CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule
| Id | 28e315a3-725d-4261-a6c2-e597d51541f4 |
| Rulename | CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule |
| Description | “This rule triggers when CYFIRMA detects source code related to internal or enterprise domains exposed on public platforms like GitHub. Such exposure may lead to intellectual property leakage or help adversaries understand internal systems, increasing the risk of targeted attacks.” |
| Severity | Medium |
| Tactics | ResourceDevelopment CredentialAccess Discovery |
| Techniques | T1587.001 T1606.001 T1082 |
| Required data connectors | CyfirmaDigitalRiskAlertsConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESourceCodeExposureMediumRule.yaml |
| Version | 1.0.1 |
| Arm template | 28e315a3-725d-4261-a6c2-e597d51541f4.json |
// Medium severity - Social and Public Exposure - Source Code Exposure on Public Repositories
let timeFrame = 5m;
CyfirmaSPESourceCodeAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=signature,
Source=source,
Impact=impact,
Recommendation=recommendation,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT',
AlertTitle=Alert_title
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Impact,
ProductName,
ProviderName,
AlertTitle
kind: Scheduled
customDetails:
AssetType: AssetType
UID: UID
AssetValue: AssetValue
Description: Description
RiskScore: RiskScore
TimeGenerated: TimeGenerated
AlertUID: AlertUID
Impact: Impact
FirstSeen: FirstSeen
LastSeen: LastSeen
alertDetailsOverride:
alertDisplayNameFormat: 'CYFIRMA Medium Severity Alert - Source Code Exposure on Public Repositories - {{AlertTitle}} '
alertDescriptionFormat: '{{Description}} '
alertDynamicProperties:
- value: ProductName
alertProperty: ProductName
- value: ProviderName
alertProperty: ProviderName
description: |
"This rule triggers when CYFIRMA detects source code related to internal or enterprise domains exposed on public platforms like GitHub.
Such exposure may lead to intellectual property leakage or help adversaries understand internal systems, increasing the risk of targeted attacks."
severity: Medium
queryFrequency: 5m
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: PT5H
enabled: false
createIncident: true
triggerThreshold: 0
relevantTechniques:
- T1587.001
- T1606.001
- T1082
eventGroupingSettings:
aggregationKind: AlertPerResult
status: Available
version: 1.0.1
name: CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule
id: 28e315a3-725d-4261-a6c2-e597d51541f4
query: |
// Medium severity - Social and Public Exposure - Source Code Exposure on Public Repositories
let timeFrame = 5m;
CyfirmaSPESourceCodeAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=signature,
Source=source,
Impact=impact,
Recommendation=recommendation,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT',
AlertTitle=Alert_title
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Impact,
ProductName,
ProviderName,
AlertTitle
requiredDataConnectors:
- dataTypes:
- CyfirmaSPESourceCodeAlerts_CL
connectorId: CyfirmaDigitalRiskAlertsConnector
tactics:
- ResourceDevelopment
- CredentialAccess
- Discovery
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESourceCodeExposureMediumRule.yaml
queryPeriod: 5m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/28e315a3-725d-4261-a6c2-e597d51541f4')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/28e315a3-725d-4261-a6c2-e597d51541f4')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{Description}} ",
"alertDisplayNameFormat": "CYFIRMA Medium Severity Alert - Source Code Exposure on Public Repositories - {{AlertTitle}} ",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "28e315a3-725d-4261-a6c2-e597d51541f4",
"customDetails": {
"AlertUID": "AlertUID",
"AssetType": "AssetType",
"AssetValue": "AssetValue",
"Description": "Description",
"FirstSeen": "FirstSeen",
"Impact": "Impact",
"LastSeen": "LastSeen",
"RiskScore": "RiskScore",
"TimeGenerated": "TimeGenerated",
"UID": "UID"
},
"description": "\"This rule triggers when CYFIRMA detects source code related to internal or enterprise domains exposed on public platforms like GitHub. \nSuch exposure may lead to intellectual property leakage or help adversaries understand internal systems, increasing the risk of targeted attacks.\"\n",
"displayName": "CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule",
"enabled": true,
"entityMappings": null,
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESourceCodeExposureMediumRule.yaml",
"query": "// Medium severity - Social and Public Exposure - Source Code Exposure on Public Repositories\nlet timeFrame = 5m;\nCyfirmaSPESourceCodeAlerts_CL\n| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n Description=description,\n FirstSeen=first_seen,\n LastSeen=last_seen,\n RiskScore=risk_score,\n AlertUID=alert_uid,\n UID=uid,\n AssetType=asset_type,\n AssetValue=signature,\n Source=source,\n Impact=impact,\n Recommendation=recommendation,\n ProviderName='CYFIRMA',\n ProductName='DeCYFIR/DeTCT',\n AlertTitle=Alert_title\n| project\n TimeGenerated,\n Description,\n RiskScore,\n FirstSeen,\n LastSeen,\n AlertUID,\n UID,\n AssetType,\n AssetValue,\n Impact,\n ProductName,\n ProviderName,\n AlertTitle\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"status": "Available",
"subTechniques": [
"T1587.001",
"T1606.001"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess",
"Discovery",
"ResourceDevelopment"
],
"techniques": [
"T1082",
"T1587",
"T1606"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}