CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule
| Id | 42e6f16a-7773-44cc-8668-8f648bd1aa4f |
| Rulename | CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule |
| Description | “This rule triggers when CYFIRMA detects source code related to internal or enterprise domains exposed on public platforms like GitHub. Such exposure may lead to intellectual property leakage or help adversaries understand internal systems, increasing the risk of targeted attacks.” |
| Severity | High |
| Tactics | ResourceDevelopment CredentialAccess Discovery |
| Techniques | T1587.001 T1606.001 T1082 |
| Required data connectors | CyfirmaDigitalRiskAlertsConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESourceCodeExposureHighRule.yaml |
| Version | 1.0.0 |
| Arm template | 42e6f16a-7773-44cc-8668-8f648bd1aa4f.json |
// High severity - Social and Public Exposure - Source Code Exposure on Public Repositories
let timeFrame = 5m;
CyfirmaSPESourceCodeAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=signature,
Source=source,
Impact=impact,
Recommendation=recommendation,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT',
AlertTitle=Alert_title
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Impact,
ProductName,
ProviderName,
AlertTitle
tactics:
- ResourceDevelopment
- CredentialAccess
- Discovery
name: CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule
id: 42e6f16a-7773-44cc-8668-8f648bd1aa4f
requiredDataConnectors:
- connectorId: CyfirmaDigitalRiskAlertsConnector
dataTypes:
- CyfirmaSPESourceCodeAlerts_CL
query: |
// High severity - Social and Public Exposure - Source Code Exposure on Public Repositories
let timeFrame = 5m;
CyfirmaSPESourceCodeAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=signature,
Source=source,
Impact=impact,
Recommendation=recommendation,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT',
AlertTitle=Alert_title
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Impact,
ProductName,
ProviderName,
AlertTitle
eventGroupingSettings:
aggregationKind: AlertPerResult
relevantTechniques:
- T1587.001
- T1606.001
- T1082
incidentConfiguration:
createIncident: true
groupingConfiguration:
matchingMethod: AllEntities
reopenClosedIncident: false
lookbackDuration: 5h
enabled: false
description: |
"This rule triggers when CYFIRMA detects source code related to internal or enterprise domains exposed on public platforms like GitHub.
Such exposure may lead to intellectual property leakage or help adversaries understand internal systems, increasing the risk of targeted attacks."
triggerOperator: gt
queryPeriod: 5m
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESourceCodeExposureHighRule.yaml
version: 1.0.0
alertDetailsOverride:
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
alertDisplayNameFormat: 'CYFIRMA High Severity Alert - Source Code Exposure on Public Repositories - {{AlertTitle}} '
alertDescriptionFormat: '{{Description}} '
triggerThreshold: 0
queryFrequency: 5m
kind: Scheduled
status: Available
customDetails:
RiskScore: RiskScore
AssetType: AssetType
FirstSeen: FirstSeen
Impact: Impact
TimeGenerated: TimeGenerated
AssetValue: AssetValue
Description: Description
LastSeen: LastSeen
AlertUID: AlertUID
UID: UID
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/42e6f16a-7773-44cc-8668-8f648bd1aa4f')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/42e6f16a-7773-44cc-8668-8f648bd1aa4f')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{Description}} ",
"alertDisplayNameFormat": "CYFIRMA High Severity Alert - Source Code Exposure on Public Repositories - {{AlertTitle}} ",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "42e6f16a-7773-44cc-8668-8f648bd1aa4f",
"customDetails": {
"AlertUID": "AlertUID",
"AssetType": "AssetType",
"AssetValue": "AssetValue",
"Description": "Description",
"FirstSeen": "FirstSeen",
"Impact": "Impact",
"LastSeen": "LastSeen",
"RiskScore": "RiskScore",
"TimeGenerated": "TimeGenerated",
"UID": "UID"
},
"description": "\"This rule triggers when CYFIRMA detects source code related to internal or enterprise domains exposed on public platforms like GitHub. \nSuch exposure may lead to intellectual property leakage or help adversaries understand internal systems, increasing the risk of targeted attacks.\"\n",
"displayName": "CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule",
"enabled": true,
"entityMappings": null,
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESourceCodeExposureHighRule.yaml",
"query": "// High severity - Social and Public Exposure - Source Code Exposure on Public Repositories\nlet timeFrame = 5m;\nCyfirmaSPESourceCodeAlerts_CL\n| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n Description=description,\n FirstSeen=first_seen,\n LastSeen=last_seen,\n RiskScore=risk_score,\n AlertUID=alert_uid,\n UID=uid,\n AssetType=asset_type,\n AssetValue=signature,\n Source=source,\n Impact=impact,\n Recommendation=recommendation,\n ProviderName='CYFIRMA',\n ProductName='DeCYFIR/DeTCT',\n AlertTitle=Alert_title\n| project\n TimeGenerated,\n Description,\n RiskScore,\n FirstSeen,\n LastSeen,\n AlertUID,\n UID,\n AssetType,\n AssetValue,\n Impact,\n ProductName,\n ProviderName,\n AlertTitle\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [
"T1587.001",
"T1606.001"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess",
"Discovery",
"ResourceDevelopment"
],
"techniques": [
"T1082",
"T1587",
"T1606"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}