CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule

// Medium severity - Social and Public Exposure - Source Code Exposure on Public Repositories
let timeFrame = 5m;
CyfirmaSPESourceCodeAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Source=source,
    Impact=impact,
    Recommendation=recommendation,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Impact,
    ProductName,
    ProviderName,
    AlertTitle

query: |
  // Medium severity - Social and Public Exposure - Source Code Exposure on Public Repositories
  let timeFrame = 5m;
  CyfirmaSPESourceCodeAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact=impact,
      Recommendation=recommendation,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Impact,
      ProductName,
      ProviderName,
      AlertTitle  
status: Available
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESourceCodeExposureMediumRule.yaml
requiredDataConnectors:
- dataTypes:
  - CyfirmaSPESourceCodeAlerts_CL
  connectorId: CyfirmaDigitalRiskAlertsConnector
alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDisplayNameFormat: 'CYFIRMA Medium Severity Alert - Source Code Exposure on Public Repositories - {{AlertTitle}} '
  alertDescriptionFormat: '{{Description}} '
id: 28e315a3-725d-4261-a6c2-e597d51541f4
tactics:
- ResourceDevelopment
- CredentialAccess
- Discovery
queryPeriod: 5m
queryFrequency: 5m
customDetails:
  AlertUID: AlertUID
  FirstSeen: FirstSeen
  UID: UID
  AssetType: AssetType
  Impact: Impact
  AssetValue: AssetValue
  Description: Description
  RiskScore: RiskScore
  LastSeen: LastSeen
  TimeGenerated: TimeGenerated
triggerOperator: gt
triggerThreshold: 0
severity: Medium
relevantTechniques:
- T1587.001
- T1606.001
- T1082
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
kind: Scheduled
name: CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule
description: |
  "This rule triggers when CYFIRMA detects source code related to internal or enterprise domains exposed on public platforms like GitHub. 
  Such exposure may lead to intellectual property leakage or help adversaries understand internal systems, increasing the risk of targeted attacks."