Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Medium Severity Attack Surface based Vulnerabilities Rule

Back
Id4c1b282b-62f1-4783-bf40-94c44f0ae630
RulenameCYFIRMA - Medium Severity Attack Surface based Vulnerabilities Rule
Description“This rule detects medium severity attack surface-based vulnerabilities from CYFIRMA’s vulnerability intelligence data. It identifies vulnerabilities with a confidence score of 50 or higher, excluding those categorized as ‘ASSET_VULNERABILITY’, and generates alerts for assets that may be at risk.”
SeverityMedium
TacticsExecution
LateralMovement
PrivilegeEscalation
InitialAccess
CredentialAccess
DefenseEvasion
TechniquesT1059
T1203
T1210
T1068
T1190
T1133
T1003
T1553
T1548.002
T1021.002
Required data connectorsCyfirmaVulnerabilitiesIntelDC
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Vulnerabilities Intel/Analytic Rules/AttackSurfaceVulnerabilitiesMediumSeverityRule.yaml
Version1.0.0
Arm template4c1b282b-62f1-4783-bf40-94c44f0ae630.json
Deploy To Azure
// Medium severity - Attack Surface based Vulnerabilities
let timeFrame= 5m;
CyfirmaVulnerabilities_CL
| extend parsed = parse_json(extensions)
| extend extensionKeys = bag_keys(parsed)
| mv-expand extensionKeys
| extend extensionKeyStr = tostring(extensionKeys)
| extend ext = parsed[extensionKeyStr]
| extend props = ext.properties
| extend 
    attack_complexity         = tostring(props.attack_complexity),
    cvss_score                = toreal(props.cvss_score),
    integrity_impact          = tostring(props.integrity_impact),
    impact_score              = tostring(props.impact_score),
    attack_vector             = tostring(props.attack_vector),
    privileges_required       = tostring(props.privileges_required),
    cvss_version              = tostring(props.cvss_version),
    user_interaction          = tostring(props.user_interaction),
    cvss_vector               = tostring(props.cvss_vector),
    scope                     = tostring(props.scope),
    confidentiality_impact    = tostring(props.confidentiality_impact),
    exploitability_score      = toreal(props.exploitability_score),
    products                  = tostring(props.products),
    technologies              = tostring(props.technologies),
    vendors                   = tostring(props.vendors),
    confidence_score          = toint(confidence),
    servers                   = tostring(props.servers),
    vulnerability_type        = tostring(props.vulnerability_type),
    vulnerability_category        = tostring(props.vulnerability_category),
    NetworkIPs                = tostring(props.ips),
    ProviderName              ='CYFIRMA',
    ProductName               ='DeCYFIR/DeTCT'
| summarize arg_max(
                integrity_impact,
                TimeGenerated, 
                id,
                description,
                confidence_score,
                created,
                modified,
                attack_complexity,
                cvss_score,
                impact_score,
                attack_vector,
                privileges_required,
                cvss_version,
                user_interaction,
                cvss_vector,
                scope,
                confidentiality_impact,
                exploitability_score,
                products,
                technologies,
                vendors,
                ProviderName,
                ProductName,
                servers,
                NetworkIPs,
                vulnerability_type,
                vulnerability_category
            )
    by name
| where confidence_score >= 60 and vulnerability_category == 'ATTACK_SURFACE_VULNERABILITY' and TimeGenerated between (ago(timeFrame) .. now())
| project 
    TimeGenerated,
    name,
    confidence_score,
    integrity_impact,
    attack_complexity,
    cvss_score,
    impact_score,
    attack_vector,
    UID = id,
    description,
    created,
    modified,
    privileges_required,
    cvss_version,
    user_interaction,
    cvss_vector,
    scope,
    confidentiality_impact,
    exploitability_score,
    products,
    technologies,
    vendors,
    ProviderName,
    ProductName,
    servers,
    NetworkIPs,
    vulnerability_type,
    vulnerability_category
triggerThreshold: 0
severity: Medium
suppressionDuration: 5m
queryFrequency: 5m
queryPeriod: 5m
enabled: false
customDetails:
  TimeGenerated: TimeGenerated
  CVSSScore: cvss_score
  ConfidentialImpact: confidentiality_impact
  CVSSVersion: cvss_version
  ExploitabilityScore: modified
  Products: technologies
  PrivilegesRequired: privileges_required
  IntegrityImpact: integrity_impact
  Vendors: vendors
  UserInteraction: user_interaction
  AttackComplexity: attack_complexity
  ConfidenceScore: confidence_score
  CVSSVector: scope
  ImpactScore: impact_score
  CVE: name
  Modified: products
  scope: exploitability_score
  AttackVector: attack_vector
  Technologies: technologies
relevantTechniques:
- T1059
- T1203
- T1210
- T1068
- T1190
- T1133
- T1003
- T1553
- T1548.002
- T1021.002
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Attack Surface based Vulnerability Identified - {{name}} '
  alertDescriptionFormat: '{{description}} '
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
triggerOperator: GreaterThan
id: 4c1b282b-62f1-4783-bf40-94c44f0ae630
suppressionEnabled: false
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 5m
    enabled: false
    matchingMethod: AllEntities
    reopenClosedIncident: false
requiredDataConnectors:
- connectorId: CyfirmaVulnerabilitiesIntelDC
  dataTypes:
  - CyfirmaVulnerabilities_CL
version: 1.0.0
name: CYFIRMA - Medium Severity Attack Surface based Vulnerabilities Rule
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: |
    "This rule detects medium severity attack surface-based vulnerabilities from CYFIRMA's vulnerability intelligence data. It identifies vulnerabilities with a confidence score of 50 or higher, excluding those categorized as 'ASSET_VULNERABILITY', and generates alerts for assets that may be at risk."
query: |
  // Medium severity - Attack Surface based Vulnerabilities
  let timeFrame= 5m;
  CyfirmaVulnerabilities_CL
  | extend parsed = parse_json(extensions)
  | extend extensionKeys = bag_keys(parsed)
  | mv-expand extensionKeys
  | extend extensionKeyStr = tostring(extensionKeys)
  | extend ext = parsed[extensionKeyStr]
  | extend props = ext.properties
  | extend 
      attack_complexity         = tostring(props.attack_complexity),
      cvss_score                = toreal(props.cvss_score),
      integrity_impact          = tostring(props.integrity_impact),
      impact_score              = tostring(props.impact_score),
      attack_vector             = tostring(props.attack_vector),
      privileges_required       = tostring(props.privileges_required),
      cvss_version              = tostring(props.cvss_version),
      user_interaction          = tostring(props.user_interaction),
      cvss_vector               = tostring(props.cvss_vector),
      scope                     = tostring(props.scope),
      confidentiality_impact    = tostring(props.confidentiality_impact),
      exploitability_score      = toreal(props.exploitability_score),
      products                  = tostring(props.products),
      technologies              = tostring(props.technologies),
      vendors                   = tostring(props.vendors),
      confidence_score          = toint(confidence),
      servers                   = tostring(props.servers),
      vulnerability_type        = tostring(props.vulnerability_type),
      vulnerability_category        = tostring(props.vulnerability_category),
      NetworkIPs                = tostring(props.ips),
      ProviderName              ='CYFIRMA',
      ProductName               ='DeCYFIR/DeTCT'
  | summarize arg_max(
                  integrity_impact,
                  TimeGenerated, 
                  id,
                  description,
                  confidence_score,
                  created,
                  modified,
                  attack_complexity,
                  cvss_score,
                  impact_score,
                  attack_vector,
                  privileges_required,
                  cvss_version,
                  user_interaction,
                  cvss_vector,
                  scope,
                  confidentiality_impact,
                  exploitability_score,
                  products,
                  technologies,
                  vendors,
                  ProviderName,
                  ProductName,
                  servers,
                  NetworkIPs,
                  vulnerability_type,
                  vulnerability_category
              )
      by name
  | where confidence_score >= 60 and vulnerability_category == 'ATTACK_SURFACE_VULNERABILITY' and TimeGenerated between (ago(timeFrame) .. now())
  | project 
      TimeGenerated,
      name,
      confidence_score,
      integrity_impact,
      attack_complexity,
      cvss_score,
      impact_score,
      attack_vector,
      UID = id,
      description,
      created,
      modified,
      privileges_required,
      cvss_version,
      user_interaction,
      cvss_vector,
      scope,
      confidentiality_impact,
      exploitability_score,
      products,
      technologies,
      vendors,
      ProviderName,
      ProductName,
      servers,
      NetworkIPs,
      vulnerability_type,
      vulnerability_category  
tactics:
- Execution
- LateralMovement
- PrivilegeEscalation
- InitialAccess
- CredentialAccess
- DefenseEvasion
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Vulnerabilities Intel/Analytic Rules/AttackSurfaceVulnerabilitiesMediumSeverityRule.yaml
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4c1b282b-62f1-4783-bf40-94c44f0ae630')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4c1b282b-62f1-4783-bf40-94c44f0ae630')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{description}} ",
          "alertDisplayNameFormat": "CYFIRMA - Medium Severity Attack Surface based Vulnerability Identified - {{name}} ",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "4c1b282b-62f1-4783-bf40-94c44f0ae630",
        "customDetails": {
          "AttackComplexity": "attack_complexity",
          "AttackVector": "attack_vector",
          "ConfidenceScore": "confidence_score",
          "ConfidentialImpact": "confidentiality_impact",
          "CVE": "name",
          "CVSSScore": "cvss_score",
          "CVSSVector": "scope",
          "CVSSVersion": "cvss_version",
          "ExploitabilityScore": "modified",
          "ImpactScore": "impact_score",
          "IntegrityImpact": "integrity_impact",
          "Modified": "products",
          "PrivilegesRequired": "privileges_required",
          "Products": "technologies",
          "scope": "exploitability_score",
          "Technologies": "technologies",
          "TimeGenerated": "TimeGenerated",
          "UserInteraction": "user_interaction",
          "Vendors": "vendors"
        },
        "description": "\"This rule detects medium severity attack surface-based vulnerabilities from CYFIRMA's vulnerability intelligence data. It identifies vulnerabilities with a confidence score of 50 or higher, excluding those categorized as 'ASSET_VULNERABILITY', and generates alerts for assets that may be at risk.\"\n",
        "displayName": "CYFIRMA - Medium Severity Attack Surface based Vulnerabilities Rule",
        "enabled": false,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5M",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Vulnerabilities Intel/Analytic Rules/AttackSurfaceVulnerabilitiesMediumSeverityRule.yaml",
        "query": "// Medium severity - Attack Surface based Vulnerabilities\nlet timeFrame= 5m;\nCyfirmaVulnerabilities_CL\n| extend parsed = parse_json(extensions)\n| extend extensionKeys = bag_keys(parsed)\n| mv-expand extensionKeys\n| extend extensionKeyStr = tostring(extensionKeys)\n| extend ext = parsed[extensionKeyStr]\n| extend props = ext.properties\n| extend \n    attack_complexity         = tostring(props.attack_complexity),\n    cvss_score                = toreal(props.cvss_score),\n    integrity_impact          = tostring(props.integrity_impact),\n    impact_score              = tostring(props.impact_score),\n    attack_vector             = tostring(props.attack_vector),\n    privileges_required       = tostring(props.privileges_required),\n    cvss_version              = tostring(props.cvss_version),\n    user_interaction          = tostring(props.user_interaction),\n    cvss_vector               = tostring(props.cvss_vector),\n    scope                     = tostring(props.scope),\n    confidentiality_impact    = tostring(props.confidentiality_impact),\n    exploitability_score      = toreal(props.exploitability_score),\n    products                  = tostring(props.products),\n    technologies              = tostring(props.technologies),\n    vendors                   = tostring(props.vendors),\n    confidence_score          = toint(confidence),\n    servers                   = tostring(props.servers),\n    vulnerability_type        = tostring(props.vulnerability_type),\n    vulnerability_category        = tostring(props.vulnerability_category),\n    NetworkIPs                = tostring(props.ips),\n    ProviderName              ='CYFIRMA',\n    ProductName               ='DeCYFIR/DeTCT'\n| summarize arg_max(\n                integrity_impact,\n                TimeGenerated, \n                id,\n                description,\n                confidence_score,\n                created,\n                modified,\n                attack_complexity,\n                cvss_score,\n                impact_score,\n                attack_vector,\n                privileges_required,\n                cvss_version,\n                user_interaction,\n                cvss_vector,\n                scope,\n                confidentiality_impact,\n                exploitability_score,\n                products,\n                technologies,\n                vendors,\n                ProviderName,\n                ProductName,\n                servers,\n                NetworkIPs,\n                vulnerability_type,\n                vulnerability_category\n            )\n    by name\n| where confidence_score >= 60 and vulnerability_category == 'ATTACK_SURFACE_VULNERABILITY' and TimeGenerated between (ago(timeFrame) .. now())\n| project \n    TimeGenerated,\n    name,\n    confidence_score,\n    integrity_impact,\n    attack_complexity,\n    cvss_score,\n    impact_score,\n    attack_vector,\n    UID = id,\n    description,\n    created,\n    modified,\n    privileges_required,\n    cvss_version,\n    user_interaction,\n    cvss_vector,\n    scope,\n    confidentiality_impact,\n    exploitability_score,\n    products,\n    technologies,\n    vendors,\n    ProviderName,\n    ProductName,\n    servers,\n    NetworkIPs,\n    vulnerability_type,\n    vulnerability_category\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "subTechniques": [
          "T1548.002",
          "T1021.002"
        ],
        "suppressionDuration": "PT5M",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "DefenseEvasion",
          "Execution",
          "InitialAccess",
          "LateralMovement",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1003",
          "T1021",
          "T1059",
          "T1068",
          "T1133",
          "T1190",
          "T1203",
          "T1210",
          "T1548",
          "T1553"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}