CYFIRMA - Medium Severity Asset based Vulnerabilities Rule Alert

Back


Id	6306f2d9-34a3-409a-850d-175b7bdd1ab1
Rulename	CYFIRMA - Medium Severity Asset based Vulnerabilities Rule Alert
Description	“This rule detects medium severity asset-based vulnerabilities from CYFIRMA’s vulnerability intelligence data. It identifies vulnerabilities with a confidence score of 50 or higher, excluding those categorized as ‘ATTACK_SURFACE_VULNERABILITY’, and generates alerts for assets that may be at risk.”
Severity	Medium
Tactics	Execution LateralMovement PrivilegeEscalation InitialAccess CredentialAccess DefenseEvasion
Techniques	T1059 T1203 T1210 T1068 T1190 T1133 T1003 T1553 T1548.002 T1021.002
Required data connectors	CyfirmaVulnerabilitiesIntelDC
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	GreaterThan
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Vulnerabilities Intel/Analytic Rules/AssetVulnerabilitiesMediumSeverityRule.yaml
Version	1.0.1
Arm template	6306f2d9-34a3-409a-850d-175b7bdd1ab1.json

KQL

// Medium severity - Asset based Vulnerabilities
let timeFrame= 5m;
CyfirmaVulnerabilities_CL
| extend parsed = parse_json(extensions)
| extend extensionKeys = bag_keys(parsed)
| mv-expand extensionKeys
| extend extensionKeyStr = tostring(extensionKeys)
| extend ext = parsed[extensionKeyStr]
| extend props = ext.properties
| extend 
    attack_complexity         = tostring(props.attack_complexity),
    cvss_score                = toreal(props.cvss_score),
    integrity_impact          = tostring(props.integrity_impact),
    impact_score              = tostring(props.impact_score),
    attack_vector             = tostring(props.attack_vector),
    privileges_required       = tostring(props.privileges_required),
    cvss_version              = tostring(props.cvss_version),
    user_interaction          = tostring(props.user_interaction),
    cvss_vector               = tostring(props.cvss_vector),
    scope                     = tostring(props.scope),
    confidentiality_impact    = tostring(props.confidentiality_impact),
    exploitability_score      = toreal(props.exploitability_score),
    products                  = tostring(props.products),
    technologies              = tostring(props.technologies),
    vendors                   = tostring(props.vendors),
    confidence_score          = toint(confidence),
    servers                   = tostring(props.servers),
    vulnerability_type        = tostring(props.vulnerability_type),
    vulnerability_category        = tostring(props.vulnerability_category),
    NetworkIPs                = tostring(props.ips),
    ProviderName              ='CYFIRMA',
    ProductName               ='DeCYFIR/DeTCT'
| summarize arg_max(
                integrity_impact,
                TimeGenerated, 
                id,
                description,
                confidence_score,
                created,
                modified,
                attack_complexity,
                cvss_score,
                impact_score,
                attack_vector,
                privileges_required,
                cvss_version,
                user_interaction,
                cvss_vector,
                scope,
                confidentiality_impact,
                exploitability_score,
                products,
                technologies,
                vendors,
                ProviderName,
                ProductName,
                servers,
                NetworkIPs,
                vulnerability_type,
                vulnerability_category
            )
    by name
| where  confidence_score >= 60 and vulnerability_category != 'ATTACK_SURFACE_VULNERABILITY' and TimeGenerated between (ago(timeFrame) .. now())
| project 
    TimeGenerated,
    name,
    confidence_score,
    integrity_impact,
    attack_complexity,
    cvss_score,
    impact_score,
    attack_vector,
    UID = id,
    description,
    created,
    modified,
    privileges_required,
    cvss_version,
    user_interaction,
    cvss_vector,
    scope,
    confidentiality_impact,
    exploitability_score,
    products,
    technologies,
    vendors,
    ProviderName,
    ProductName,
    servers,
    NetworkIPs,
    vulnerability_type,
    vulnerability_category

YAML

incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: PT5H
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
alertDescriptionFormat: '{{description}} '
id: 6306f2d9-34a3-409a-850d-175b7bdd1ab1
alertDynamicProperties:
- value: ProductName
  alertProperty: ProductName
- value: ProviderName
  alertProperty: ProviderName
description: |
  "This rule detects medium severity asset-based vulnerabilities from CYFIRMA's vulnerability intelligence data. 
  It identifies vulnerabilities with a confidence score of 50 or higher, excluding those categorized as 'ATTACK_SURFACE_VULNERABILITY', and generates alerts for assets that may be at risk."  
requiredDataConnectors:
- connectorId: CyfirmaVulnerabilitiesIntelDC
  dataTypes:
  - CyfirmaVulnerabilities_CL
enabled: false
tactics:
- Execution
- LateralMovement
- PrivilegeEscalation
- InitialAccess
- CredentialAccess
- DefenseEvasion
alertDetailsOverride: 
queryFrequency: 5m
queryPeriod: 5m
suppressionEnabled: false
triggerOperator: GreaterThan
alertDisplayNameFormat: 'CYFIRMA - Medium Severity Asset based Vulnerability Identified - {{name}} '
kind: Scheduled
query: |
  // Medium severity - Asset based Vulnerabilities
  let timeFrame= 5m;
  CyfirmaVulnerabilities_CL
  | extend parsed = parse_json(extensions)
  | extend extensionKeys = bag_keys(parsed)
  | mv-expand extensionKeys
  | extend extensionKeyStr = tostring(extensionKeys)
  | extend ext = parsed[extensionKeyStr]
  | extend props = ext.properties
  | extend 
      attack_complexity         = tostring(props.attack_complexity),
      cvss_score                = toreal(props.cvss_score),
      integrity_impact          = tostring(props.integrity_impact),
      impact_score              = tostring(props.impact_score),
      attack_vector             = tostring(props.attack_vector),
      privileges_required       = tostring(props.privileges_required),
      cvss_version              = tostring(props.cvss_version),
      user_interaction          = tostring(props.user_interaction),
      cvss_vector               = tostring(props.cvss_vector),
      scope                     = tostring(props.scope),
      confidentiality_impact    = tostring(props.confidentiality_impact),
      exploitability_score      = toreal(props.exploitability_score),
      products                  = tostring(props.products),
      technologies              = tostring(props.technologies),
      vendors                   = tostring(props.vendors),
      confidence_score          = toint(confidence),
      servers                   = tostring(props.servers),
      vulnerability_type        = tostring(props.vulnerability_type),
      vulnerability_category        = tostring(props.vulnerability_category),
      NetworkIPs                = tostring(props.ips),
      ProviderName              ='CYFIRMA',
      ProductName               ='DeCYFIR/DeTCT'
  | summarize arg_max(
                  integrity_impact,
                  TimeGenerated, 
                  id,
                  description,
                  confidence_score,
                  created,
                  modified,
                  attack_complexity,
                  cvss_score,
                  impact_score,
                  attack_vector,
                  privileges_required,
                  cvss_version,
                  user_interaction,
                  cvss_vector,
                  scope,
                  confidentiality_impact,
                  exploitability_score,
                  products,
                  technologies,
                  vendors,
                  ProviderName,
                  ProductName,
                  servers,
                  NetworkIPs,
                  vulnerability_type,
                  vulnerability_category
              )
      by name
  | where  confidence_score >= 60 and vulnerability_category != 'ATTACK_SURFACE_VULNERABILITY' and TimeGenerated between (ago(timeFrame) .. now())
  | project 
      TimeGenerated,
      name,
      confidence_score,
      integrity_impact,
      attack_complexity,
      cvss_score,
      impact_score,
      attack_vector,
      UID = id,
      description,
      created,
      modified,
      privileges_required,
      cvss_version,
      user_interaction,
      cvss_vector,
      scope,
      confidentiality_impact,
      exploitability_score,
      products,
      technologies,
      vendors,
      ProviderName,
      ProductName,
      servers,
      NetworkIPs,
      vulnerability_type,
      vulnerability_category  
customDetails:
  CVSSVector: cvss_vector
  Products: products
  scope: scope
  ConfidenceScore: confidence_score
  ImpactScore: impact_score
  ExploitabilityScore: exploitability_score
  IntegrityImpact: integrity_impact
  Vendors: vendors
  CVSSScore: cvss_score
  AttackComplexity: attack_complexity
  ConfidentialImpact: confidentiality_impact
  CVE: name
  CVSSVersion: cvss_version
  Modified: modified
  TimeGenerated: TimeGenerated
  PrivilegesRequired: privileges_required
  UserInteraction: user_interaction
  AttackVector: attack_vector
  Technologies: technologies
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Vulnerabilities Intel/Analytic Rules/AssetVulnerabilitiesMediumSeverityRule.yaml
version: 1.0.1
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1059
- T1203
- T1210
- T1068
- T1190
- T1133
- T1003
- T1553
- T1548.002
- T1021.002
suppressionDuration: 5m
severity: Medium
name: CYFIRMA - Medium Severity Asset based Vulnerabilities Rule Alert
triggerThreshold: 0

ARM