What Changed

Contrast ADR v3.1.0 adds a CCF (Codeless Connector Framework) connector alongside the existing Azure Function App connector, standardizing how application attack data is collected. Both ingestion paths now land in the same normalized custom tables, so the analytic rules and workbooks no longer depend on which connector is deployed.

Data Connector Evolution

New CCF Implementation:

  • DCR-based ingestion targeting ContrastADRAttackEvents_CL and ContrastADRIncidents_CL tables
  • JSON polling configuration with configurable endpoints and authentication
  • Standardized field mapping eliminating legacy _s suffix conventions

Schema Standardization:

  • ContrastADR_CL → ContrastADRAttackEvents_CL (attack events)
  • ContrastADRIncident_CL → ContrastADRIncidents_CL (incident correlation)
  • Field names normalized: result_s → result, rule_s → rule, SourceIP → sourceIp
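As an added example, not one of the solution's shipped parsers or rules, the following KQL unions the legacy Function App table with the new CCF table under the v3.1.0 field names, so one query can compare what each ingestion path delivered during a side-by-side migration. It renames only the three fields listed above; the existence of ContrastADR_CL with those legacy columns is an assumption, and any further _s column in your workspace needs its own rename.

```kql
// Added example, not part of the ContrastADR solution. Assumes the legacy
// Function App table ContrastADR_CL still exists with result_s, rule_s and
// SourceIP; any further _s columns need their own project-rename entries.
let legacy = ContrastADR_CL
    | project-rename result = result_s, rule = rule_s, sourceIp = SourceIP
    | extend IngestionPath = "FunctionApp (legacy table)";
let current = ContrastADRAttackEvents_CL
    | extend IngestionPath = "CCF (v3.1.0 table)";
// isfuzzy=true lets the union succeed once the legacy table no longer resolves,
// so the same query keeps working after the Function App connector is retired.
union isfuzzy=true legacy, current
| where TimeGenerated > ago(24h)
| summarize Events = count(), LastSeen = max(TimeGenerated)
        by IngestionPath, rule, result
| order by IngestionPath asc, Events desc
```

A non-empty legacy leg with an empty CCF leg for the same rule and result values is the quickest sign that the DCR stream or the CCF polling configuration is not delivering data, before any of the six analytic rules silently stop firing.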

Detection Logic Updates

All 6 Analytic Rules updated to reference new table schemas and field names:

  • Primary data source: ContrastADRAttackEvents_CL and ContrastADRIncidents_CL tables
  • Core logic: Joins attack events with incident context on incidentId; filters on attack rules including command injection, JNDI injection, XXE, and deserialization
  • Entity types mapped: Host (hostname), IP (sourceIp)
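The join pattern described above, written out as an added illustrative query rather than any of the six shipped rules. The Contrast rule identifiers, the result value and the incident columns severity and status are assumptions; confirm them against table_attackevents.json and table_incidents.json before adapting it.

```kql
// Added example, not one of the solution's six analytic rules.
// Assumptions: rule carries Contrast rule identifiers such as "cmd-injection",
// "jndi-injection", "xxe" and "untrusted-deserialization"; result is "EXPLOITED"
// for a confirmed exploit; ContrastADRIncidents_CL exposes incidentId, severity
// and status. Verify each against the CCF table definitions.
let lookback = 1h;
let high_impact_rules = dynamic(["cmd-injection", "jndi-injection", "xxe", "untrusted-deserialization"]);
ContrastADRAttackEvents_CL
| where TimeGenerated > ago(lookback)
| where rule in~ (high_impact_rules)
| where result =~ "EXPLOITED"
| where isnotempty(incidentId)            // events without incident context are not correlated
| join kind=inner (
    ContrastADRIncidents_CL
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, *) by incidentId   // keep the latest incident state only
    | project incidentId, IncidentSeverity = severity, IncidentStatus = status
  ) on incidentId
| summarize EventCount = count(),
            StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
            Rules = make_set(rule), SourceIps = make_set(sourceIp, 10)
        by incidentId, hostname, IncidentSeverity, IncidentStatus
// hostname feeds the Host entity mapping; SourceIps feeds the IP entity mapping.
| project-reorder incidentId, hostname, SourceIps, Rules, EventCount, IncidentSeverity, IncidentStatus
```

Deduplicating the incident side with arg_max before the join matters: the incident table is appended to on every status change, and joining without it multiplies each attack event by the number of incident updates, which inflates EventCount and produces duplicate Sentinel incidents.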

MITRE Mapping

Maintains existing coverage for application attack techniques:

  • T1008: Fallback Channels (application communication abuse)
  • T1018: Remote System Discovery
  • T1021: Remote Services
  • T1046: Network Service Scanning (renamed Network Service Discovery in current ATT&CK)
  • T1190: Exploit Public-Facing Application (primary focus)
  • T1210: Exploitation of Remote Services
  • T1211: Exploitation for Defense Evasion

Security Impact (Visibility & Fidelity)

Enhanced Deployment Options: Organizations can now deploy Contrast ADR via CCF without Function App infrastructure requirements, reducing deployment complexity for application attack monitoring.

Data Consistency: Schema normalization removes the field-mapping differences between the two ingestion methods, so queries written against the new table schemas return the same results regardless of connector choice. The change is not backward compatible at the query level: custom queries, workbooks or automation that still reference ContrastADR_CL, ContrastADRIncident_CL or the _s-suffixed fields return nothing against the new tables and must be migrated to the new table and field names.

Workbook Enhancement: Six specialized workbooks (Command Injection, JNDI Injection, Path Traversal, SQL Injection, Untrusted Deserialization, XXE) updated with additional correlation panels for improved attack pattern analysis.

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/ContrastADRAttackEvents_CL.json
.script/tests/KqlvalidationsTests/CustomTables/ContrastADRIncident_CL.json
.script/tests/KqlvalidationsTests/CustomTables/ContrastADRIncidents_CL.json
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Sample Data/Custom/ContrastADRAttackEvents_CL.csv
Sample Data/Custom/ContrastADRIncidents_CL.csv
Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_EDR.yaml
Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Confirmed_WAF.yaml
Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event.yaml
Solutions/ContrastADR/Analytic Rules/Contrast_ADR_Exploited_Attack_Event_in_Production.yaml
Solutions/ContrastADR/Analytic Rules/Contrast_ADR_SQL_Injection_Alert_with_DLP_alerts.yaml
Solutions/ContrastADR/Analytic Rules/Contrast_Security_ADR_incident.yaml
Solutions/ContrastADR/Data Connectors/AzureFunctionContrastADR/function_app.py
Solutions/ContrastADR/Data Connectors/ContrastADRCCF/DCR.json
Solutions/ContrastADR/Data Connectors/ContrastADRCCF/connectorDefinition.json
Solutions/ContrastADR/Data Connectors/ContrastADRCCF/dataConnector.json
Solutions/ContrastADR/Data Connectors/ContrastADRCCF/table_attackevents.json
Solutions/ContrastADR/Data Connectors/ContrastADRCCF/table_incidents.json
Solutions/ContrastADR/Package/testParameters.json
Solutions/ContrastADR/Parsers/Contrast_alert_event_parser.yaml
Solutions/ContrastADR/Parsers/Contrast_incident_parser.yaml
Solutions/ContrastADR/Workbooks/ContrastADR_Command_Injection_Workbook.json
Solutions/ContrastADR/Workbooks/ContrastADR_JNDI_Injection_Workbook.json
Solutions/ContrastADR/Workbooks/ContrastADR_Path_Traversal_Workbook.json
Solutions/ContrastADR/Workbooks/ContrastADR_SQL_Injection_Workbook.json
Solutions/ContrastADR/Workbooks/ContrastADR_Untrusted_Deserialization_Workbook.json
Solutions/ContrastADR/Workbooks/ContrastADR_XML External_Entity_Injection_Injection_Workbook.json
Workbooks/WorkbooksMetadata.json
(packaging artefacts: 3.1.0.zip, ReleaseNotes.md, Solution_ContrastADR.json, createUiDefinition.json, mainTemplate.json)