CYFIRMA - High Severity Asset based Vulnerabilities Rule Alert
| Id | 123fad02-6d9e-439e-8241-7a2fffa7e0a5 |
| Rulename | CYFIRMA - High Severity Asset based Vulnerabilities Rule Alert |
| Description | “This rule detects high severity asset-based vulnerabilities from CYFIRMA’s vulnerability intelligence data. It identifies vulnerabilities with a confidence score of 80 or higher, excluding those categorized as ‘ATTACK_SURFACE_VULNERABILITY’, and generates alerts for assets that may be at risk.” |
| Severity | High |
| Tactics | Execution LateralMovement PrivilegeEscalation InitialAccess CredentialAccess DefenseEvasion |
| Techniques | T1059 T1203 T1210 T1068 T1190 T1133 T1003 T1553 T1548.002 T1021.002 |
| Required data connectors | CyfirmaVulnerabilitiesIntelDC |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Vulnerabilities Intel/Analytic Rules/AssetVulnerabilitiesHighSeverityRule.yaml |
| Version | 1.0.0 |
| Arm template | 123fad02-6d9e-439e-8241-7a2fffa7e0a5.json |
// High severity - Asset based Vulnerabilities
let timeFrame = 5m;
CyfirmaVulnerabilities_CL
| extend parsed = parse_json(extensions)
| extend extensionKeys = bag_keys(parsed)
| mv-expand extensionKeys
| extend extensionKeyStr = tostring(extensionKeys)
| extend ext = parsed[extensionKeyStr]
| extend props = ext.properties
| extend
attack_complexity = tostring(props.attack_complexity),
cvss_score = toreal(props.cvss_score),
integrity_impact = tostring(props.integrity_impact),
impact_score = tostring(props.impact_score),
attack_vector = tostring(props.attack_vector),
privileges_required = tostring(props.privileges_required),
cvss_version = tostring(props.cvss_version),
user_interaction = tostring(props.user_interaction),
cvss_vector = tostring(props.cvss_vector),
scope = tostring(props.scope),
confidentiality_impact = tostring(props.confidentiality_impact),
exploitability_score = toreal(props.exploitability_score),
products = tostring(props.products),
technologies = tostring(props.technologies),
vendors = tostring(props.vendors),
confidence_score = toint(confidence),
servers = tostring(props.servers),
vulnerability_type = tostring(props.vulnerability_type),
vulnerability_category = tostring(props.vulnerability_category),
NetworkIPs = tostring(props.ips),
ProviderName ='CYFIRMA',
ProductName ='DeCYFIR/DeTCT'
| summarize arg_max(
integrity_impact,
TimeGenerated,
id,
description,
confidence_score,
created,
modified,
attack_complexity,
cvss_score,
impact_score,
attack_vector,
privileges_required,
cvss_version,
user_interaction,
cvss_vector,
scope,
confidentiality_impact,
exploitability_score,
products,
technologies,
vendors,
ProviderName,
ProductName,
servers,
NetworkIPs,
vulnerability_type,
vulnerability_category
)
by name
| where confidence_score >= 80 and vulnerability_category != 'ATTACK_SURFACE_VULNERABILITY' and TimeGenerated between (ago(timeFrame) .. now())
| project
TimeGenerated,
name,
confidence_score,
integrity_impact,
attack_complexity,
cvss_score,
impact_score,
attack_vector,
UID = id,
description,
created,
modified,
privileges_required,
cvss_version,
user_interaction,
cvss_vector,
scope,
confidentiality_impact,
exploitability_score,
products,
technologies,
vendors,
ProviderName,
ProductName,
servers,
NetworkIPs,
vulnerability_type,
vulnerability_category
tactics:
- Execution
- LateralMovement
- PrivilegeEscalation
- InitialAccess
- CredentialAccess
- DefenseEvasion
enabled: false
id: 123fad02-6d9e-439e-8241-7a2fffa7e0a5
requiredDataConnectors:
- connectorId: CyfirmaVulnerabilitiesIntelDC
dataTypes:
- CyfirmaVulnerabilities_CL
query: |
// High severity - Asset based Vulnerabilities
let timeFrame = 5m;
CyfirmaVulnerabilities_CL
| extend parsed = parse_json(extensions)
| extend extensionKeys = bag_keys(parsed)
| mv-expand extensionKeys
| extend extensionKeyStr = tostring(extensionKeys)
| extend ext = parsed[extensionKeyStr]
| extend props = ext.properties
| extend
attack_complexity = tostring(props.attack_complexity),
cvss_score = toreal(props.cvss_score),
integrity_impact = tostring(props.integrity_impact),
impact_score = tostring(props.impact_score),
attack_vector = tostring(props.attack_vector),
privileges_required = tostring(props.privileges_required),
cvss_version = tostring(props.cvss_version),
user_interaction = tostring(props.user_interaction),
cvss_vector = tostring(props.cvss_vector),
scope = tostring(props.scope),
confidentiality_impact = tostring(props.confidentiality_impact),
exploitability_score = toreal(props.exploitability_score),
products = tostring(props.products),
technologies = tostring(props.technologies),
vendors = tostring(props.vendors),
confidence_score = toint(confidence),
servers = tostring(props.servers),
vulnerability_type = tostring(props.vulnerability_type),
vulnerability_category = tostring(props.vulnerability_category),
NetworkIPs = tostring(props.ips),
ProviderName ='CYFIRMA',
ProductName ='DeCYFIR/DeTCT'
| summarize arg_max(
integrity_impact,
TimeGenerated,
id,
description,
confidence_score,
created,
modified,
attack_complexity,
cvss_score,
impact_score,
attack_vector,
privileges_required,
cvss_version,
user_interaction,
cvss_vector,
scope,
confidentiality_impact,
exploitability_score,
products,
technologies,
vendors,
ProviderName,
ProductName,
servers,
NetworkIPs,
vulnerability_type,
vulnerability_category
)
by name
| where confidence_score >= 80 and vulnerability_category != 'ATTACK_SURFACE_VULNERABILITY' and TimeGenerated between (ago(timeFrame) .. now())
| project
TimeGenerated,
name,
confidence_score,
integrity_impact,
attack_complexity,
cvss_score,
impact_score,
attack_vector,
UID = id,
description,
created,
modified,
privileges_required,
cvss_version,
user_interaction,
cvss_vector,
scope,
confidentiality_impact,
exploitability_score,
products,
technologies,
vendors,
ProviderName,
ProductName,
servers,
NetworkIPs,
vulnerability_type,
vulnerability_category
eventGroupingSettings:
aggregationKind: AlertPerResult
relevantTechniques:
- T1059
- T1203
- T1210
- T1068
- T1190
- T1133
- T1003
- T1553
- T1548.002
- T1021.002
name: CYFIRMA - High Severity Asset based Vulnerabilities Rule Alert
description: |
"This rule detects high severity asset-based vulnerabilities from CYFIRMA's vulnerability intelligence data.
It identifies vulnerabilities with a confidence score of 80 or higher, excluding those categorized as 'ATTACK_SURFACE_VULNERABILITY', and generates alerts for assets that may be at risk."
triggerOperator: GreaterThan
queryPeriod: 5m
suppressionDuration: 5m
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Vulnerabilities Intel/Analytic Rules/AssetVulnerabilitiesHighSeverityRule.yaml
version: 1.0.0
alertDetailsOverride:
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
alertDisplayNameFormat: 'CYFIRMA - High Severity Asset based Vulnerability Identified - {{name}} '
alertDescriptionFormat: '{{description}} '
triggerThreshold: 0
suppressionEnabled: false
queryFrequency: 5m
kind: Scheduled
incidentConfiguration:
createIncident: true
groupingConfiguration:
matchingMethod: AllEntities
reopenClosedIncident: false
lookbackDuration: 5m
enabled: false
customDetails:
Modified: modified
PrivilegesRequired: privileges_required
ConfidenceScore: confidence_score
TimeGenerated: TimeGenerated
CVSSVersion: cvss_version
CVSSScore: cvss_score
ImpactScore: impact_score
AttackVector: attack_vector
scope: scope
AttackComplexity: attack_complexity
Technologies: technologies
CVE: name
ExploitabilityScore: exploitability_score
Products: products
IntegrityImpact: integrity_impact
ConfidentialImpact: confidentiality_impact
Vendors: vendors
CVSSVector: cvss_vector
UserInteraction: user_interaction
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/123fad02-6d9e-439e-8241-7a2fffa7e0a5')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/123fad02-6d9e-439e-8241-7a2fffa7e0a5')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{description}} ",
"alertDisplayNameFormat": "CYFIRMA - High Severity Asset based Vulnerability Identified - {{name}} ",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "123fad02-6d9e-439e-8241-7a2fffa7e0a5",
"customDetails": {
"AttackComplexity": "attack_complexity",
"AttackVector": "attack_vector",
"ConfidenceScore": "confidence_score",
"ConfidentialImpact": "confidentiality_impact",
"CVE": "name",
"CVSSScore": "cvss_score",
"CVSSVector": "cvss_vector",
"CVSSVersion": "cvss_version",
"ExploitabilityScore": "exploitability_score",
"ImpactScore": "impact_score",
"IntegrityImpact": "integrity_impact",
"Modified": "modified",
"PrivilegesRequired": "privileges_required",
"Products": "products",
"scope": "scope",
"Technologies": "technologies",
"TimeGenerated": "TimeGenerated",
"UserInteraction": "user_interaction",
"Vendors": "vendors"
},
"description": "\"This rule detects high severity asset-based vulnerabilities from CYFIRMA's vulnerability intelligence data. \nIt identifies vulnerabilities with a confidence score of 80 or higher, excluding those categorized as 'ATTACK_SURFACE_VULNERABILITY', and generates alerts for assets that may be at risk.\"\n",
"displayName": "CYFIRMA - High Severity Asset based Vulnerabilities Rule Alert",
"enabled": false,
"entityMappings": null,
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5M",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Vulnerabilities Intel/Analytic Rules/AssetVulnerabilitiesHighSeverityRule.yaml",
"query": "// High severity - Asset based Vulnerabilities\nlet timeFrame = 5m;\nCyfirmaVulnerabilities_CL\n| extend parsed = parse_json(extensions)\n| extend extensionKeys = bag_keys(parsed)\n| mv-expand extensionKeys\n| extend extensionKeyStr = tostring(extensionKeys)\n| extend ext = parsed[extensionKeyStr]\n| extend props = ext.properties\n| extend \n attack_complexity = tostring(props.attack_complexity),\n cvss_score = toreal(props.cvss_score),\n integrity_impact = tostring(props.integrity_impact),\n impact_score = tostring(props.impact_score),\n attack_vector = tostring(props.attack_vector),\n privileges_required = tostring(props.privileges_required),\n cvss_version = tostring(props.cvss_version),\n user_interaction = tostring(props.user_interaction),\n cvss_vector = tostring(props.cvss_vector),\n scope = tostring(props.scope),\n confidentiality_impact = tostring(props.confidentiality_impact),\n exploitability_score = toreal(props.exploitability_score),\n products = tostring(props.products),\n technologies = tostring(props.technologies),\n vendors = tostring(props.vendors),\n confidence_score = toint(confidence),\n servers = tostring(props.servers),\n vulnerability_type = tostring(props.vulnerability_type),\n vulnerability_category = tostring(props.vulnerability_category),\n NetworkIPs = tostring(props.ips),\n ProviderName ='CYFIRMA',\n ProductName ='DeCYFIR/DeTCT'\n| summarize arg_max(\n integrity_impact,\n TimeGenerated, \n id,\n description,\n confidence_score,\n created,\n modified,\n attack_complexity,\n cvss_score,\n impact_score,\n attack_vector,\n privileges_required,\n cvss_version,\n user_interaction,\n cvss_vector,\n scope,\n confidentiality_impact,\n exploitability_score,\n products,\n technologies,\n vendors,\n ProviderName,\n ProductName,\n servers,\n NetworkIPs,\n vulnerability_type,\n vulnerability_category\n )\n by name\n| where confidence_score >= 80 and vulnerability_category != 'ATTACK_SURFACE_VULNERABILITY' and TimeGenerated between (ago(timeFrame) .. now())\n| project \n TimeGenerated,\n name,\n confidence_score,\n integrity_impact,\n attack_complexity,\n cvss_score,\n impact_score,\n attack_vector,\n UID = id,\n description,\n created,\n modified,\n privileges_required,\n cvss_version,\n user_interaction,\n cvss_vector,\n scope,\n confidentiality_impact,\n exploitability_score,\n products,\n technologies,\n vendors,\n ProviderName,\n ProductName,\n servers,\n NetworkIPs,\n vulnerability_type,\n vulnerability_category\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"subTechniques": [
"T1548.002",
"T1021.002"
],
"suppressionDuration": "PT5M",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess",
"DefenseEvasion",
"Execution",
"InitialAccess",
"LateralMovement",
"PrivilegeEscalation"
],
"techniques": [
"T1003",
"T1021",
"T1059",
"T1068",
"T1133",
"T1190",
"T1203",
"T1210",
"T1548",
"T1553"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}