CYFIRMA - Attack Surface - Weak Certificate Exposure - High Rule
| Id | 3b5a1c0e-7f3a-4d47-8416-6c0b8b91e9ce |
| Rulename | CYFIRMA - Attack Surface - Weak Certificate Exposure - High Rule |
| Description | “This alert indicates that a weak or insecure SSL/TLS certificate has been detected on a public-facing asset monitored by Cyfirma. Such certificates do not meet modern encryption standards and are considered insecure, especially for handling sensitive transactions. This exposure increases the risk of man-in-the-middle attacks and loss of data integrity or confidentiality. Immediate remediation is advised by replacing weak certificates with strong, industry-compliant ones.” |
| Severity | High |
| Tactics | DefenseEvasion ResourceDevelopment Reconnaissance InitialAccess CredentialAccess |
| Techniques | T1553 T1588 T1595 T1190 T1552 |
| Required data connectors | CyfirmaAttackSurfaceAlertsConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASCertificatesHighRule.yaml |
| Version | 1.0.1 |
| Arm template | 3b5a1c0e-7f3a-4d47-8416-6c0b8b91e9ce.json |
```kusto
// High Severity Weak Certificate Exposure Detected
let timeFrame = 5m;
CyfirmaASCertificatesAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    ValidFrom=valid_from,
    ValidTo=valid_to,
    RiskScore=risk_score,
    Domain=sub_domain,
    TopDomain=top_domain,
    Protocols=protocols,
    SelfSigned=self_signed,
    AlertUID=alert_uid,
    UID=uid,
    CertificateData=cert_data,
    CertificateHash=cert_hash,
    IssuedBy=issued_by,
    IssuedTo=issued_to,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT'
| project
    TimeGenerated,
    Description,
    Domain,
    TopDomain,
    RiskScore,
    FirstSeen,
    LastSeen,
    ValidFrom,
    ValidTo,
    Protocols,
    SelfSigned,
    CertificateData,
    CertificateHash,
    IssuedBy,
    IssuedTo,
    ProviderName,
    ProductName
```
```yaml
customDetails:
  ValidFrom: ValidFrom
  RiskScore: RiskScore
  ValidTo: ValidTo
  IssuedBy: IssuedBy
  FirstSeen: FirstSeen
  CertificateHash: CertificateHash
  LastSeen: LastSeen
  SelfSigned: SelfSigned
  IssuedTo: IssuedTo
  Description: Description
  Protocols: Protocols
  Domain: Domain
  CertificateData: CertificateData
  TopDomain: TopDomain
  TimeGenerated: TimeGenerated
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASCertificatesHighRule.yaml
id: 3b5a1c0e-7f3a-4d47-8416-6c0b8b91e9ce
requiredDataConnectors:
  - dataTypes:
      - CyfirmaASCertificatesAlerts_CL
    connectorId: CyfirmaAttackSurfaceAlertsConnector
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
  createIncident: true
relevantTechniques:
  - T1553
  - T1588
  - T1595
  - T1190
  - T1552
kind: Scheduled
name: CYFIRMA - Attack Surface - Weak Certificate Exposure - High Rule
query: |
  // High Severity Weak Certificate Exposure Detected
  let timeFrame = 5m;
  CyfirmaASCertificatesAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      ValidFrom=valid_from,
      ValidTo=valid_to,
      RiskScore=risk_score,
      Domain=sub_domain,
      TopDomain=top_domain,
      Protocols=protocols,
      SelfSigned=self_signed,
      AlertUID=alert_uid,
      UID=uid,
      CertificateData=cert_data,
      CertificateHash=cert_hash,
      IssuedBy=issued_by,
      IssuedTo=issued_to,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      Domain,
      TopDomain,
      RiskScore,
      FirstSeen,
      LastSeen,
      ValidFrom,
      ValidTo,
      Protocols,
      SelfSigned,
      CertificateData,
      CertificateHash,
      IssuedBy,
      IssuedTo,
      ProviderName,
      ProductName
tactics:
  - DefenseEvasion
  - ResourceDevelopment
  - Reconnaissance
  - InitialAccess
  - CredentialAccess
severity: High
entityMappings:
  - fieldMappings:
      - identifier: DomainName
        columnName: Domain
    entityType: DNS
  - fieldMappings:
      - identifier: HostName
        columnName: TopDomain
      - identifier: DnsDomain
        columnName: Domain
    entityType: Host
queryFrequency: 5m
description: |
  "This alert indicates that a weak or insecure SSL/TLS certificate has been detected on a public-facing asset monitored by Cyfirma.
  Such certificates do not meet modern encryption standards and are considered insecure, especially for handling sensitive transactions.
  This exposure increases the risk of man-in-the-middle attacks and loss of data integrity or confidentiality.
  Immediate remediation is advised by replacing weak certificates with strong, industry-compliant ones."
alertDetailsOverride:
  alertDisplayNameFormat: CYFIRMA - High Severity Weak Certificate Exposure Detected for this Domain - {{Domain}}
  alertDescriptionFormat: CYFIRMA - High Severity Weak Certificate Exposure Detected - {{Description}}
  alertDynamicProperties:
    - value: ProductName
      alertProperty: ProductName
    - value: ProviderName
      alertProperty: ProviderName
triggerThreshold: 0
triggerOperator: gt
version: 1.0.1
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryPeriod: 5m
status: Available
```