Key fields in ADR alerts
When an ADR alert lands in your SIEM, these are the fields that matter for triage:
| Field | Why It Matters | Triage Implication |
|---|---|---|
| Application Name | Identifies the target app | Map to CMDB / owner lookup |
| Environment | Prod vs. staging vs. dev | Prod = immediate triage. Dev = lower priority |
| Vulnerability Type | e.g., SQL Injection, Path Traversal, RCE | Drives severity: RCE >> XSS in most contexts |
| Severity | ADR-assigned severity (Critical/High/Med/Low) | Map to your SOC SLA tiers |
| Exploit Status | Detected (monitored) vs. Blocked | Blocked = confirmed threat, but contained. Detected = potentially still exploitable |
| Source IP | Attacker’s origin | Correlate with threat intel, other alerts from the same IP |
| Request URI / Route | Which endpoint was targeted | Identifies attack surface |
| Function / Class | Exact code location being exploited | Unique to ADR — share with AppSec/Eng for remediation |
| Input Value | The malicious payload | Evidence for investigation; share cautiously |
| MITRE Tactics | Pre-mapped ATT&CK tactics for the attack | Immediate context for analysts — no manual mapping required |
| Application Owner | Who owns this app | Your escalation target |
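The following is an added example, not code from the page or from any ADR vendor, showing how a SIEM enrichment step could turn these fields into a triage decision: environment and exploit status raise or lower priority, ADR severity maps to an SOC SLA tier, the owner becomes the escalation target, and the raw Input Value is truncated before it leaves the IR team. The JSON field names, the two sample alerts, the SLA minutes and the vulnerability ranking are all assumptions; substitute your product's real schema and your own tiers.

```python
"""Triage helper for ADR alerts landing in a SIEM (added example).

Assumptions: the alert JSON layout and key names below are invented to
mirror the field table; SLA tiers and vulnerability ranking are placeholders.
"""
import json
from dataclasses import dataclass

# Constructed sample: prod, not blocked, SQL injection -> should be top priority.
SAMPLE_ALERT = json.dumps({
    "application_name": "payments-api",
    "environment": "prod",
    "vulnerability_type": "SQL Injection",
    "severity": "High",
    "exploit_status": "Detected",
    "source_ip": "198.51.100.23",
    "request_uri": "/api/v1/orders",
    "function": "OrderRepository.findByCustomer",
    "input_value": "1' OR '1'='1",
    "mitre_tactics": ["TA0001"],
    "application_owner": "payments-team@example.invalid",
})

# Constructed sample: same alert but blocked by ADR and raised in dev.
SAMPLE_BLOCKED_DEV = json.dumps({
    **json.loads(SAMPLE_ALERT), "environment": "dev", "exploit_status": "Blocked"
})

# Assumed SOC SLA tiers keyed by ADR severity (minutes to first analyst action).
SLA_MINUTES = {"Critical": 15, "High": 60, "Medium": 240, "Low": 1440}

# Assumed ranking of vulnerability classes; RCE outranks XSS in most contexts.
VULN_RANK = {"RCE": 3, "SQL Injection": 2, "Path Traversal": 2, "XSS": 1}


@dataclass
class TriageDecision:
    priority: str        # P1 (act now) .. P4 (queue)
    sla_minutes: int     # response target after tier mapping
    escalate_to: str     # application owner from the alert
    appsec_handoff: dict # what AppSec/Eng need to fix the code path


def score(alert: dict) -> int:
    """Combine vulnerability class, environment and exploit status into a score."""
    s = VULN_RANK.get(alert["vulnerability_type"], 1)
    if alert["environment"].lower() == "prod":
        s += 2  # prod = immediate triage
    if alert["exploit_status"].lower() == "detected":
        s += 2  # detected-only means the request reached the app; blocked is contained
    return s


def redact_payload(value: str, keep: int = 4) -> str:
    """Keep only a short prefix of the input value when sharing outside the IR team."""
    if len(value) <= keep:
        return value
    return value[:keep] + f"...[{len(value) - keep} more chars]"


def triage(alert_json: str) -> TriageDecision:
    """Parse one ADR alert and produce a priority, SLA and escalation target."""
    alert = json.loads(alert_json)
    s = score(alert)
    priority = "P1" if s >= 6 else "P2" if s >= 4 else "P3" if s >= 2 else "P4"
    sla = SLA_MINUTES.get(alert["severity"], SLA_MINUTES["Low"])
    if priority == "P1":
        # A live, exploitable prod alert gets the tightest SLA whatever the label says.
        sla = min(sla, SLA_MINUTES["Critical"])
    handoff = {
        "application": alert["application_name"],
        "vulnerability_type": alert["vulnerability_type"],
        "route": alert["request_uri"],
        "code_location": alert["function"],   # the field unique to ADR
        "tactics": alert["mitre_tactics"],
        "payload_preview": redact_payload(alert["input_value"]),
    }
    return TriageDecision(priority, sla, alert["application_owner"], handoff)


if __name__ == "__main__":
    for sample in (SAMPLE_ALERT, SAMPLE_BLOCKED_DEV):
        d = triage(sample)
        print(d.priority, d.sla_minutes, d.escalate_to, d.appsec_handoff["code_location"])
```

The correlation hint in the table (other alerts from the same Source IP) is deliberately left to the SIEM's own grouping; the point of the script is that priority is driven by Environment and Exploit Status, not by the severity label alone.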