CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule
| Id | 42e6f16a-7773-44cc-8668-8f648bd1aa4f |
| Rulename | CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule |
| Description | This rule triggers when CYFIRMA detects source code related to internal or enterprise domains exposed on public platforms like GitHub. Such exposure may lead to intellectual property leakage or help adversaries understand internal systems, increasing the risk of targeted attacks. |
| Severity | High |
| Tactics | ResourceDevelopment CredentialAccess Discovery |
| Techniques | T1587.001 T1606.001 T1082 |
| Required data connectors | CyfirmaDigitalRiskAlertsConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESourceCodeExposureHighRule.yaml |
| Version | 1.0.1 |
| Arm template | 42e6f16a-7773-44cc-8668-8f648bd1aa4f.json |
// High severity - Social and Public Exposure - Source Code Exposure on Public Repositories
// Selects CYFIRMA source-code exposure alerts ingested in the last 5 minutes and reshapes
// them into the PascalCase column set referenced by the rule's customDetails and
// alertDetailsOverride. Output columns and their order match the original projection.
// NOTE(review): the rule is rated High, yet only severity == 'Critical' records are kept;
// confirm this matches the intended CYFIRMA severity mapping.
// NOTE(review): the lookback equals the 5m run interval, so records whose TimeGenerated
// falls in a window that has already been evaluated are never seen; confirm acceptable.
let lookback = 5m;
CyfirmaSPESourceCodeAlerts_CL
| where TimeGenerated between (ago(lookback) .. now())
| where severity == 'Critical'
// Alias raw connector fields in a single projection; ProviderName and ProductName are
// fixed literals. Connector fields not listed here (e.g. source, recommendation) are dropped.
| project
    TimeGenerated,
    Description=description,
    RiskScore=risk_score,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Impact=impact,
    ProductName='DeCYFIR/DeTCT',
    ProviderName='CYFIRMA',
    AlertTitle=Alert_title
# Microsoft Sentinel scheduled analytics rule (CYFIRMA Digital Risk solution).
# The id below is the rule template id and is reused as the ARM resource name.
kind: Scheduled
# Alert custom details: each key maps to a column the query below projects.
customDetails:
  AssetType: AssetType
  UID: UID
  AssetValue: AssetValue
  Description: Description
  RiskScore: RiskScore
  TimeGenerated: TimeGenerated
  AlertUID: AlertUID
  Impact: Impact
  FirstSeen: FirstSeen
  LastSeen: LastSeen
alertDetailsOverride:
  # Alert title and description are templated from the projected AlertTitle / Description columns.
  alertDisplayNameFormat: 'CYFIRMA High Severity Alert - Source Code Exposure on Public Repositories - {{AlertTitle}} '
  alertDescriptionFormat: '{{Description}} '
  # The two literal columns set in the query are surfaced as alert properties.
  alertDynamicProperties:
    - value: ProductName
      alertProperty: ProductName
    - value: ProviderName
      alertProperty: ProviderName
# NOTE(review): the quotation marks sit inside the block scalar and therefore become part of
# the rendered description text.
description: |
  "This rule triggers when CYFIRMA detects source code related to internal or enterprise domains exposed on public platforms like GitHub.
  Such exposure may lead to intellectual property leakage or help adversaries understand internal systems, increasing the risk of targeted attacks."
# NOTE(review): rated High, but the query keeps only records with severity == 'Critical';
# confirm the intended CYFIRMA severity mapping.
severity: High
# Runs every 5 minutes. queryPeriod (end of file) is also 5m, so the lookback equals the run
# interval, and the query itself further restricts TimeGenerated to the last 5 minutes.
queryFrequency: 5m
incidentConfiguration:
  # Alert grouping is disabled; with aggregationKind AlertPerResult below, each matching row
  # produces its own alert, and createIncident opens an incident for each of them.
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    enabled: false
  createIncident: true
# Fires when the query returns more than 0 rows (triggerOperator: gt, below).
triggerThreshold: 0
relevantTechniques:
  - T1587.001
  - T1606.001
  - T1082
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
version: 1.0.1
name: CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule
id: 42e6f16a-7773-44cc-8668-8f648bd1aa4f
# NOTE(review): no entityMappings are defined, so alerts carry no entities for investigation,
# and matchingMethod AllEntities would have nothing to match if grouping were enabled;
# consider mapping AssetValue / UID if a suitable entity type exists.
# The query extends Source and Recommendation but does not project them, so they are not
# available to customDetails or alertDetailsOverride.
query: |
  // High severity - Social and Public Exposure - Source Code Exposure on Public Repositories
  let timeFrame = 5m;
  CyfirmaSPESourceCodeAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact=impact,
      Recommendation=recommendation,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Impact,
      ProductName,
      ProviderName,
      AlertTitle
# The custom log table the query reads must be delivered by this connector.
requiredDataConnectors:
  - dataTypes:
      - CyfirmaSPESourceCodeAlerts_CL
    connectorId: CyfirmaDigitalRiskAlertsConnector
tactics:
  - ResourceDevelopment
  - CredentialAccess
  - Discovery
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESourceCodeExposureHighRule.yaml
queryPeriod: 5m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/42e6f16a-7773-44cc-8668-8f648bd1aa4f')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/42e6f16a-7773-44cc-8668-8f648bd1aa4f')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{Description}} ",
"alertDisplayNameFormat": "CYFIRMA High Severity Alert - Source Code Exposure on Public Repositories - {{AlertTitle}} ",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "42e6f16a-7773-44cc-8668-8f648bd1aa4f",
"customDetails": {
"AlertUID": "AlertUID",
"AssetType": "AssetType",
"AssetValue": "AssetValue",
"Description": "Description",
"FirstSeen": "FirstSeen",
"Impact": "Impact",
"LastSeen": "LastSeen",
"RiskScore": "RiskScore",
"TimeGenerated": "TimeGenerated",
"UID": "UID"
},
"description": "This rule triggers when CYFIRMA detects source code related to internal or enterprise domains exposed on public platforms like GitHub. \nSuch exposure may lead to intellectual property leakage or help adversaries understand internal systems, increasing the risk of targeted attacks.\n",
"displayName": "CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule",
"enabled": true,
"entityMappings": null,
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESourceCodeExposureHighRule.yaml",
"query": "// High severity - Social and Public Exposure - Source Code Exposure on Public Repositories\nlet timeFrame = 5m;\nCyfirmaSPESourceCodeAlerts_CL\n| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n Description=description,\n FirstSeen=first_seen,\n LastSeen=last_seen,\n RiskScore=risk_score,\n AlertUID=alert_uid,\n UID=uid,\n AssetType=asset_type,\n AssetValue=signature,\n Source=source,\n Impact=impact,\n Recommendation=recommendation,\n ProviderName='CYFIRMA',\n ProductName='DeCYFIR/DeTCT',\n AlertTitle=Alert_title\n| project\n TimeGenerated,\n Description,\n RiskScore,\n FirstSeen,\n LastSeen,\n AlertUID,\n UID,\n AssetType,\n AssetValue,\n Impact,\n ProductName,\n ProviderName,\n AlertTitle\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [
"T1587.001",
"T1606.001"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess",
"Discovery",
"ResourceDevelopment"
],
"techniques": [
"T1082",
"T1587",
"T1606"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}