What Changed
The Contrast ADR CCF connector schema is extended with three new fields in the attack event table to provide deeper attack context and improved forensic capabilities.
Security Impact (Visibility & Fidelity)
The schema enhancement adds critical application security context that was previously unavailable:
New Fields Added:
- codeLocation (dynamic): Captures the file path, method name, and stack trace where the attack was detected within application code
- vectorAnalysis (dynamic): Provides call location and vector field analysis for attack pattern identification
- request_parameters (dynamic): Expands HTTP request context beyond existing query string and body capture
Data Fidelity Improvement: Previously deployed Contrast ADR connectors could not capture code-level attack attribution or advanced vector analysis, so queries referencing these fields against older connector versions returned null. This update resolves that data gap for new deployments.
Transform Logic Updates: The DCR transformKql was updated to parse and extract the new JSON fields into normalized columns, including:
- vectorAnalysis_callLocation and vectorAnalysis_vectorFields
- codeLocation_file, codeLocation_method, and codeLocation_stack
- request_parameters for enhanced HTTP request analysis
This change improves attack attribution capabilities by providing precise code-level context for security events, enabling more effective root cause analysis and vulnerability remediation.
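The transform logic described above, as an added illustrative KQL example rather than the actual content of the solution's DCR.json: it assumes the incoming dynamic columns are named codeLocation, vectorAnalysis and request_parameters, and that their nested keys are file, method, stack, callLocation and vectorFields. Those key names are inferred from the normalized column names listed above and are assumptions, not something the page confirms.

```kql
// Illustrative DCR transformKql (added example, not the solution's own DCR.json).
// In a DCR transform the incoming stream is always referenced as `source`.
// Assumed nested keys: codeLocation.{file,method,stack},
// vectorAnalysis.{callLocation,vectorFields}; request_parameters is kept dynamic.
source
// parse_json is a no-op on values that are already dynamic, and tolerates
// events from older connectors where the column is absent or null.
| extend codeLocation_d = parse_json(codeLocation),
         vectorAnalysis_d = parse_json(vectorAnalysis)
// Flatten the nested objects into the normalized string columns.
// For events lacking the field, tostring() yields an empty string rather than
// failing, so the transform is safe for mixed connector versions.
| extend codeLocation_file = tostring(codeLocation_d.file),
         codeLocation_method = tostring(codeLocation_d.method),
         codeLocation_stack = tostring(codeLocation_d.stack),
         vectorAnalysis_callLocation = tostring(vectorAnalysis_d.callLocation),
         vectorAnalysis_vectorFields = tostring(vectorAnalysis_d.vectorFields),
         request_parameters = todynamic(request_parameters)
// Drop the intermediate parsed objects so only the normalized columns land
// in the attack event table.
| project-away codeLocation_d, vectorAnalysis_d
```

Because events from older connector versions never carried these fields, the extracted string columns will be empty for them; analytics rules and hunting queries built on the new columns should guard with isnotempty() on codeLocation_file or vectorAnalysis_callLocation rather than assume every row is populated.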
Affected Files
Solutions/ContrastADR/Data Connectors/ContrastADRCCF/DCR.json
Solutions/ContrastADR/Data Connectors/ContrastADRCCF/table_attackevents.json
(packaging artefacts: 3.1.1.zip, ReleaseNotes.md, Solution_ContrastADR.json, mainTemplate.json)