What Changed

Updated field reference in the Contrast ADR Confirmed EDR detection rule from incident_id_s to incidentId_s to match the actual field name in the ContrastADR_CL table. Added both field names to the test schema for validation.

Detection Logic

KQL logic unavailable — YAML not included in diff context.

Security Impact (Visibility & Fidelity)

The incorrect field name caused the detection rule to fail completely when referencing incident correlation data from the ContrastADR_CL table. Queries using incident_id_s would return null values or cause query execution errors, preventing the rule from correlating security events with Contrast application security incidents.

This eliminated detection capability for confirmed application-layer attacks identified by Contrast ADR — a critical blind spot for organizations relying on application security runtime protection.
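An added example of the kind of schema check that catches this class of bug before a rule ships; it is not part of this PR or of the repository's own KQL validation tests. It extracts custom-log column references (the Log Analytics `_s`, `_d`, `_b`, `_g`, `_t` type suffixes) from a rule's KQL and compares them against the table's test schema. The schema contents and both queries are constructed placeholders, and the `Name`/`Properties` schema layout is an assumption about the CustomTables test format.

```python
"""Check that every custom-table column a rule's KQL references exists in
the table's test schema, so a typo like incident_id_s vs incidentId_s is
caught by a test instead of by a silently broken detection."""
import json
import re

# Constructed test schema (assumed layout of the CustomTables JSON files).
# Only the corrected column name is listed so the mismatch is visible.
SCHEMA_JSON = """
{
  "Name": "ContrastADR_CL",
  "Properties": [
    {"Name": "TimeGenerated", "Type": "datetime"},
    {"Name": "incidentId_s",  "Type": "string"}
  ]
}
"""

# Placeholder queries; the rule's real KQL is not in the PR context.
BROKEN_QUERY = """
ContrastADR_CL
| where isnotempty(incident_id_s)
| project TimeGenerated, incident_id_s
"""
FIXED_QUERY = BROKEN_QUERY.replace("incident_id_s", "incidentId_s")

# Custom-log columns carry a single-letter type suffix after an underscore.
CUSTOM_COLUMN = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*_[sdbgt]\b")


def schema_columns(schema_json: str) -> set:
    """Return the set of column names declared in the test schema."""
    schema = json.loads(schema_json)
    return {prop["Name"] for prop in schema["Properties"]}


def referenced_custom_columns(kql: str) -> set:
    """Return every suffix-typed column name the query mentions."""
    return set(CUSTOM_COLUMN.findall(kql))


def missing_columns(kql: str, schema_json: str) -> set:
    """Columns the query uses that the table schema does not define."""
    return referenced_custom_columns(kql) - schema_columns(schema_json)


if __name__ == "__main__":
    for label, query in (("broken", BROKEN_QUERY), ("fixed", FIXED_QUERY)):
        print(label, "missing:", sorted(missing_columns(query, SCHEMA_JSON)))
```

A non-empty result from `missing_columns` is the signal to fail the validation test; running it over the fixed query returns an empty set.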

Affected Files

Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_EDR.yaml
.script/tests/KqlvalidationsTests/CustomTables/ContrastADR_CL.json
(packaging artefacts: mainTemplate.json, 3.0.1.zip)