CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule

// High severity - Social and Public Exposure - Source Code Exposure on Public Repositories
let timeFrame = 5m;
CyfirmaSPESourceCodeAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Source=source,
    Impact=impact,
    Recommendation=recommendation,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Impact,
    ProductName,
    ProviderName,
    AlertTitle

customDetails:
  FirstSeen: FirstSeen
  TimeGenerated: TimeGenerated
  RiskScore: RiskScore
  UID: UID
  Description: Description
  AlertUID: AlertUID
  Impact: Impact
  LastSeen: LastSeen
  AssetValue: AssetValue
  AssetType: AssetType
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESourceCodeExposureHighRule.yaml
id: 42e6f16a-7773-44cc-8668-8f648bd1aa4f
requiredDataConnectors:
- dataTypes:
  - CyfirmaSPESourceCodeAlerts_CL
  connectorId: CyfirmaDigitalRiskAlertsConnector
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
  createIncident: true
relevantTechniques:
- T1587.001
- T1606.001
- T1082
kind: Scheduled
name: CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule
query: |
  // High severity - Social and Public Exposure - Source Code Exposure on Public Repositories
  let timeFrame = 5m;
  CyfirmaSPESourceCodeAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact=impact,
      Recommendation=recommendation,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Impact,
      ProductName,
      ProviderName,
      AlertTitle  
tactics:
- ResourceDevelopment
- CredentialAccess
- Discovery
severity: High
queryFrequency: 5m
description: |
  "This rule triggers when CYFIRMA detects source code related to internal or enterprise domains exposed on public platforms like GitHub. 
  Such exposure may lead to intellectual property leakage or help adversaries understand internal systems, increasing the risk of targeted attacks."  
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA High Severity Alert - Source Code Exposure on Public Repositories - {{AlertTitle}} '
  alertDescriptionFormat: '{{Description}} '
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
triggerThreshold: 0
triggerOperator: gt
version: 1.0.1
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryPeriod: 5m
status: Available