Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Attack Surface - Configuration High Rule

Back
Id30206b45-75d2-4c6a-87c5-f0861c1f2870
RulenameCYFIRMA - Attack Surface - Configuration High Rule
DescriptionThis alert is generated when CYFIRMA detects a critical misconfiguration in a public-facing asset or service.

Such misconfigurations may include exposed admin interfaces, default credentials, open directory listings, or insecure protocols, which significantly increase the attack surface."
SeverityHigh
TacticsInitialAccess
Discovery
persistence
Execution
DefenseEvasion
CredentialAccess
Collection
Reconnaissance
TechniquesT1190
T1087
T1046
T1136
T1059
T1566
T1070
T1027
T1505
T1555
T1114
T1595
Required data connectorsCyfirmaAttackSurfaceAlertsConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASConfigurationsHighRule.yaml
Version1.0.0
Arm template30206b45-75d2-4c6a-87c5-f0861c1f2870.json
Deploy To Azure
// High Severity - Attack Surface - Misconfiguration Detected
let timeFrame = 5m;
CyfirmaASConfigurationAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    Domain=sub_domain,
    TopDomain=top_domain,
    NetworkIP=ip,
    AlertUID=alert_uid,
    UID=uid,
    Softwares=software,
    WebAppFirewall=web_app_firewall,
    ClickJackingDefence=click_jacking_defence,
    ContentSecurityPolicy=content_security_policy,
    CookieXssProtection=cookie_xss_protection,
    DataInjectionDefence=data_injection_defence,
    DomainStatus=domain_status,
    MissingEPPCodes=missing_epp_codes,
    SecureCookie=secure_cookie,
    SetCookieHttpsOnly=set_cookie_https_only,
    XFrameOptions=x_frame_options,
    X_XssProtection=x_xss_protection,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT'
| project
    TimeGenerated,
    Description,
    Domain,
    TopDomain,
    RiskScore,
    FirstSeen,
    LastSeen,
    NetworkIP,
    AlertUID,
    UID,
    Softwares,
    WebAppFirewall,
    ClickJackingDefence,
    ContentSecurityPolicy,
    CookieXssProtection,
    DataInjectionDefence,
    DomainStatus,
    MissingEPPCodes,
    SecureCookie,
    SetCookieHttpsOnly,
    XFrameOptions,
    X_XssProtection,
    ProviderName,
    ProductName
status: Available
relevantTechniques:
- T1190
- T1087
- T1046
- T1136
- T1059
- T1566
- T1070
- T1027
- T1505
- T1555
- T1114
- T1595
description: |
  This alert is generated when CYFIRMA detects a critical misconfiguration in a public-facing asset or service. 
  Such misconfigurations may include exposed admin interfaces, default credentials, open directory listings, or insecure protocols, which significantly increase the attack surface."  
queryPeriod: 5m
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASConfigurationsHighRule.yaml
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - High Risk Misconfiguration Identified in Assets - Domain: {{Domain}} , IP: {{NetworkIP}} '
  alertDescriptionFormat: 'CYFIRMA - High Risk Misconfiguration Identified in Assets - {{Description}} '
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
query: |
  // High Severity - Attack Surface - Misconfiguration Detected
  let timeFrame = 5m;
  CyfirmaASConfigurationAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      Domain=sub_domain,
      TopDomain=top_domain,
      NetworkIP=ip,
      AlertUID=alert_uid,
      UID=uid,
      Softwares=software,
      WebAppFirewall=web_app_firewall,
      ClickJackingDefence=click_jacking_defence,
      ContentSecurityPolicy=content_security_policy,
      CookieXssProtection=cookie_xss_protection,
      DataInjectionDefence=data_injection_defence,
      DomainStatus=domain_status,
      MissingEPPCodes=missing_epp_codes,
      SecureCookie=secure_cookie,
      SetCookieHttpsOnly=set_cookie_https_only,
      XFrameOptions=x_frame_options,
      X_XssProtection=x_xss_protection,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      Domain,
      TopDomain,
      RiskScore,
      FirstSeen,
      LastSeen,
      NetworkIP,
      AlertUID,
      UID,
      Softwares,
      WebAppFirewall,
      ClickJackingDefence,
      ContentSecurityPolicy,
      CookieXssProtection,
      DataInjectionDefence,
      DomainStatus,
      MissingEPPCodes,
      SecureCookie,
      SetCookieHttpsOnly,
      XFrameOptions,
      X_XssProtection,
      ProviderName,
      ProductName  
version: 1.0.0
id: 30206b45-75d2-4c6a-87c5-f0861c1f2870
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    lookbackDuration: 5h
    matchingMethod: AllEntities
    reopenClosedIncident: false
tactics:
- InitialAccess
- Discovery
- persistence
- Execution
- DefenseEvasion
- CredentialAccess
- Collection
- Reconnaissance
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- fieldMappings:
  - identifier: DomainName
    columnName: Domain
  entityType: DNS
- fieldMappings:
  - identifier: HostName
    columnName: TopDomain
  - identifier: DnsDomain
    columnName: Domain
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: NetworkIP
  entityType: IP
requiredDataConnectors:
- dataTypes:
  - CyfirmaASConfigurationAlerts_CL
  connectorId: CyfirmaAttackSurfaceAlertsConnector
name: CYFIRMA - Attack Surface - Configuration High Rule
severity: High
customDetails:
  LastSeen: LastSeen
  CookieXssProtection: CookieXssProtection
  SetCookieHttpsOnly: SetCookieHttpsOnly
  UID: UID
  AlertUID: AlertUID
  TimeGenerated: TimeGenerated
  SecureCookie: SecureCookie
  XFrameOptions: XFrameOptions
  RiskScore: RiskScore
  FirstSeen: FirstSeen
  SecurityPolicy: ContentSecurityPolicy
  ClickJackingDefence: ClickJackingDefence
  MissingEPPCodes: MissingEPPCodes
  InjectionDefence: DataInjectionDefence
  WebAppFirewall: WebAppFirewall
  Softwares: Softwares
  DomainStatus: DomainStatus
  X_XssProtection: X_XssProtection
triggerOperator: gt
triggerThreshold: 0
queryFrequency: 5m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/30206b45-75d2-4c6a-87c5-f0861c1f2870')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/30206b45-75d2-4c6a-87c5-f0861c1f2870')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "CYFIRMA - High Risk Misconfiguration Identified in Assets - {{Description}} ",
          "alertDisplayNameFormat": "CYFIRMA - High Risk Misconfiguration Identified in Assets - Domain: {{Domain}} , IP: {{NetworkIP}} ",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "30206b45-75d2-4c6a-87c5-f0861c1f2870",
        "customDetails": {
          "AlertUID": "AlertUID",
          "ClickJackingDefence": "ClickJackingDefence",
          "CookieXssProtection": "CookieXssProtection",
          "DomainStatus": "DomainStatus",
          "FirstSeen": "FirstSeen",
          "InjectionDefence": "DataInjectionDefence",
          "LastSeen": "LastSeen",
          "MissingEPPCodes": "MissingEPPCodes",
          "RiskScore": "RiskScore",
          "SecureCookie": "SecureCookie",
          "SecurityPolicy": "ContentSecurityPolicy",
          "SetCookieHttpsOnly": "SetCookieHttpsOnly",
          "Softwares": "Softwares",
          "TimeGenerated": "TimeGenerated",
          "UID": "UID",
          "WebAppFirewall": "WebAppFirewall",
          "X_XssProtection": "X_XssProtection",
          "XFrameOptions": "XFrameOptions"
        },
        "description": "This alert is generated when CYFIRMA detects a critical misconfiguration in a public-facing asset or service. \nSuch misconfigurations may include exposed admin interfaces, default credentials, open directory listings, or insecure protocols, which significantly increase the attack surface.\"\n",
        "displayName": "CYFIRMA - Attack Surface - Configuration High Rule",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "Domain",
                "identifier": "DomainName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "TopDomain",
                "identifier": "HostName"
              },
              {
                "columnName": "Domain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "NetworkIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASConfigurationsHighRule.yaml",
        "query": "// High Severity - Attack Surface - Misconfiguration Detected\nlet timeFrame = 5m;\nCyfirmaASConfigurationAlerts_CL\n| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n    Description=description,\n    FirstSeen=first_seen,\n    LastSeen=last_seen,\n    RiskScore=risk_score,\n    Domain=sub_domain,\n    TopDomain=top_domain,\n    NetworkIP=ip,\n    AlertUID=alert_uid,\n    UID=uid,\n    Softwares=software,\n    WebAppFirewall=web_app_firewall,\n    ClickJackingDefence=click_jacking_defence,\n    ContentSecurityPolicy=content_security_policy,\n    CookieXssProtection=cookie_xss_protection,\n    DataInjectionDefence=data_injection_defence,\n    DomainStatus=domain_status,\n    MissingEPPCodes=missing_epp_codes,\n    SecureCookie=secure_cookie,\n    SetCookieHttpsOnly=set_cookie_https_only,\n    XFrameOptions=x_frame_options,\n    X_XssProtection=x_xss_protection,\n    ProviderName='CYFIRMA',\n    ProductName='DeCYFIR/DeTCT'\n| project\n    TimeGenerated,\n    Description,\n    Domain,\n    TopDomain,\n    RiskScore,\n    FirstSeen,\n    LastSeen,\n    NetworkIP,\n    AlertUID,\n    UID,\n    Softwares,\n    WebAppFirewall,\n    ClickJackingDefence,\n    ContentSecurityPolicy,\n    CookieXssProtection,\n    DataInjectionDefence,\n    DomainStatus,\n    MissingEPPCodes,\n    SecureCookie,\n    SetCookieHttpsOnly,\n    XFrameOptions,\n    X_XssProtection,\n    ProviderName,\n    ProductName\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "CredentialAccess",
          "DefenseEvasion",
          "Discovery",
          "Execution",
          "InitialAccess",
          "persistence",
          "Reconnaissance"
        ],
        "techniques": [
          "T1027",
          "T1046",
          "T1059",
          "T1070",
          "T1087",
          "T1114",
          "T1136",
          "T1190",
          "T1505",
          "T1555",
          "T1566",
          "T1595"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}