CYFIRMA - Attack Surface - Weak Certificate Exposure - Medium Rule
| Id | 5a617ff2-3e3d-44e7-b761-9f0d542ae191 |
| Rulename | CYFIRMA - Attack Surface - Weak Certificate Exposure - Medium Rule |
| Description | This alert indicates that a weak or insecure SSL/TLS certificate has been detected on a public-facing asset monitored by Cyfirma. Such certificates do not meet modern encryption standards and are considered insecure, especially for handling sensitive transactions. This exposure increases the risk of man-in-the-middle attacks and loss of data integrity or confidentiality. Immediate remediation is advised by replacing weak certificates with strong, industry-compliant ones. |
| Severity | Medium |
| Tactics | DefenseEvasion ResourceDevelopment Reconnaissance InitialAccess CredentialAccess |
| Techniques | T1553 T1588 T1595 T1190 T1552 |
| Required data connectors | CyfirmaAttackSurfaceAlertsConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASCertificatesMediumRule.yaml |
| Version | 1.0.1 |
| Arm template | 5a617ff2-3e3d-44e7-b761-9f0d542ae191.json |
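// Medium Severity Weak Certificate Exposure Detected
// Pulls CYFIRMA attack-surface certificate alerts ingested in the last scheduling window
// and renames the connector's snake_case columns to the PascalCase names that the rule's
// entity mappings, customDetails and alert-format templates refer to.
let timeFrame = 5m;  // matches the rule's queryFrequency / queryPeriod of 5m
CyfirmaASCertificatesAlerts_CL
// NOTE(review): the rule is declared Medium everywhere else (name, severity, alert title),
// but the filter previously selected severity == 'High', which would re-raise the High
// rule's findings under a Medium label. 'Medium' is assumed to be the connector's value
// for this tier, following the 'High' casing — confirm against the ingested data.
| where severity == 'Medium' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description = description,
    FirstSeen = first_seen,
    LastSeen = last_seen,
    ValidFrom = valid_from,
    ValidTo = valid_to,
    RiskScore = risk_score,
    Domain = sub_domain,      // DNS / Host.DnsDomain entity and {{Domain}} in the alert title
    TopDomain = top_domain,   // Host.HostName entity
    Protocols = protocols,
    SelfSigned = self_signed,
    CertificateData = cert_data,
    CertificateHash = cert_hash,
    IssuedBy = issued_by,
    IssuedTo = issued_to,
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
// alert_uid / uid are not carried through; the output column set is what the rule's
// customDetails and entityMappings expect.
| project
    TimeGenerated,
    Description,
    Domain,
    TopDomain,
    RiskScore,
    FirstSeen,
    LastSeen,
    ValidFrom,
    ValidTo,
    Protocols,
    SelfSigned,
    CertificateData,
    CertificateHash,
    IssuedBy,
    IssuedTo,
    ProviderName,
    ProductName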
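# Columns surfaced as custom details on the alert; every value must be a column the
# query projects.
customDetails:
  ValidFrom: ValidFrom
  RiskScore: RiskScore
  ValidTo: ValidTo
  IssuedBy: IssuedBy
  FirstSeen: FirstSeen
  CertificateHash: CertificateHash
  LastSeen: LastSeen
  SelfSigned: SelfSigned
  IssuedTo: IssuedTo
  Description: Description
  Protocols: Protocols
  Domain: Domain
  CertificateData: CertificateData
  TopDomain: TopDomain
  TimeGenerated: TimeGenerated
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASCertificatesMediumRule.yaml
id: 5a617ff2-3e3d-44e7-b761-9f0d542ae191
requiredDataConnectors:
  - dataTypes:
      - CyfirmaASCertificatesAlerts_CL
    connectorId: CyfirmaAttackSurfaceAlertsConnector
incidentConfiguration:
  # Grouping is disabled, so each alert becomes its own incident; lookbackDuration
  # only takes effect if enabled is switched to true.
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
  createIncident: true
relevantTechniques:
  - T1553
  - T1588
  - T1595
  - T1190
  - T1552
kind: Scheduled
name: CYFIRMA - Attack Surface - Weak Certificate Exposure - Medium Rule
query: |
  // Medium Severity Weak Certificate Exposure Detected
  // Pulls CYFIRMA attack-surface certificate alerts ingested in the last scheduling window
  // and renames the connector's snake_case columns to the PascalCase names used by the
  // entity mappings, customDetails and alert-format templates below.
  let timeFrame = 5m;  // matches queryFrequency / queryPeriod
  CyfirmaASCertificatesAlerts_CL
  // NOTE(review): the rule is declared Medium everywhere else (name, severity, alert title),
  // but the filter previously selected severity == 'High', which would re-raise the High
  // rule's findings under a Medium label. 'Medium' is assumed to be the connector's value
  // for this tier, following the 'High' casing — confirm against the ingested data.
  | where severity == 'Medium' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description = description,
      FirstSeen = first_seen,
      LastSeen = last_seen,
      ValidFrom = valid_from,
      ValidTo = valid_to,
      RiskScore = risk_score,
      Domain = sub_domain,
      TopDomain = top_domain,
      Protocols = protocols,
      SelfSigned = self_signed,
      CertificateData = cert_data,
      CertificateHash = cert_hash,
      IssuedBy = issued_by,
      IssuedTo = issued_to,
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      Domain,
      TopDomain,
      RiskScore,
      FirstSeen,
      LastSeen,
      ValidFrom,
      ValidTo,
      Protocols,
      SelfSigned,
      CertificateData,
      CertificateHash,
      IssuedBy,
      IssuedTo,
      ProviderName,
      ProductName
tactics:
  - DefenseEvasion
  - ResourceDevelopment
  - Reconnaissance
  - InitialAccess
  - CredentialAccess
severity: Medium
entityMappings:
  - fieldMappings:
      # The query projects no HostName column, so the previous mapping
      # (columnName: HostName) produced an empty DNS entity; Domain is the
      # projected sub_domain value the alert title already refers to.
      - identifier: DomainName
        columnName: Domain
    entityType: DNS
  - fieldMappings:
      - identifier: HostName
        columnName: TopDomain
      - identifier: DnsDomain
        columnName: Domain
    entityType: Host
queryFrequency: 5m
# Literal block scalar: surrounding quotes would become part of the description text,
# so the text is written unquoted.
description: |
  This alert indicates that a weak or insecure SSL/TLS certificate has been detected on a public-facing asset monitored by Cyfirma.
  Such certificates do not meet modern encryption standards and are considered insecure, especially for handling sensitive transactions.
  This exposure increases the risk of man-in-the-middle attacks and loss of data integrity or confidentiality.
  Immediate remediation is advised by replacing weak certificates with strong, industry-compliant ones.
alertDetailsOverride:
  alertDisplayNameFormat: CYFIRMA - Medium Severity Weak Certificate Exposure Detected for this Domain - {{Domain}}
  alertDescriptionFormat: CYFIRMA - Medium Severity Weak Certificate Exposure Detected - {{Description}}
  alertDynamicProperties:
    - value: ProductName
      alertProperty: ProductName
    - value: ProviderName
      alertProperty: ProviderName
triggerThreshold: 0
triggerOperator: gt
version: 1.0.1
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryPeriod: 5m
status: Available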