CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule

// High severity - Social and Public Exposure - Source Code Exposure on Public Repositories
let timeFrame = 5m;
CyfirmaSPESourceCodeAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Source=source,
    Impact=impact,
    Recommendation=recommendation,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Impact,
    ProductName,
    ProviderName,
    AlertTitle

name: CYFIRMA - Social and Public Exposure - Source Code Exposure on Public Repositories Rule
alertDetailsOverride:
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
  alertDisplayNameFormat: 'CYFIRMA High Severity Alert - Source Code Exposure on Public Repositories - {{AlertTitle}} '
  alertDescriptionFormat: '{{Description}} '
version: 1.0.1
triggerThreshold: 0
id: 42e6f16a-7773-44cc-8668-8f648bd1aa4f
triggerOperator: gt
query: |
  // High severity - Social and Public Exposure - Source Code Exposure on Public Repositories
  let timeFrame = 5m;
  CyfirmaSPESourceCodeAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact=impact,
      Recommendation=recommendation,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Impact,
      ProductName,
      ProviderName,
      AlertTitle  
description: |
  "This rule triggers when CYFIRMA detects source code related to internal or enterprise domains exposed on public platforms like GitHub. 
  Such exposure may lead to intellectual property leakage or help adversaries understand internal systems, increasing the risk of targeted attacks."  
kind: Scheduled
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESourceCodeExposureHighRule.yaml
severity: High
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: false
queryPeriod: 5m
requiredDataConnectors:
- dataTypes:
  - CyfirmaSPESourceCodeAlerts_CL
  connectorId: CyfirmaDigitalRiskAlertsConnector
status: Available
customDetails:
  TimeGenerated: TimeGenerated
  UID: UID
  AlertUID: AlertUID
  LastSeen: LastSeen
  Impact: Impact
  Description: Description
  FirstSeen: FirstSeen
  AssetType: AssetType
  AssetValue: AssetValue
  RiskScore: RiskScore
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1587.001
- T1606.001
- T1082
tactics:
- ResourceDevelopment
- CredentialAccess
- Discovery