What Changed

Updated six Contrast ADR analytic rules with refined alert formatting and descriptions:

  • EDR correlation alerts simplified for clarity
  • WAF confirmation alerts enhanced with endpoint details
  • SQL injection detection downgraded from Critical to High severity
  • Custom table schema updated to include request_headers_referer_s field
  • Removed unused ContrastWAFLogs_CL custom table definition

Detection Logic

KQL logic unavailable — YAML not included in diff context.

Security Impact (Visibility & Fidelity)

The alert description changes improve the SOC analyst workflow by providing clearer, more actionable information in incident titles and descriptions. Adding the request_headers_referer_s field to the custom table schema indicates improved data fidelity for tracking attack vectors and for referrer-based threat analysis.

The severity downgrade of SQL injection detection from Critical to High may affect alerting thresholds and response priorities — teams should review their severity-based automation rules accordingly.

Affected Files

Analytic rules updated (6 files): Contrast_ADR_Confirmed_EDR.yaml, Contrast_ADR_Confirmed_WAF.yaml, Contrast_ADR_Exploited_Attack_Event.yaml, Contrast_ADR_Exploited_Attack_Event_in_Production.yaml, Contrast_ADR_SQL_Injection_Alert_with_DLP_alerts.yaml, Contrast_Security_ADR_incident.yaml
Custom table definitions updated: ContrastADR_CL.json (field added), ContrastWAFLogs_CL.json (removed)
(packaging artefacts updated: mainTemplate.json, 3.0.0.zip)