Response playbook
Immediate: Enable Block Mode for SQL injection on the affected application
Open both the ADR console link and DLP alert — confirm the correlation is valid (same app, same timeframe)
Assess breach scope using DLP data: which tables, which columns, how many records
Preserve evidence: ADR logs (attack vector + payload) + DLP logs (data accessed + volume)
Notify Legal/Compliance with the precise scope — you have the root cause (ADR) and the impact (DLP)
Escalate to AppSec: provide the exact function, the reconstructed query (from vectorAnalysis.query), and the endpoint for emergency fix
Search SIEM for the same source IP targeting other applications
Flag affected database tables for enhanced DLP monitoring
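
The correlation check, scope assessment, SIEM pivot and AppSec handoff from the steps above, as an added example that is not code from the ADR or DLP product. Every field name except vectorAnalysis.query, the 15-minute window and all sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# All field names below are assumed for illustration, except vectorAnalysis.query.
WINDOW = timedelta(minutes=15)  # assumed correlation window; tune to your environment

# Constructed sample records (not real product output).
ADR = {"app": "billing-api", "time": "2024-05-01T10:02:11", "src_ip": "203.0.113.7",
       "endpoint": "/invoices/search", "function": "InvoiceDao.find",
       "vectorAnalysis": {"query": "<reconstructed query>"}}
DLP = [
    {"app": "billing-api", "time": "2024-05-01T10:03:40", "table": "customers",
     "columns": ["email", "card_last4"], "records": 1200},
    {"app": "billing-api", "time": "2024-05-01T10:05:02", "table": "invoices",
     "columns": ["amount"], "records": 300},
    {"app": "hr-portal", "time": "2024-05-01T10:04:00", "table": "staff",
     "columns": ["ssn"], "records": 50},          # different app: not correlated
    {"app": "billing-api", "time": "2024-05-01T14:30:00", "table": "customers",
     "columns": ["email"], "records": 10},        # outside the window
]
SIEM = [
    {"src_ip": "203.0.113.7", "app": "billing-api"},
    {"src_ip": "203.0.113.7", "app": "hr-portal"},
    {"src_ip": "198.51.100.9", "app": "crm"},
]

def correlated(adr, dlp, window=WINDOW):
    """Correlation is valid only for the same app in the same timeframe."""
    gap = abs(datetime.fromisoformat(dlp["time"]) - datetime.fromisoformat(adr["time"]))
    return dlp["app"] == adr["app"] and gap <= window

def breach_scope(adr, dlp_alerts):
    """Tables, columns and record count, taken from correlated DLP alerts only."""
    scope = {"tables": {}, "records": 0}
    for a in filter(lambda d: correlated(adr, d), dlp_alerts):
        scope["tables"].setdefault(a["table"], set()).update(a["columns"])
        scope["records"] += a["records"]
    return scope

def other_apps_from_source(adr, siem_events):
    """Other applications reached by the same source IP."""
    return sorted({e["app"] for e in siem_events
                   if e["src_ip"] == adr["src_ip"] and e["app"] != adr["app"]})

def appsec_handoff(adr):
    """Exact function, reconstructed query and endpoint for the emergency fix."""
    return {"function": adr["function"], "endpoint": adr["endpoint"],
            "query": adr["vectorAnalysis"]["query"]}

if __name__ == "__main__":
    print(breach_scope(ADR, DLP), other_apps_from_source(ADR, SIEM), appsec_handoff(ADR))
```

The tables returned by breach_scope are also the ones to flag for enhanced DLP monitoring in the last step.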