CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule
| Id | 28e315a3-725d-4261-a6c2-e597d51541f4 |
| Rulename | CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule |
| Description | “This rule triggers when CYFIRMA detects source code related to internal or enterprise domains exposed on public platforms like GitHub. Such exposure may lead to intellectual property leakage or help adversaries understand internal systems, increasing the risk of targeted attacks.” |
| Severity | Medium |
| Tactics | ResourceDevelopment CredentialAccess Discovery |
| Techniques | T1587.001 T1606.001 T1082 |
| Required data connectors | CyfirmaDigitalRiskAlertsConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESourceCodeExposureMediumRule.yaml |
| Version | 1.0.0 |
| Arm template | 28e315a3-725d-4261-a6c2-e597d51541f4.json |
// Medium severity - Social and Public Exposure - Source Code Exposure on Public Repositories
let timeFrame = 5m;
CyfirmaSPESourceCodeAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=signature,
Source=source,
Impact=impact,
Recommendation=recommendation,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT',
AlertTitle=Alert_title
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Impact,
ProductName,
ProviderName,
AlertTitle
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESourceCodeExposureMediumRule.yaml
triggerThreshold: 0
severity: Medium
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: 5h
enabled: false
matchingMethod: AllEntities
reopenClosedIncident: false
queryFrequency: 5m
status: Available
customDetails:
TimeGenerated: TimeGenerated
LastSeen: LastSeen
FirstSeen: FirstSeen
Description: Description
AlertUID: AlertUID
AssetType: AssetType
Impact: Impact
AssetValue: AssetValue
UID: UID
RiskScore: RiskScore
relevantTechniques:
- T1587.001
- T1606.001
- T1082
alertDetailsOverride:
alertDisplayNameFormat: 'CYFIRMA Medium Severity Alert - Source Code Exposure on Public Repositories - {{AlertTitle}} '
alertDescriptionFormat: '{{Description}} '
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
triggerOperator: gt
id: 28e315a3-725d-4261-a6c2-e597d51541f4
requiredDataConnectors:
- connectorId: CyfirmaDigitalRiskAlertsConnector
dataTypes:
- CyfirmaSPESourceCodeAlerts_CL
version: 1.0.0
name: CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule
eventGroupingSettings:
aggregationKind: AlertPerResult
description: |
"This rule triggers when CYFIRMA detects source code related to internal or enterprise domains exposed on public platforms like GitHub.
Such exposure may lead to intellectual property leakage or help adversaries understand internal systems, increasing the risk of targeted attacks."
query: |
// Medium severity - Social and Public Exposure - Source Code Exposure on Public Repositories
let timeFrame = 5m;
CyfirmaSPESourceCodeAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=signature,
Source=source,
Impact=impact,
Recommendation=recommendation,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT',
AlertTitle=Alert_title
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Impact,
ProductName,
ProviderName,
AlertTitle
tactics:
- ResourceDevelopment
- CredentialAccess
- Discovery
queryPeriod: 5m
kind: Scheduled
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/28e315a3-725d-4261-a6c2-e597d51541f4')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/28e315a3-725d-4261-a6c2-e597d51541f4')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{Description}} ",
"alertDisplayNameFormat": "CYFIRMA Medium Severity Alert - Source Code Exposure on Public Repositories - {{AlertTitle}} ",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "28e315a3-725d-4261-a6c2-e597d51541f4",
"customDetails": {
"AlertUID": "AlertUID",
"AssetType": "AssetType",
"AssetValue": "AssetValue",
"Description": "Description",
"FirstSeen": "FirstSeen",
"Impact": "Impact",
"LastSeen": "LastSeen",
"RiskScore": "RiskScore",
"TimeGenerated": "TimeGenerated",
"UID": "UID"
},
"description": "\"This rule triggers when CYFIRMA detects source code related to internal or enterprise domains exposed on public platforms like GitHub. \nSuch exposure may lead to intellectual property leakage or help adversaries understand internal systems, increasing the risk of targeted attacks.\"\n",
"displayName": "CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule",
"enabled": true,
"entityMappings": null,
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESourceCodeExposureMediumRule.yaml",
"query": "// Medium severity - Social and Public Exposure - Source Code Exposure on Public Repositories\nlet timeFrame = 5m;\nCyfirmaSPESourceCodeAlerts_CL\n| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n Description=description,\n FirstSeen=first_seen,\n LastSeen=last_seen,\n RiskScore=risk_score,\n AlertUID=alert_uid,\n UID=uid,\n AssetType=asset_type,\n AssetValue=signature,\n Source=source,\n Impact=impact,\n Recommendation=recommendation,\n ProviderName='CYFIRMA',\n ProductName='DeCYFIR/DeTCT',\n AlertTitle=Alert_title\n| project\n TimeGenerated,\n Description,\n RiskScore,\n FirstSeen,\n LastSeen,\n AlertUID,\n UID,\n AssetType,\n AssetValue,\n Impact,\n ProductName,\n ProviderName,\n AlertTitle\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"status": "Available",
"subTechniques": [
"T1587.001",
"T1606.001"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess",
"Discovery",
"ResourceDevelopment"
],
"techniques": [
"T1082",
"T1587",
"T1606"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}