Microsoft Sentinel Analytic Rules

CYFIRMA - Attack Surface - Weak Certificate Exposure - High Rule

Id3b5a1c0e-7f3a-4d47-8416-6c0b8b91e9ce
RulenameCYFIRMA - Attack Surface - Weak Certificate Exposure - High Rule
Description“This alert indicates that a weak or insecure SSL/TLS certificate has been detected on a public-facing asset monitored by Cyfirma.

Such certificates do not meet modern encryption standards and are considered insecure, especially for handling sensitive transactions.

This exposure increases the risk of man-in-the-middle attacks and loss of data integrity or confidentiality.

Immediate remediation is advised by replacing weak certificates with strong, industry-compliant ones.”
SeverityHigh
TacticsDefenseEvasion
ResourceDevelopment
Reconnaissance
InitialAccess
CredentialAccess
TechniquesT1553
T1588
T1595
T1190
T1552
Required data connectorsCyfirmaAttackSurfaceAlertsConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASCertificatesHighRule.yaml
Version1.0.1
Arm template3b5a1c0e-7f3a-4d47-8416-6c0b8b91e9ce.json
// High Severity Weak Certificate Exposure Detected
// Emits one row per Cyfirma attack-surface certificate alert whose feed severity
// value is 'Critical' and whose TimeGenerated falls within the last 5 minutes.
// NOTE(review): the rule is labelled High but filters the feed's 'Critical' value —
// confirm this is the intended mapping between Cyfirma and Sentinel severities.
// NOTE(review): timeFrame equals the rule's 5m query frequency, so an event that is
// ingested more than 5 minutes after its TimeGenerated is never matched by this
// filter — confirm the connector's ingestion latency stays inside that margin.
let timeFrame = 5m;
CyfirmaASCertificatesAlerts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
| where severity == 'Critical'
// alert_uid / uid are read but not emitted, exactly as in the upstream rule.
// Presumably alert_uid identifies the upstream alert; if so, projecting AlertUID
// would help de-duplicate repeated alerts — verify against the connector schema.
| extend AlertUID=alert_uid, UID=uid
// Rename the feed's snake_case columns to the PascalCase names used by the rule's
// entity mappings and custom details; any column not listed here is dropped.
| project
    TimeGenerated,
    Description=description,
    Domain=sub_domain,
    TopDomain=top_domain,
    RiskScore=risk_score,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    ValidFrom=valid_from,
    ValidTo=valid_to,
    Protocols=protocols,
    SelfSigned=self_signed,
    CertificateData=cert_data,
    CertificateHash=cert_hash,
    IssuedBy=issued_by,
    IssuedTo=issued_to,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT'
# Lookback window for each run. It equals queryFrequency (5m, below), so consecutive
# runs do not overlap and there is no slack for ingestion delay: an event that lands
# in the workspace more than 5 minutes after its TimeGenerated is never evaluated.
# NOTE(review): consider a queryPeriod longer than queryFrequency if the connector's
# latency warrants it — confirm against observed ingestion times.
queryPeriod: 5m
# The KQL below filters the feed's 'Critical' severity value even though the rule is
# published as severity High (see `severity:` further down); confirm this mapping is
# intended. AlertUID/UID are computed but not projected, so they are not available
# to customDetails or entityMappings.
query: |
  // High Severity Weak Certificate Exposure Detected
  let timeFrame = 5m;
  CyfirmaASCertificatesAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      ValidFrom=valid_from,
      ValidTo=valid_to,
      RiskScore=risk_score,
      Domain=sub_domain,
      TopDomain=top_domain,
      Protocols=protocols,
      SelfSigned=self_signed,
      AlertUID=alert_uid,
      UID=uid,
      CertificateData= cert_data,
      CertificateHash=cert_hash,
      IssuedBy=issued_by,
      IssuedTo=issued_to,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      Domain,
      TopDomain,
      RiskScore,
      FirstSeen,
      LastSeen,
      ValidFrom,
      ValidTo,
      Protocols,
      SelfSigned,
      CertificateData,
      CertificateHash,
      IssuedBy,
      IssuedTo,
      ProviderName,
      ProductName  
# Alert grouping is declared but switched off (enabled: false), so with
# createIncident: true every alert becomes its own incident. The grouping settings
# below only take effect if enabled is flipped to true.
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: false
  createIncident: true
name: CYFIRMA - Attack Surface - Weak Certificate Exposure - High Rule
# Entities extracted from the projected columns: Domain (the feed's sub_domain) is
# mapped both as a standalone DNS entity and as the DnsDomain of a Host entity whose
# HostName is TopDomain.
entityMappings:
- fieldMappings:
  - columnName: Domain
    identifier: DomainName
  entityType: DNS
- fieldMappings:
  - columnName: TopDomain
    identifier: HostName
  - columnName: Domain
    identifier: DnsDomain
  entityType: Host
# Run interval; see the note on queryPeriod above.
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASCertificatesHighRule.yaml
# Per-alert title and description are templated from query columns ({{Domain}},
# {{Description}}); ProductName/ProviderName are promoted to alert properties.
alertDetailsOverride:
  alertDisplayNameFormat: CYFIRMA - High Severity Weak Certificate Exposure Detected for this Domain  - {{Domain}}
  alertDescriptionFormat: CYFIRMA - High Severity Weak Certificate Exposure Detected  - {{Description}}
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
# The double quotes sit inside a literal block scalar, so they are part of the
# description text as published.
description: |
  "This alert indicates that a weak or insecure SSL/TLS certificate has been detected on a public-facing asset monitored by Cyfirma. 
  Such certificates do not meet modern encryption standards and are considered insecure, especially for handling sensitive transactions. 
  This exposure increases the risk of man-in-the-middle attacks and loss of data integrity or confidentiality. 
  Immediate remediation is advised by replacing weak certificates with strong, industry-compliant ones."  
kind: Scheduled
version: 1.0.1
# One alert per result row rather than a single alert per run.
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
# NOTE(review): published as High while the query selects severity == 'Critical'
# from the feed — confirm the intended Cyfirma-to-Sentinel severity mapping.
severity: High
requiredDataConnectors:
- connectorId: CyfirmaAttackSurfaceAlertsConnector
  dataTypes:
  - CyfirmaASCertificatesAlerts_CL
# Fires whenever the query returns at least one row.
triggerOperator: gt
triggerThreshold: 0
# Projected query columns surfaced as custom details on the alert.
customDetails:
  IssuedTo: IssuedTo
  TimeGenerated: TimeGenerated
  ValidFrom: ValidFrom
  IssuedBy: IssuedBy
  ValidTo: ValidTo
  LastSeen: LastSeen
  Domain: Domain
  Description: Description
  CertificateData: CertificateData
  FirstSeen: FirstSeen
  CertificateHash: CertificateHash
  TopDomain: TopDomain
  SelfSigned: SelfSigned
  Protocols: Protocols
  RiskScore: RiskScore
# ATT&CK tactics and techniques declared by the rule author.
tactics:
- DefenseEvasion
- ResourceDevelopment
- Reconnaissance
- InitialAccess
- CredentialAccess
id: 3b5a1c0e-7f3a-4d47-8416-6c0b8b91e9ce
relevantTechniques:
- T1553
- T1588
- T1595
- T1190
- T1552