Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - High Severity Asset based Vulnerabilities Rule Alert

Back
Id123fad02-6d9e-439e-8241-7a2fffa7e0a5
RulenameCYFIRMA - High Severity Asset based Vulnerabilities Rule Alert
Description“This rule detects high severity asset-based vulnerabilities from CYFIRMA’s vulnerability intelligence data.

It identifies vulnerabilities with a confidence score of 80 or higher, excluding those categorized as ‘ATTACK_SURFACE_VULNERABILITY’, and generates alerts for assets that may be at risk.”
SeverityHigh
TacticsExecution
LateralMovement
PrivilegeEscalation
InitialAccess
CredentialAccess
DefenseEvasion
TechniquesT1059
T1203
T1210
T1068
T1190
T1133
T1003
T1553
T1548.002
T1021.002
Required data connectorsCyfirmaVulnerabilitiesIntelDC
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Vulnerabilities Intel/Analytic Rules/AssetVulnerabilitiesHighSeverityRule.yaml
Version1.0.1
Arm template123fad02-6d9e-439e-8241-7a2fffa7e0a5.json
Deploy To Azure
// High severity - Asset based Vulnerabilities
let timeFrame = 5m;
CyfirmaVulnerabilities_CL
| extend parsed = parse_json(extensions)
| extend extensionKeys = bag_keys(parsed)
| mv-expand extensionKeys
| extend extensionKeyStr = tostring(extensionKeys)
| extend ext = parsed[extensionKeyStr]
| extend props = ext.properties
| extend 
    attack_complexity         = tostring(props.attack_complexity),
    cvss_score                = toreal(props.cvss_score),
    integrity_impact          = tostring(props.integrity_impact),
    impact_score              = tostring(props.impact_score),
    attack_vector             = tostring(props.attack_vector),
    privileges_required       = tostring(props.privileges_required),
    cvss_version              = tostring(props.cvss_version),
    user_interaction          = tostring(props.user_interaction),
    cvss_vector               = tostring(props.cvss_vector),
    scope                     = tostring(props.scope),
    confidentiality_impact    = tostring(props.confidentiality_impact),
    exploitability_score      = toreal(props.exploitability_score),
    products                  = tostring(props.products),
    technologies              = tostring(props.technologies),
    vendors                   = tostring(props.vendors),
    confidence_score          = toint(confidence),
    servers                   = tostring(props.servers),
    vulnerability_type        = tostring(props.vulnerability_type),
    vulnerability_category        = tostring(props.vulnerability_category),
    NetworkIPs                = tostring(props.ips),
    ProviderName              ='CYFIRMA',
    ProductName               ='DeCYFIR/DeTCT'
| summarize arg_max(
                integrity_impact,
                TimeGenerated, 
                id,
                description,
                confidence_score,
                created,
                modified,
                attack_complexity,
                cvss_score,
                impact_score,
                attack_vector,
                privileges_required,
                cvss_version,
                user_interaction,
                cvss_vector,
                scope,
                confidentiality_impact,
                exploitability_score,
                products,
                technologies,
                vendors,
                ProviderName,
                ProductName,
                servers,
                NetworkIPs,
                vulnerability_type,
                vulnerability_category
            )
    by name
| where confidence_score >= 80 and vulnerability_category != 'ATTACK_SURFACE_VULNERABILITY' and TimeGenerated between (ago(timeFrame) .. now())
| project 
    TimeGenerated,
    name,
    confidence_score,
    integrity_impact,
    attack_complexity,
    cvss_score,
    impact_score,
    attack_vector,
    UID = id,
    description,
    created,
    modified,
    privileges_required,
    cvss_version,
    user_interaction,
    cvss_vector,
    scope,
    confidentiality_impact,
    exploitability_score,
    products,
    technologies,
    vendors,
    ProviderName,
    ProductName,
    servers,
    NetworkIPs,
    vulnerability_type,
    vulnerability_category
name: CYFIRMA - High Severity Asset based Vulnerabilities Rule Alert
eventGroupingSettings:
  aggregationKind: AlertPerResult
suppressionEnabled: false
tactics:
- Execution
- LateralMovement
- PrivilegeEscalation
- InitialAccess
- CredentialAccess
- DefenseEvasion
id: 123fad02-6d9e-439e-8241-7a2fffa7e0a5
alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDisplayNameFormat: 'CYFIRMA - High Severity Asset based Vulnerability Identified - {{name}} '
  alertDescriptionFormat: '{{description}} '
requiredDataConnectors:
- connectorId: CyfirmaVulnerabilitiesIntelDC
  dataTypes:
  - CyfirmaVulnerabilities_CL
kind: Scheduled
triggerThreshold: 0
version: 1.0.1
description: |
  "This rule detects high severity asset-based vulnerabilities from CYFIRMA's vulnerability intelligence data. 
  It identifies vulnerabilities with a confidence score of 80 or higher, excluding those categorized as 'ATTACK_SURFACE_VULNERABILITY', and generates alerts for assets that may be at risk."  
severity: High
relevantTechniques:
- T1059
- T1203
- T1210
- T1068
- T1190
- T1133
- T1003
- T1553
- T1548.002
- T1021.002
enabled: false
queryPeriod: 5m
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
suppressionDuration: 5m
customDetails:
  CVSSVersion: cvss_version
  CVSSScore: cvss_score
  CVSSVector: cvss_vector
  ConfidentialImpact: confidentiality_impact
  UserInteraction: user_interaction
  ImpactScore: impact_score
  ExploitabilityScore: exploitability_score
  AttackComplexity: attack_complexity
  CVE: name
  Modified: modified
  Technologies: technologies
  Products: products
  IntegrityImpact: integrity_impact
  Vendors: vendors
  scope: scope
  TimeGenerated: TimeGenerated
  AttackVector: attack_vector
  ConfidenceScore: confidence_score
  PrivilegesRequired: privileges_required
queryFrequency: 5m
triggerOperator: GreaterThan
query: |
  // High severity - Asset based Vulnerabilities
  let timeFrame = 5m;
  CyfirmaVulnerabilities_CL
  | extend parsed = parse_json(extensions)
  | extend extensionKeys = bag_keys(parsed)
  | mv-expand extensionKeys
  | extend extensionKeyStr = tostring(extensionKeys)
  | extend ext = parsed[extensionKeyStr]
  | extend props = ext.properties
  | extend 
      attack_complexity         = tostring(props.attack_complexity),
      cvss_score                = toreal(props.cvss_score),
      integrity_impact          = tostring(props.integrity_impact),
      impact_score              = tostring(props.impact_score),
      attack_vector             = tostring(props.attack_vector),
      privileges_required       = tostring(props.privileges_required),
      cvss_version              = tostring(props.cvss_version),
      user_interaction          = tostring(props.user_interaction),
      cvss_vector               = tostring(props.cvss_vector),
      scope                     = tostring(props.scope),
      confidentiality_impact    = tostring(props.confidentiality_impact),
      exploitability_score      = toreal(props.exploitability_score),
      products                  = tostring(props.products),
      technologies              = tostring(props.technologies),
      vendors                   = tostring(props.vendors),
      confidence_score          = toint(confidence),
      servers                   = tostring(props.servers),
      vulnerability_type        = tostring(props.vulnerability_type),
      vulnerability_category        = tostring(props.vulnerability_category),
      NetworkIPs                = tostring(props.ips),
      ProviderName              ='CYFIRMA',
      ProductName               ='DeCYFIR/DeTCT'
  | summarize arg_max(
                  integrity_impact,
                  TimeGenerated, 
                  id,
                  description,
                  confidence_score,
                  created,
                  modified,
                  attack_complexity,
                  cvss_score,
                  impact_score,
                  attack_vector,
                  privileges_required,
                  cvss_version,
                  user_interaction,
                  cvss_vector,
                  scope,
                  confidentiality_impact,
                  exploitability_score,
                  products,
                  technologies,
                  vendors,
                  ProviderName,
                  ProductName,
                  servers,
                  NetworkIPs,
                  vulnerability_type,
                  vulnerability_category
              )
      by name
  | where confidence_score >= 80 and vulnerability_category != 'ATTACK_SURFACE_VULNERABILITY' and TimeGenerated between (ago(timeFrame) .. now())
  | project 
      TimeGenerated,
      name,
      confidence_score,
      integrity_impact,
      attack_complexity,
      cvss_score,
      impact_score,
      attack_vector,
      UID = id,
      description,
      created,
      modified,
      privileges_required,
      cvss_version,
      user_interaction,
      cvss_vector,
      scope,
      confidentiality_impact,
      exploitability_score,
      products,
      technologies,
      vendors,
      ProviderName,
      ProductName,
      servers,
      NetworkIPs,
      vulnerability_type,
      vulnerability_category  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Vulnerabilities Intel/Analytic Rules/AssetVulnerabilitiesHighSeverityRule.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/123fad02-6d9e-439e-8241-7a2fffa7e0a5')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/123fad02-6d9e-439e-8241-7a2fffa7e0a5')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{description}} ",
          "alertDisplayNameFormat": "CYFIRMA - High Severity Asset based Vulnerability Identified - {{name}} ",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "123fad02-6d9e-439e-8241-7a2fffa7e0a5",
        "customDetails": {
          "AttackComplexity": "attack_complexity",
          "AttackVector": "attack_vector",
          "ConfidenceScore": "confidence_score",
          "ConfidentialImpact": "confidentiality_impact",
          "CVE": "name",
          "CVSSScore": "cvss_score",
          "CVSSVector": "cvss_vector",
          "CVSSVersion": "cvss_version",
          "ExploitabilityScore": "exploitability_score",
          "ImpactScore": "impact_score",
          "IntegrityImpact": "integrity_impact",
          "Modified": "modified",
          "PrivilegesRequired": "privileges_required",
          "Products": "products",
          "scope": "scope",
          "Technologies": "technologies",
          "TimeGenerated": "TimeGenerated",
          "UserInteraction": "user_interaction",
          "Vendors": "vendors"
        },
        "description": "\"This rule detects high severity asset-based vulnerabilities from CYFIRMA's vulnerability intelligence data. \nIt identifies vulnerabilities with a confidence score of 80 or higher, excluding those categorized as 'ATTACK_SURFACE_VULNERABILITY', and generates alerts for assets that may be at risk.\"\n",
        "displayName": "CYFIRMA - High Severity Asset based Vulnerabilities Rule Alert",
        "enabled": false,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Vulnerabilities Intel/Analytic Rules/AssetVulnerabilitiesHighSeverityRule.yaml",
        "query": "// High severity - Asset based Vulnerabilities\nlet timeFrame = 5m;\nCyfirmaVulnerabilities_CL\n| extend parsed = parse_json(extensions)\n| extend extensionKeys = bag_keys(parsed)\n| mv-expand extensionKeys\n| extend extensionKeyStr = tostring(extensionKeys)\n| extend ext = parsed[extensionKeyStr]\n| extend props = ext.properties\n| extend \n    attack_complexity         = tostring(props.attack_complexity),\n    cvss_score                = toreal(props.cvss_score),\n    integrity_impact          = tostring(props.integrity_impact),\n    impact_score              = tostring(props.impact_score),\n    attack_vector             = tostring(props.attack_vector),\n    privileges_required       = tostring(props.privileges_required),\n    cvss_version              = tostring(props.cvss_version),\n    user_interaction          = tostring(props.user_interaction),\n    cvss_vector               = tostring(props.cvss_vector),\n    scope                     = tostring(props.scope),\n    confidentiality_impact    = tostring(props.confidentiality_impact),\n    exploitability_score      = toreal(props.exploitability_score),\n    products                  = tostring(props.products),\n    technologies              = tostring(props.technologies),\n    vendors                   = tostring(props.vendors),\n    confidence_score          = toint(confidence),\n    servers                   = tostring(props.servers),\n    vulnerability_type        = tostring(props.vulnerability_type),\n    vulnerability_category        = tostring(props.vulnerability_category),\n    NetworkIPs                = tostring(props.ips),\n    ProviderName              ='CYFIRMA',\n    ProductName               ='DeCYFIR/DeTCT'\n| summarize arg_max(\n                integrity_impact,\n                TimeGenerated, \n                id,\n                description,\n                confidence_score,\n                created,\n                modified,\n                attack_complexity,\n                cvss_score,\n                impact_score,\n                attack_vector,\n                privileges_required,\n                cvss_version,\n                user_interaction,\n                cvss_vector,\n                scope,\n                confidentiality_impact,\n                exploitability_score,\n                products,\n                technologies,\n                vendors,\n                ProviderName,\n                ProductName,\n                servers,\n                NetworkIPs,\n                vulnerability_type,\n                vulnerability_category\n            )\n    by name\n| where confidence_score >= 80 and vulnerability_category != 'ATTACK_SURFACE_VULNERABILITY' and TimeGenerated between (ago(timeFrame) .. now())\n| project \n    TimeGenerated,\n    name,\n    confidence_score,\n    integrity_impact,\n    attack_complexity,\n    cvss_score,\n    impact_score,\n    attack_vector,\n    UID = id,\n    description,\n    created,\n    modified,\n    privileges_required,\n    cvss_version,\n    user_interaction,\n    cvss_vector,\n    scope,\n    confidentiality_impact,\n    exploitability_score,\n    products,\n    technologies,\n    vendors,\n    ProviderName,\n    ProductName,\n    servers,\n    NetworkIPs,\n    vulnerability_type,\n    vulnerability_category\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "subTechniques": [
          "T1548.002",
          "T1021.002"
        ],
        "suppressionDuration": "PT5M",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "DefenseEvasion",
          "Execution",
          "InitialAccess",
          "LateralMovement",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1003",
          "T1021",
          "T1059",
          "T1068",
          "T1133",
          "T1190",
          "T1203",
          "T1210",
          "T1548",
          "T1553"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}