The ADR attack event data model
Every Contrast ADR attack event contains these fields. This is what arrives in your SIEM:
| Field | What it tells you | Example |
|---|---|---|
| Attack Rule | The vulnerability class exploited | sql-injection, cmd-injection, path-traversal, xxe, jndi-injection |
| Result | Did it work? | EXPLOITED (confirmed), BLOCKED (ADR prevented execution), PROBED (attempted, didn't reach a sink), SUSPICIOUS (anomalous but unconfirmed) |
| Severity | How bad | CRITICAL, HIGH, MEDIUM |
| Application | Which app was targeted | cargo-cats-dataservice |
| Hostname | Which instance/pod | cargo-cats-dataservice-7bd8f7c4d8-lsw8p |
| Target URL | Which endpoint | /payments |
| Source IP | Where the attack came from | 10.1.1.128 |
| MITRE Tactics | Pre-mapped ATT&CK tactics | TA0010 Exfiltration, TA0009 Collection, TA0040 Impact |
| Reconstructed Query | The actual query/command after injection | INSERT INTO credit_card ... VALUES ('9999999999999999 ' AND SLEEP(5) ...') |
| Environment | Where it's running | PRODUCTION, DEVELOPMENT |
| Console Link | Direct link to the Contrast console for full details | https://app.contrastsecurity.com/... |
1. Result = EXPLOITED — ignore probes and suspicious activity; alert only on confirmed exploitation
2. Environment = PRODUCTION — ignore dev/test noise
3. Severity = CRITICAL or HIGH — focus analyst attention
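The three filters above, applied to the event fields from the table, as an added example (not Contrast's own code). It assumes events reach the SIEM as one JSON object per line with keys named after the table's fields; the key spelling and the sample events are constructed for this example, not Contrast's actual schema:

```python
import json
from collections import Counter

# Constructed sample events. Field names follow the table above, but the JSON key
# spelling and layout are assumptions for this example, not Contrast's actual schema.
SAMPLE_EVENTS = [
    '{"attack_rule": "sql-injection", "result": "EXPLOITED", "severity": "CRITICAL", '
    '"application": "cargo-cats-dataservice", "target_url": "/payments", '
    '"source_ip": "10.1.1.128", "mitre_tactics": ["TA0010", "TA0009", "TA0040"], '
    '"environment": "PRODUCTION"}',
    '{"attack_rule": "path-traversal", "result": "PROBED", "severity": "HIGH", '
    '"application": "cargo-cats-dataservice", "environment": "PRODUCTION"}',
    '{"attack_rule": "cmd-injection", "result": "EXPLOITED", "severity": "CRITICAL", '
    '"application": "cargo-cats-dataservice", "environment": "DEVELOPMENT"}',
    '{"attack_rule": "xxe", "result": "EXPLOITED", "severity": "MEDIUM", '
    '"application": "cargo-cats-dataservice", "environment": "PRODUCTION"}',
    '{"attack_rule": "jndi-injection", "result": "BLOCKED", "severity": "HIGH", '
    '"application": "cargo-cats-dataservice", "environment": "PRODUCTION"}',
]

# The three filters from the list above, checked in that order.
FILTERS = (
    ("result", {"EXPLOITED"}),
    ("environment", {"PRODUCTION"}),
    ("severity", {"CRITICAL", "HIGH"}),
)

def suppression_reason(event):
    """Return None if the event should page an analyst, else the first failing filter.
    A missing field fails its filter too, so malformed events never alert silently."""
    for field, allowed in FILTERS:
        value = event.get(field)
        if value not in allowed:
            return f"{field}={value}"
    return None

def summarize(event):
    """One-line alert title built from the fields a responder needs first."""
    tactics = ",".join(event.get("mitre_tactics", []))
    return (f"{event['attack_rule']} {event['result']} on {event['application']} "
            f"{event.get('target_url', '')} from {event.get('source_ip', '?')} [{tactics}]")

def triage(raw_lines):
    """Parse JSON event lines; return alert titles and counts of why the rest were dropped."""
    alerts, dropped = [], Counter()
    for line in raw_lines:
        event = json.loads(line)
        reason = suppression_reason(event)
        if reason is None:
            alerts.append(summarize(event))
        else:
            dropped[reason] += 1
    return alerts, dropped
```

Keeping the dropped-reason counts lets you verify the filters are suppressing PROBED and BLOCKED noise rather than hiding real exploitation, and tune them per application.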