Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Medium Severity Asset based Vulnerabilities Rule Alert

Back
Id6306f2d9-34a3-409a-850d-175b7bdd1ab1
RulenameCYFIRMA - Medium Severity Asset based Vulnerabilities Rule Alert
Description“This rule detects medium severity asset-based vulnerabilities from CYFIRMA’s vulnerability intelligence data.

It identifies vulnerabilities with a confidence score of 50 or higher, excluding those categorized as ‘ATTACK_SURFACE_VULNERABILITY’, and generates alerts for assets that may be at risk.”
SeverityMedium
TacticsExecution
LateralMovement
PrivilegeEscalation
InitialAccess
CredentialAccess
DefenseEvasion
TechniquesT1059
T1203
T1210
T1068
T1190
T1133
T1003
T1553
T1548.002
T1021.002
Required data connectorsCyfirmaVulnerabilitiesIntelDC
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Vulnerabilities Intel/Analytic Rules/AssetVulnerabilitiesMediumSeverityRule.yaml
Version1.0.0
Arm template6306f2d9-34a3-409a-850d-175b7bdd1ab1.json
Deploy To Azure
// Medium severity - Asset based Vulnerabilities
let timeFrame= 5m;
CyfirmaVulnerabilities_CL
| extend parsed = parse_json(extensions)
| extend extensionKeys = bag_keys(parsed)
| mv-expand extensionKeys
| extend extensionKeyStr = tostring(extensionKeys)
| extend ext = parsed[extensionKeyStr]
| extend props = ext.properties
| extend 
    attack_complexity         = tostring(props.attack_complexity),
    cvss_score                = toreal(props.cvss_score),
    integrity_impact          = tostring(props.integrity_impact),
    impact_score              = tostring(props.impact_score),
    attack_vector             = tostring(props.attack_vector),
    privileges_required       = tostring(props.privileges_required),
    cvss_version              = tostring(props.cvss_version),
    user_interaction          = tostring(props.user_interaction),
    cvss_vector               = tostring(props.cvss_vector),
    scope                     = tostring(props.scope),
    confidentiality_impact    = tostring(props.confidentiality_impact),
    exploitability_score      = toreal(props.exploitability_score),
    products                  = tostring(props.products),
    technologies              = tostring(props.technologies),
    vendors                   = tostring(props.vendors),
    confidence_score          = toint(confidence),
    servers                   = tostring(props.servers),
    vulnerability_type        = tostring(props.vulnerability_type),
    vulnerability_category        = tostring(props.vulnerability_category),
    NetworkIPs                = tostring(props.ips),
    ProviderName              ='CYFIRMA',
    ProductName               ='DeCYFIR/DeTCT'
| summarize arg_max(
                integrity_impact,
                TimeGenerated, 
                id,
                description,
                confidence_score,
                created,
                modified,
                attack_complexity,
                cvss_score,
                impact_score,
                attack_vector,
                privileges_required,
                cvss_version,
                user_interaction,
                cvss_vector,
                scope,
                confidentiality_impact,
                exploitability_score,
                products,
                technologies,
                vendors,
                ProviderName,
                ProductName,
                servers,
                NetworkIPs,
                vulnerability_type,
                vulnerability_category
            )
    by name
| where  confidence_score >= 60 and vulnerability_category != 'ATTACK_SURFACE_VULNERABILITY' and TimeGenerated between (ago(timeFrame) .. now())
| project 
    TimeGenerated,
    name,
    confidence_score,
    integrity_impact,
    attack_complexity,
    cvss_score,
    impact_score,
    attack_vector,
    UID = id,
    description,
    created,
    modified,
    privileges_required,
    cvss_version,
    user_interaction,
    cvss_vector,
    scope,
    confidentiality_impact,
    exploitability_score,
    products,
    technologies,
    vendors,
    ProviderName,
    ProductName,
    servers,
    NetworkIPs,
    vulnerability_type,
    vulnerability_category
tactics:
- Execution
- LateralMovement
- PrivilegeEscalation
- InitialAccess
- CredentialAccess
- DefenseEvasion
enabled: false
id: 6306f2d9-34a3-409a-850d-175b7bdd1ab1
requiredDataConnectors:
- connectorId: CyfirmaVulnerabilitiesIntelDC
  dataTypes:
  - CyfirmaVulnerabilities_CL
query: |
  // Medium severity - Asset based Vulnerabilities
  let timeFrame= 5m;
  CyfirmaVulnerabilities_CL
  | extend parsed = parse_json(extensions)
  | extend extensionKeys = bag_keys(parsed)
  | mv-expand extensionKeys
  | extend extensionKeyStr = tostring(extensionKeys)
  | extend ext = parsed[extensionKeyStr]
  | extend props = ext.properties
  | extend 
      attack_complexity         = tostring(props.attack_complexity),
      cvss_score                = toreal(props.cvss_score),
      integrity_impact          = tostring(props.integrity_impact),
      impact_score              = tostring(props.impact_score),
      attack_vector             = tostring(props.attack_vector),
      privileges_required       = tostring(props.privileges_required),
      cvss_version              = tostring(props.cvss_version),
      user_interaction          = tostring(props.user_interaction),
      cvss_vector               = tostring(props.cvss_vector),
      scope                     = tostring(props.scope),
      confidentiality_impact    = tostring(props.confidentiality_impact),
      exploitability_score      = toreal(props.exploitability_score),
      products                  = tostring(props.products),
      technologies              = tostring(props.technologies),
      vendors                   = tostring(props.vendors),
      confidence_score          = toint(confidence),
      servers                   = tostring(props.servers),
      vulnerability_type        = tostring(props.vulnerability_type),
      vulnerability_category        = tostring(props.vulnerability_category),
      NetworkIPs                = tostring(props.ips),
      ProviderName              ='CYFIRMA',
      ProductName               ='DeCYFIR/DeTCT'
  | summarize arg_max(
                  integrity_impact,
                  TimeGenerated, 
                  id,
                  description,
                  confidence_score,
                  created,
                  modified,
                  attack_complexity,
                  cvss_score,
                  impact_score,
                  attack_vector,
                  privileges_required,
                  cvss_version,
                  user_interaction,
                  cvss_vector,
                  scope,
                  confidentiality_impact,
                  exploitability_score,
                  products,
                  technologies,
                  vendors,
                  ProviderName,
                  ProductName,
                  servers,
                  NetworkIPs,
                  vulnerability_type,
                  vulnerability_category
              )
      by name
  | where  confidence_score >= 60 and vulnerability_category != 'ATTACK_SURFACE_VULNERABILITY' and TimeGenerated between (ago(timeFrame) .. now())
  | project 
      TimeGenerated,
      name,
      confidence_score,
      integrity_impact,
      attack_complexity,
      cvss_score,
      impact_score,
      attack_vector,
      UID = id,
      description,
      created,
      modified,
      privileges_required,
      cvss_version,
      user_interaction,
      cvss_vector,
      scope,
      confidentiality_impact,
      exploitability_score,
      products,
      technologies,
      vendors,
      ProviderName,
      ProductName,
      servers,
      NetworkIPs,
      vulnerability_type,
      vulnerability_category  
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1059
- T1203
- T1210
- T1068
- T1190
- T1133
- T1003
- T1553
- T1548.002
- T1021.002
name: CYFIRMA - Medium Severity Asset based Vulnerabilities Rule Alert
description: |
  "This rule detects medium severity asset-based vulnerabilities from CYFIRMA's vulnerability intelligence data. 
  It identifies vulnerabilities with a confidence score of 50 or higher, excluding those categorized as 'ATTACK_SURFACE_VULNERABILITY', and generates alerts for assets that may be at risk."  
triggerOperator: GreaterThan
queryPeriod: 5m
alertDisplayNameFormat: 'CYFIRMA - Medium Severity Asset based Vulnerability Identified - {{name}} '
suppressionDuration: 5m
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Vulnerabilities Intel/Analytic Rules/AssetVulnerabilitiesMediumSeverityRule.yaml
version: 1.0.0
alertDetailsOverride: 
triggerThreshold: 0
suppressionEnabled: false
alertDynamicProperties:
- alertProperty: ProductName
  value: ProductName
- alertProperty: ProviderName
  value: ProviderName
alertDescriptionFormat: '{{description}} '
queryFrequency: 5m
kind: Scheduled
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: 5m
    enabled: false
customDetails:
  Modified: modified
  PrivilegesRequired: privileges_required
  ConfidenceScore: confidence_score
  TimeGenerated: TimeGenerated
  CVSSVersion: cvss_version
  CVSSScore: cvss_score
  ImpactScore: impact_score
  AttackVector: attack_vector
  scope: scope
  AttackComplexity: attack_complexity
  Technologies: technologies
  CVE: name
  ExploitabilityScore: exploitability_score
  Products: products
  IntegrityImpact: integrity_impact
  ConfidentialImpact: confidentiality_impact
  Vendors: vendors
  CVSSVector: cvss_vector
  UserInteraction: user_interaction
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6306f2d9-34a3-409a-850d-175b7bdd1ab1')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6306f2d9-34a3-409a-850d-175b7bdd1ab1')]",
      "properties": {
        "alertDescriptionFormat": "{{description}} ",
        "alertDetailsOverride": null,
        "alertDisplayNameFormat": "CYFIRMA - Medium Severity Asset based Vulnerability Identified - {{name}} ",
        "alertDynamicProperties": [
          {
            "alertProperty": "ProductName",
            "value": "ProductName"
          },
          {
            "alertProperty": "ProviderName",
            "value": "ProviderName"
          }
        ],
        "alertRuleTemplateName": "6306f2d9-34a3-409a-850d-175b7bdd1ab1",
        "customDetails": {
          "AttackComplexity": "attack_complexity",
          "AttackVector": "attack_vector",
          "ConfidenceScore": "confidence_score",
          "ConfidentialImpact": "confidentiality_impact",
          "CVE": "name",
          "CVSSScore": "cvss_score",
          "CVSSVector": "cvss_vector",
          "CVSSVersion": "cvss_version",
          "ExploitabilityScore": "exploitability_score",
          "ImpactScore": "impact_score",
          "IntegrityImpact": "integrity_impact",
          "Modified": "modified",
          "PrivilegesRequired": "privileges_required",
          "Products": "products",
          "scope": "scope",
          "Technologies": "technologies",
          "TimeGenerated": "TimeGenerated",
          "UserInteraction": "user_interaction",
          "Vendors": "vendors"
        },
        "description": "\"This rule detects medium severity asset-based vulnerabilities from CYFIRMA's vulnerability intelligence data. \nIt identifies vulnerabilities with a confidence score of 50 or higher, excluding those categorized as 'ATTACK_SURFACE_VULNERABILITY', and generates alerts for assets that may be at risk.\"\n",
        "displayName": "CYFIRMA - Medium Severity Asset based Vulnerabilities Rule Alert",
        "enabled": false,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5M",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Vulnerabilities Intel/Analytic Rules/AssetVulnerabilitiesMediumSeverityRule.yaml",
        "query": "// Medium severity - Asset based Vulnerabilities\nlet timeFrame= 5m;\nCyfirmaVulnerabilities_CL\n| extend parsed = parse_json(extensions)\n| extend extensionKeys = bag_keys(parsed)\n| mv-expand extensionKeys\n| extend extensionKeyStr = tostring(extensionKeys)\n| extend ext = parsed[extensionKeyStr]\n| extend props = ext.properties\n| extend \n    attack_complexity         = tostring(props.attack_complexity),\n    cvss_score                = toreal(props.cvss_score),\n    integrity_impact          = tostring(props.integrity_impact),\n    impact_score              = tostring(props.impact_score),\n    attack_vector             = tostring(props.attack_vector),\n    privileges_required       = tostring(props.privileges_required),\n    cvss_version              = tostring(props.cvss_version),\n    user_interaction          = tostring(props.user_interaction),\n    cvss_vector               = tostring(props.cvss_vector),\n    scope                     = tostring(props.scope),\n    confidentiality_impact    = tostring(props.confidentiality_impact),\n    exploitability_score      = toreal(props.exploitability_score),\n    products                  = tostring(props.products),\n    technologies              = tostring(props.technologies),\n    vendors                   = tostring(props.vendors),\n    confidence_score          = toint(confidence),\n    servers                   = tostring(props.servers),\n    vulnerability_type        = tostring(props.vulnerability_type),\n    vulnerability_category        = tostring(props.vulnerability_category),\n    NetworkIPs                = tostring(props.ips),\n    ProviderName              ='CYFIRMA',\n    ProductName               ='DeCYFIR/DeTCT'\n| summarize arg_max(\n                integrity_impact,\n                TimeGenerated, \n                id,\n                description,\n                confidence_score,\n                created,\n                modified,\n                attack_complexity,\n                cvss_score,\n                impact_score,\n                attack_vector,\n                privileges_required,\n                cvss_version,\n                user_interaction,\n                cvss_vector,\n                scope,\n                confidentiality_impact,\n                exploitability_score,\n                products,\n                technologies,\n                vendors,\n                ProviderName,\n                ProductName,\n                servers,\n                NetworkIPs,\n                vulnerability_type,\n                vulnerability_category\n            )\n    by name\n| where  confidence_score >= 60 and vulnerability_category != 'ATTACK_SURFACE_VULNERABILITY' and TimeGenerated between (ago(timeFrame) .. now())\n| project \n    TimeGenerated,\n    name,\n    confidence_score,\n    integrity_impact,\n    attack_complexity,\n    cvss_score,\n    impact_score,\n    attack_vector,\n    UID = id,\n    description,\n    created,\n    modified,\n    privileges_required,\n    cvss_version,\n    user_interaction,\n    cvss_vector,\n    scope,\n    confidentiality_impact,\n    exploitability_score,\n    products,\n    technologies,\n    vendors,\n    ProviderName,\n    ProductName,\n    servers,\n    NetworkIPs,\n    vulnerability_type,\n    vulnerability_category\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "subTechniques": [
          "T1548.002",
          "T1021.002"
        ],
        "suppressionDuration": "PT5M",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "DefenseEvasion",
          "Execution",
          "InitialAccess",
          "LateralMovement",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1003",
          "T1021",
          "T1059",
          "T1068",
          "T1133",
          "T1190",
          "T1203",
          "T1210",
          "T1548",
          "T1553"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}