CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule

// Medium severity - Social and Public Exposure - Source Code Exposure on Public Repositories
let timeFrame = 5m;
CyfirmaSPESourceCodeAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Source=source,
    Impact=impact,
    Recommendation=recommendation,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Impact,
    ProductName,
    ProviderName,
    AlertTitle

name: CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule
id: 28e315a3-725d-4261-a6c2-e597d51541f4
query: |
  // Medium severity - Social and Public Exposure - Source Code Exposure on Public Repositories
  let timeFrame = 5m;
  CyfirmaSPESourceCodeAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact=impact,
      Recommendation=recommendation,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Impact,
      ProductName,
      ProviderName,
      AlertTitle  
relevantTechniques:
- T1587.001
- T1606.001
- T1082
description: |
  "This rule triggers when CYFIRMA detects source code related to internal or enterprise domains exposed on public platforms like GitHub. 
  Such exposure may lead to intellectual property leakage or help adversaries understand internal systems, increasing the risk of targeted attacks."  
queryPeriod: 5m
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H
  createIncident: true
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESourceCodeExposureMediumRule.yaml
kind: Scheduled
triggerOperator: gt
severity: Medium
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA Medium Severity Alert - Source Code Exposure on Public Repositories - {{AlertTitle}} '
  alertDescriptionFormat: '{{Description}} '
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
version: 1.0.1
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 5m
tactics:
- ResourceDevelopment
- CredentialAccess
- Discovery
customDetails:
  UID: UID
  FirstSeen: FirstSeen
  TimeGenerated: TimeGenerated
  AlertUID: AlertUID
  RiskScore: RiskScore
  Impact: Impact
  Description: Description
  AssetType: AssetType
  LastSeen: LastSeen
  AssetValue: AssetValue
triggerThreshold: 0
requiredDataConnectors:
- connectorId: CyfirmaDigitalRiskAlertsConnector
  dataTypes:
  - CyfirmaSPESourceCodeAlerts_CL