Microsoft Sentinel Analytic Rules

CYFIRMA - Attack Surface - Weak Certificate Exposure - Medium Rule

Id5a617ff2-3e3d-44e7-b761-9f0d542ae191
RulenameCYFIRMA - Attack Surface - Weak Certificate Exposure - Medium Rule
DescriptionThis alert indicates that a weak or insecure SSL/TLS certificate has been detected on a public-facing asset monitored by Cyfirma.

Such certificates do not meet modern encryption standards and are considered insecure, especially for handling sensitive transactions.

This exposure increases the risk of man-in-the-middle attacks and loss of data integrity or confidentiality.

Immediate remediation is advised by replacing weak certificates with strong, industry-compliant ones.
SeverityMedium
TacticsDefenseEvasion
ResourceDevelopment
Reconnaissance
InitialAccess
CredentialAccess
TechniquesT1553
T1588
T1595
T1190
T1552
Required data connectorsCyfirmaAttackSurfaceAlertsConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASCertificatesMediumRule.yaml
Version1.0.0
Arm template5a617ff2-3e3d-44e7-b761-9f0d542ae191.json
// Medium Severity Weak Certificate Exposure Detected
// Returns the Cyfirma attack-surface certificate alerts ingested within the
// last timeFrame and renames the connector's snake_case columns to the
// PascalCase names the rule's entity mappings and custom details refer to.
// NOTE(review): the severity filter keeps 'High' although this is the Medium
// rule (rule name, severity and alert title all say Medium) — confirm the
// intended value against the connector's severity field before deploying.
// NOTE(review): timeFrame equals the 5m query frequency/period, so a row that
// lands in the table more than 5m after its TimeGenerated is never evaluated;
// a lookback wider than the schedule is the usual way to absorb ingestion lag.
let timeFrame = 5m;
let windowStart = ago(timeFrame);
CyfirmaASCertificatesAlerts_CL
| where TimeGenerated >= windowStart
| where TimeGenerated <= now()
| where severity == 'High'
// Constant provenance fields expected by alertDynamicProperties.
| extend
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
// Rename on the way out; alert_uid / uid are deliberately not surfaced.
| project
    TimeGenerated,
    Description = description,
    Domain = sub_domain,
    TopDomain = top_domain,
    RiskScore = risk_score,
    FirstSeen = first_seen,
    LastSeen = last_seen,
    ValidFrom = valid_from,
    ValidTo = valid_to,
    Protocols = protocols,
    SelfSigned = self_signed,
    CertificateData = cert_data,
    CertificateHash = cert_hash,
    IssuedBy = issued_by,
    IssuedTo = issued_to,
    ProviderName,
    ProductName
# Sentinel scheduled analytic rule: CYFIRMA Attack Surface, weak certificate
# exposure, Medium severity. The same properties appear alphabetically in the
# generated ARM template; this document is the hand-maintained source.
entityMappings:
# NOTE(review): the query below projects no HostName column (its name-like
# outputs are Domain and TopDomain), so this DNS mapping has no source column
# and the DNS entity will stay empty on the alert — confirm which projected
# column (presumably Domain) was intended here.
- fieldMappings:
  - columnName: HostName
    identifier: DomainName
  entityType: DNS
# Host entity built from the two projected domain columns. NOTE(review): using
# the top-level domain as the Host's HostName looks unusual — verify against
# how the High/Low variants of this rule map the same columns.
- fieldMappings:
  - columnName: TopDomain
    identifier: HostName
  - columnName: Domain
    identifier: DnsDomain
  entityType: Host
# Any query result (count > 0) raises an alert.
triggerThreshold: 0
severity: Medium
incidentConfiguration:
  createIncident: true
  # Grouping is switched off; lookbackDuration / matchingMethod /
  # reopenClosedIncident only take effect once enabled is true.
  groupingConfiguration:
    lookbackDuration: 5h
    enabled: false
    matchingMethod: AllEntities
    reopenClosedIncident: false
queryFrequency: 5m
status: Available
# Columns copied onto the alert as custom details; every name listed here is
# present in the query's project list.
customDetails:
  TimeGenerated: TimeGenerated
  FirstSeen: FirstSeen
  RiskScore: RiskScore
  CertificateHash: CertificateHash
  Domain: Domain
  TopDomain: TopDomain
  IssuedTo: IssuedTo
  CertificateData: CertificateData
  SelfSigned: SelfSigned
  ValidFrom: ValidFrom
  ValidTo: ValidTo
  IssuedBy: IssuedBy
  Protocols: Protocols
  Description: Description
  LastSeen: LastSeen
relevantTechniques:
- T1553
- T1588
- T1595
- T1190
- T1552
alertDetailsOverride:
  # {{Domain}} and {{Description}} are substituted from the projected columns
  # of the same name, one alert per result (see eventGroupingSettings).
  alertDisplayNameFormat: CYFIRMA - Medium Severity Weak Certificate Exposure Detected for this Domain  - {{Domain}}
  alertDescriptionFormat: CYFIRMA - Medium Severity Weak Certificate Exposure Detected  - {{Description}}
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASCertificatesMediumRule.yaml
triggerOperator: gt
id: 5a617ff2-3e3d-44e7-b761-9f0d542ae191
requiredDataConnectors:
- connectorId: CyfirmaAttackSurfaceAlertsConnector
  dataTypes:
  - CyfirmaASCertificatesAlerts_CL
version: 1.0.0
name: CYFIRMA - Attack Surface - Weak Certificate Exposure - Medium Rule
# One alert per query row rather than one alert per run.
eventGroupingSettings:
  aggregationKind: AlertPerResult
# NOTE(review): the single quotes inside this literal block are part of the
# text and are carried verbatim into the ARM template's "description".
description: |
  'This alert indicates that a weak or insecure SSL/TLS certificate has been detected on a public-facing asset monitored by Cyfirma. 
  Such certificates do not meet modern encryption standards and are considered insecure, especially for handling sensitive transactions. 
  This exposure increases the risk of man-in-the-middle attacks and loss of data integrity or confidentiality. 
  Immediate remediation is advised by replacing weak certificates with strong, industry-compliant ones.'  
# NOTE(review): the query filters severity == 'High' although this is the
# Medium rule (name, severity and alert title all say Medium) — confirm the
# intended value against the connector's severity field.
# queryPeriod (5m) equals queryFrequency (5m) and the query's own timeFrame,
# so rows ingested more than 5m after their TimeGenerated are never evaluated.
query: |
  // Medium Severity Weak Certificate Exposure Detected
  let timeFrame = 5m;
  CyfirmaASCertificatesAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      ValidFrom=valid_from,
      ValidTo=valid_to,
      RiskScore=risk_score,
      Domain=sub_domain,
      TopDomain=top_domain,
      Protocols=protocols,
      SelfSigned=self_signed,
      AlertUID=alert_uid,
      UID=uid,
      CertificateData= cert_data,
      CertificateHash=cert_hash,
      IssuedBy=issued_by,
      IssuedTo=issued_to,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      Domain,
      TopDomain,
      RiskScore,
      FirstSeen,
      LastSeen,
      ValidFrom,
      ValidTo,
      Protocols,
      SelfSigned,
      CertificateData,
      CertificateHash,
      IssuedBy,
      IssuedTo,
      ProviderName,
      ProductName  
tactics:
- DefenseEvasion
- ResourceDevelopment
- Reconnaissance
- InitialAccess
- CredentialAccess
queryPeriod: 5m
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5a617ff2-3e3d-44e7-b761-9f0d542ae191')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5a617ff2-3e3d-44e7-b761-9f0d542ae191')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "CYFIRMA - Medium Severity Weak Certificate Exposure Detected  - {{Description}}",
          "alertDisplayNameFormat": "CYFIRMA - Medium Severity Weak Certificate Exposure Detected for this Domain  - {{Domain}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "5a617ff2-3e3d-44e7-b761-9f0d542ae191",
        "customDetails": {
          "CertificateData": "CertificateData",
          "CertificateHash": "CertificateHash",
          "Description": "Description",
          "Domain": "Domain",
          "FirstSeen": "FirstSeen",
          "IssuedBy": "IssuedBy",
          "IssuedTo": "IssuedTo",
          "LastSeen": "LastSeen",
          "Protocols": "Protocols",
          "RiskScore": "RiskScore",
          "SelfSigned": "SelfSigned",
          "TimeGenerated": "TimeGenerated",
          "TopDomain": "TopDomain",
          "ValidFrom": "ValidFrom",
          "ValidTo": "ValidTo"
        },
        "description": "'This alert indicates that a weak or insecure SSL/TLS certificate has been detected on a public-facing asset monitored by Cyfirma. \nSuch certificates do not meet modern encryption standards and are considered insecure, especially for handling sensitive transactions. \nThis exposure increases the risk of man-in-the-middle attacks and loss of data integrity or confidentiality. \nImmediate remediation is advised by replacing weak certificates with strong, industry-compliant ones.'\n",
        "displayName": "CYFIRMA - Attack Surface - Weak Certificate Exposure - Medium Rule",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "HostName",
                "identifier": "DomainName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "TopDomain",
                "identifier": "HostName"
              },
              {
                "columnName": "Domain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASCertificatesMediumRule.yaml",
        "query": "// Medium Severity Weak Certificate Exposure Detected\nlet timeFrame = 5m;\nCyfirmaASCertificatesAlerts_CL\n| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n    Description=description,\n    FirstSeen=first_seen,\n    LastSeen=last_seen,\n    ValidFrom=valid_from,\n    ValidTo=valid_to,\n    RiskScore=risk_score,\n    Domain=sub_domain,\n    TopDomain=top_domain,\n    Protocols=protocols,\n    SelfSigned=self_signed,\n    AlertUID=alert_uid,\n    UID=uid,\n    CertificateData= cert_data,\n    CertificateHash=cert_hash,\n    IssuedBy=issued_by,\n    IssuedTo=issued_to,\n    ProviderName='CYFIRMA',\n    ProductName='DeCYFIR/DeTCT'\n| project\n    TimeGenerated,\n    Description,\n    Domain,\n    TopDomain,\n    RiskScore,\n    FirstSeen,\n    LastSeen,\n    ValidFrom,\n    ValidTo,\n    Protocols,\n    SelfSigned,\n    CertificateData,\n    CertificateHash,\n    IssuedBy,\n    IssuedTo,\n    ProviderName,\n    ProductName\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "DefenseEvasion",
          "InitialAccess",
          "Reconnaissance",
          "ResourceDevelopment"
        ],
        "techniques": [
          "T1190",
          "T1552",
          "T1553",
          "T1588",
          "T1595"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}