnerRuleId": "ext-00k-owy",
+ "partnerRuleId": "ext-00w-f8n",
 "message": "### Summary:\n\nConfirmed active SQL Injection by Contrast ADR on {{@url}} endpoint of {{@application.name}}\n \n### Actions:\n\n View recommended actions at https://contrastsecurity.dev/adr-runbooks/runbooks/{{@rule}}\n\nView in Contrast Security ADR: {{@uiUrl}}",
 "createdAt": 1749466228666,
 "isDefault": false,
@@ -71,4 +71,4 @@
 "handle": "harsha.nagendra@contrastsecurity.com",
 "name": "Harsha Nagendra"
 }
-}
\ No newline at end of file
+}
From e0db5ba1a56ae9473451bd64953a1f02fcd74bec Mon Sep 17 00:00:00 2001
From: london-wharton
Date: Thu, 4 Dec 2025 16:03:12 -0500
Subject: [PATCH 5/8] update partnerRuleId
---
 .../confirmed_waf_alert_received_from_contrast_adr.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/contrast_security_adr/assets/security/confirmed_waf_alert_received_from_contrast_adr.json b/contrast_security_adr/assets/security/confirmed_waf_alert_received_from_contrast_adr.json
index 8166f820d1..cfcbf3edc3 100644
--- a/contrast_security_adr/assets/security/confirmed_waf_alert_received_from_contrast_adr.json
+++ b/contrast_security_adr/assets/security/confirmed_waf_alert_received_from_contrast_adr.json
@@ -1,6 +1,6 @@
 {
 "name": "Confirmed WAF alert received from Contrast ADR",
- "partnerRuleId": "ext-00p-qi7",
+ "partnerRuleId": "ext-00g-gwc",
 "message": "### Summary:\nWAF Alert Confirmed {{@result}} by Contrast ADR on {{@url}} endpoint of {{@application.name}}\n \n### Actions:\n\n View recommended actions at https://contrastsecurity.dev/adr-runbooks/runbooks/{{@rule}}\n\nView in Contrast Security ADR: {{@uiUrl}}",
 "createdAt": 1747814166967,
 "isDefault": false,
@@ -71,4 +71,4 @@
 "handle": "harsha.nagendra@contrastsecurity.com",
 "name": "Harsha Nagendra"
 }
-}
\ No newline at end of file
+}

From d853f18ebd6444543a82ce73b0fe68e21e69b9ae Mon Sep 17 00:00:00 2001
From: london-wharton
Date: Thu, 4 Dec 2025 16:03:30 -0500
Subject: [PATCH 6/8] Update exploited_attack_event_received_from_contrast_adr_.json

---
 .../exploited_attack_event_received_from_contrast_adr_.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr_.json b/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr_.json
index 05c935bebf..95689f17aa 100644
--- a/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr_.json
+++ b/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr_.json
@@ -1,6 +1,6 @@
 {
 "name": "Exploited attack event received from Contrast ADR ",
- "partnerRuleId": "ext-00h-brz",
+ "partnerRuleId": "ext-00r-ric",
 "message": "### Summary:\n{{@evt.outcome}} {{@rule}} from {{@source}} using {{@request.method}} on {{@url}} endpoint of {{@application.name}}\n\n### Actions:\n\n View recommended actions at https://contrastsecurity.dev/adr-runbooks/runbooks/{{@rule}}\n\nView in Contrast Security ADR: {{@uiUrl}}\n",
 "createdAt": 1747806810257,
 "isDefault": false,
@@ -57,4 +57,4 @@
 "handle": "harsha.nagendra@contrastsecurity.com",
 "name": "Harsha Nagendra"
 }
-}
\ No newline at end of file
+}
From 6680041f835afec0abac872ccb221786baf1e1c7 Mon Sep 17 00:00:00 2001
From: london-wharton
Date: Thu, 4 Dec 2025 16:03:45 -0500
Subject: [PATCH 7/8] Update exploited_attack_event_received_from_contrast_adr_in_production.json

---
 ...attack_event_received_from_contrast_adr_in_production.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr_in_production.json b/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr_in_production.json
index 4ba36dc04b..e5038d6273 100644
--- a/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr_in_production.json
+++ b/contrast_security_adr/assets/security/exploited_attack_event_received_from_contrast_adr_in_production.json
@@ -1,6 +1,6 @@
 {
 "name": "Exploited attack event received from Contrast ADR in production",
- "partnerRuleId": "ext-00u-wbm",
+ "partnerRuleId": "ext-00s-qxr",
 "message": "### Summary:\n{{@evt.outcome}} {{@rule}} from {{@source}} using {{@request.method}} on {{@url}} endpoint of {{@application.name}}\n\n### Actions:\n\n View recommended actions at https://contrastsecurity.dev/adr-runbooks/runbooks/{{@rule}}\n\nView in Contrast Security ADR: {{@uiUrl}}\n",
 "customName": "Exploited attack event received from Contrast ADR in production Partner",
 "createdAt": 1756412539694,
@@ -65,4 +65,4 @@
 "handle": "deepak.gopal@contrastsecurity.com",
 "name": "Deepak Gopal"
 }
-}
\ No newline at end of file
+}

From 436a4c7390965986312f01399901421f769b11c6 Mon Sep 17 00:00:00 2001
From: london-wharton
Date: Thu, 4 Dec 2025 16:04:03 -0500
Subject: [PATCH 8/8] Update incident_event_received_from_contrast_adr.json

---
 .../security/incident_event_received_from_contrast_adr.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/contrast_security_adr/assets/security/incident_event_received_from_contrast_adr.json b/contrast_security_adr/assets/security/incident_event_received_from_contrast_adr.json
index a8e38c5e54..cce94ac242 100644
--- a/contrast_security_adr/assets/security/incident_event_received_from_contrast_adr.json
+++ b/contrast_security_adr/assets/security/incident_event_received_from_contrast_adr.json
@@ -1,6 +1,6 @@
 {
 "name": "Incident event received from Contrast ADR",
- "partnerRuleId": "ext-00e-mur",
+ "partnerRuleId": "ext-00o-ysa",
 "message": "### Summary:\n\n{{@summary}}\n\n### Actions:\nView recommended runbook at {{@recommendedRunbooks}}\nView in Contrast Security ADR: {{@url}}\n",
 "createdAt": 1747811769280,
 "isDefault": false,
@@ -59,4 +59,4 @@
 "handle": "harsha.nagendra@contrastsecurity.com",
 "name": "Harsha Nagendra"
 }
-}
\ No newline at end of file
+}