Attack timeline
| Phase | What ADR sees | What DLP sees | Combined picture |
| --- | --- | --- | --- |
| Exploit | SQL injection in application. Payload: ' | Nothing yet | ADR identifies the root cause and attack vector |
| Data Access | ADR detects the injected query executed against the database | DLP detects anomalous data access: sensitive columns accessed, unusual volume returned | ADR explains how (injection) + DLP confirms what was accessed |
| Exfiltration | ADR provides the injection context and the exploited function | DLP detects sensitive data patterns (PII, credentials) leaving the network | Full chain: injection → data access → exfiltration confirmed |
Correlation logic: ADR exploit event joined with DLP alert on the same target hostname within a 1-hour window. The wider time window accounts for the delay between the injection and DLP detecting the resulting data movement.
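
The join described above, as an added example rather than the product's own query. It assumes the DLP alert fires at or after the ADR exploit event; the field names, result values, hostnames and events are constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # correlation window stated on the page

# Constructed sample events; field names are hypothetical, not a vendor schema.
ADR_EVENTS = [
    {"id": "adr-1", "host": "app01.example.internal", "rule": "sql-injection",
     "result": "EXPLOITED", "time": "2024-05-01T10:00:00+00:00"},
    {"id": "adr-2", "host": "app02.example.internal", "rule": "sql-injection",
     "result": "EXPLOITED", "time": "2024-05-01T10:05:00+00:00"},
    {"id": "adr-3", "host": "app03.example.internal", "rule": "sql-injection",
     "result": "BLOCKED", "time": "2024-05-01T10:10:00+00:00"},
]
DLP_ALERTS = [
    {"id": "dlp-1", "host": "APP01.example.internal.", "category": "PII",
     "time": "2024-05-01T10:42:00+00:00"},  # 42 min after adr-1: match
    {"id": "dlp-2", "host": "app02.example.internal", "category": "credentials",
     "time": "2024-05-01T11:30:00+00:00"},  # 85 min after adr-2: outside window
    {"id": "dlp-3", "host": "app01.example.internal", "category": "PII",
     "time": "2024-05-01T09:30:00+00:00"},  # before the exploit: not caused by it
    {"id": "dlp-4", "host": "app03.example.internal", "category": "PII",
     "time": "2024-05-01T10:20:00+00:00"},  # ADR event was blocked, not an exploit
]

def norm_host(name):
    """Tools differ in case and trailing dot for hostnames; normalise before joining."""
    return name.strip().rstrip(".").lower()

def correlate(adr_events, dlp_alerts, window=WINDOW):
    """Return (adr_id, dlp_id, delay) for DLP alerts on the same host within `window` after an exploit."""
    by_host = {}
    for alert in dlp_alerts:
        by_host.setdefault(norm_host(alert["host"]), []).append(alert)
    matches = []
    for ev in adr_events:
        if ev["result"] != "EXPLOITED":
            continue  # only confirmed exploit events anchor the join
        t0 = datetime.fromisoformat(ev["time"])
        for alert in by_host.get(norm_host(ev["host"]), []):
            delay = datetime.fromisoformat(alert["time"]) - t0
            if timedelta(0) <= delay <= window:
                matches.append((ev["id"], alert["id"], delay))
    return sorted(matches, key=lambda m: m[2])

if __name__ == "__main__":
    for adr_id, dlp_id, delay in correlate(ADR_EVENTS, DLP_ALERTS):
        print(f"{adr_id} -> {dlp_id} after {delay}")
```

Normalising the hostname before the join matters in practice, because the two tools rarely report it in the same case or with the same trailing dot.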