CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule

// Medium severity - Social and Public Exposure - Source Code Exposure on Public Repositories
let timeFrame = 5m;
CyfirmaSPESourceCodeAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Source=source,
    Impact=impact,
    Recommendation=recommendation,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Impact,
    ProductName,
    ProviderName,
    AlertTitle

relevantTechniques:
- T1587.001
- T1606.001
- T1082
customDetails:
  LastSeen: LastSeen
  FirstSeen: FirstSeen
  Description: Description
  AssetValue: AssetValue
  RiskScore: RiskScore
  TimeGenerated: TimeGenerated
  AssetType: AssetType
  UID: UID
  AlertUID: AlertUID
  Impact: Impact
kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
tactics:
- ResourceDevelopment
- CredentialAccess
- Discovery
version: 1.0.1
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESourceCodeExposureMediumRule.yaml
id: 28e315a3-725d-4261-a6c2-e597d51541f4
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
    reopenClosedIncident: false
queryFrequency: 5m
query: |
  // Medium severity - Social and Public Exposure - Source Code Exposure on Public Repositories
  let timeFrame = 5m;
  CyfirmaSPESourceCodeAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact=impact,
      Recommendation=recommendation,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Impact,
      ProductName,
      ProviderName,
      AlertTitle  
requiredDataConnectors:
- connectorId: CyfirmaDigitalRiskAlertsConnector
  dataTypes:
  - CyfirmaSPESourceCodeAlerts_CL
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA Medium Severity Alert - Source Code Exposure on Public Repositories - {{AlertTitle}} '
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
  alertDescriptionFormat: '{{Description}} '
description: |
  "This rule triggers when CYFIRMA detects source code related to internal or enterprise domains exposed on public platforms like GitHub. 
  Such exposure may lead to intellectual property leakage or help adversaries understand internal systems, increasing the risk of targeted attacks."  
status: Available
name: CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule
severity: Medium
queryPeriod: 5m