CYFIRMA - Medium Severity Asset based Vulnerabilities Rule Alert

Back


Id	6306f2d9-34a3-409a-850d-175b7bdd1ab1
Rulename	CYFIRMA - Medium Severity Asset based Vulnerabilities Rule Alert
Description	“This rule detects medium severity asset-based vulnerabilities from CYFIRMA’s vulnerability intelligence data. It identifies vulnerabilities with a confidence score of 50 or higher, excluding those categorized as ‘ATTACK_SURFACE_VULNERABILITY’, and generates alerts for assets that may be at risk.”
Severity	Medium
Tactics	Execution LateralMovement PrivilegeEscalation InitialAccess CredentialAccess DefenseEvasion
Techniques	T1059 T1203 T1210 T1068 T1190 T1133 T1003 T1553 T1548.002 T1021.002
Required data connectors	CyfirmaVulnerabilitiesIntelDC
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	GreaterThan
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Vulnerabilities Intel/Analytic Rules/AssetVulnerabilitiesMediumSeverityRule.yaml
Version	1.0.1
Arm template	6306f2d9-34a3-409a-850d-175b7bdd1ab1.json

KQL

// Medium severity - Asset based Vulnerabilities
let timeFrame= 5m;
CyfirmaVulnerabilities_CL
| extend parsed = parse_json(extensions)
| extend extensionKeys = bag_keys(parsed)
| mv-expand extensionKeys
| extend extensionKeyStr = tostring(extensionKeys)
| extend ext = parsed[extensionKeyStr]
| extend props = ext.properties
| extend 
    attack_complexity         = tostring(props.attack_complexity),
    cvss_score                = toreal(props.cvss_score),
    integrity_impact          = tostring(props.integrity_impact),
    impact_score              = tostring(props.impact_score),
    attack_vector             = tostring(props.attack_vector),
    privileges_required       = tostring(props.privileges_required),
    cvss_version              = tostring(props.cvss_version),
    user_interaction          = tostring(props.user_interaction),
    cvss_vector               = tostring(props.cvss_vector),
    scope                     = tostring(props.scope),
    confidentiality_impact    = tostring(props.confidentiality_impact),
    exploitability_score      = toreal(props.exploitability_score),
    products                  = tostring(props.products),
    technologies              = tostring(props.technologies),
    vendors                   = tostring(props.vendors),
    confidence_score          = toint(confidence),
    servers                   = tostring(props.servers),
    vulnerability_type        = tostring(props.vulnerability_type),
    vulnerability_category        = tostring(props.vulnerability_category),
    NetworkIPs                = tostring(props.ips),
    ProviderName              ='CYFIRMA',
    ProductName               ='DeCYFIR/DeTCT'
| summarize arg_max(
                integrity_impact,
                TimeGenerated, 
                id,
                description,
                confidence_score,
                created,
                modified,
                attack_complexity,
                cvss_score,
                impact_score,
                attack_vector,
                privileges_required,
                cvss_version,
                user_interaction,
                cvss_vector,
                scope,
                confidentiality_impact,
                exploitability_score,
                products,
                technologies,
                vendors,
                ProviderName,
                ProductName,
                servers,
                NetworkIPs,
                vulnerability_type,
                vulnerability_category
            )
    by name
| where  confidence_score >= 60 and vulnerability_category != 'ATTACK_SURFACE_VULNERABILITY' and TimeGenerated between (ago(timeFrame) .. now())
| project 
    TimeGenerated,
    name,
    confidence_score,
    integrity_impact,
    attack_complexity,
    cvss_score,
    impact_score,
    attack_vector,
    UID = id,
    description,
    created,
    modified,
    privileges_required,
    cvss_version,
    user_interaction,
    cvss_vector,
    scope,
    confidentiality_impact,
    exploitability_score,
    products,
    technologies,
    vendors,
    ProviderName,
    ProductName,
    servers,
    NetworkIPs,
    vulnerability_type,
    vulnerability_category

YAML

queryPeriod: 5m
description: |
  "This rule detects medium severity asset-based vulnerabilities from CYFIRMA's vulnerability intelligence data. 
  It identifies vulnerabilities with a confidence score of 50 or higher, excluding those categorized as 'ATTACK_SURFACE_VULNERABILITY', and generates alerts for assets that may be at risk."  
kind: Scheduled
query: |
  // Medium severity - Asset based Vulnerabilities
  let timeFrame= 5m;
  CyfirmaVulnerabilities_CL
  | extend parsed = parse_json(extensions)
  | extend extensionKeys = bag_keys(parsed)
  | mv-expand extensionKeys
  | extend extensionKeyStr = tostring(extensionKeys)
  | extend ext = parsed[extensionKeyStr]
  | extend props = ext.properties
  | extend 
      attack_complexity         = tostring(props.attack_complexity),
      cvss_score                = toreal(props.cvss_score),
      integrity_impact          = tostring(props.integrity_impact),
      impact_score              = tostring(props.impact_score),
      attack_vector             = tostring(props.attack_vector),
      privileges_required       = tostring(props.privileges_required),
      cvss_version              = tostring(props.cvss_version),
      user_interaction          = tostring(props.user_interaction),
      cvss_vector               = tostring(props.cvss_vector),
      scope                     = tostring(props.scope),
      confidentiality_impact    = tostring(props.confidentiality_impact),
      exploitability_score      = toreal(props.exploitability_score),
      products                  = tostring(props.products),
      technologies              = tostring(props.technologies),
      vendors                   = tostring(props.vendors),
      confidence_score          = toint(confidence),
      servers                   = tostring(props.servers),
      vulnerability_type        = tostring(props.vulnerability_type),
      vulnerability_category        = tostring(props.vulnerability_category),
      NetworkIPs                = tostring(props.ips),
      ProviderName              ='CYFIRMA',
      ProductName               ='DeCYFIR/DeTCT'
  | summarize arg_max(
                  integrity_impact,
                  TimeGenerated, 
                  id,
                  description,
                  confidence_score,
                  created,
                  modified,
                  attack_complexity,
                  cvss_score,
                  impact_score,
                  attack_vector,
                  privileges_required,
                  cvss_version,
                  user_interaction,
                  cvss_vector,
                  scope,
                  confidentiality_impact,
                  exploitability_score,
                  products,
                  technologies,
                  vendors,
                  ProviderName,
                  ProductName,
                  servers,
                  NetworkIPs,
                  vulnerability_type,
                  vulnerability_category
              )
      by name
  | where  confidence_score >= 60 and vulnerability_category != 'ATTACK_SURFACE_VULNERABILITY' and TimeGenerated between (ago(timeFrame) .. now())
  | project 
      TimeGenerated,
      name,
      confidence_score,
      integrity_impact,
      attack_complexity,
      cvss_score,
      impact_score,
      attack_vector,
      UID = id,
      description,
      created,
      modified,
      privileges_required,
      cvss_version,
      user_interaction,
      cvss_vector,
      scope,
      confidentiality_impact,
      exploitability_score,
      products,
      technologies,
      vendors,
      ProviderName,
      ProductName,
      servers,
      NetworkIPs,
      vulnerability_type,
      vulnerability_category  
suppressionDuration: 5m
tactics:
- Execution
- LateralMovement
- PrivilegeEscalation
- InitialAccess
- CredentialAccess
- DefenseEvasion
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    reopenClosedIncident: false
  createIncident: true
alertDynamicProperties:
- alertProperty: ProductName
  value: ProductName
- alertProperty: ProviderName
  value: ProviderName
triggerOperator: GreaterThan
enabled: false
eventGroupingSettings:
  aggregationKind: AlertPerResult
suppressionEnabled: false
alertDetailsOverride: 
id: 6306f2d9-34a3-409a-850d-175b7bdd1ab1
alertDescriptionFormat: '{{description}} '
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Vulnerabilities Intel/Analytic Rules/AssetVulnerabilitiesMediumSeverityRule.yaml
triggerThreshold: 0
customDetails:
  PrivilegesRequired: privileges_required
  CVE: name
  ConfidenceScore: confidence_score
  UserInteraction: user_interaction
  CVSSScore: cvss_score
  ConfidentialImpact: confidentiality_impact
  Vendors: vendors
  Technologies: technologies
  Modified: modified
  ExploitabilityScore: exploitability_score
  TimeGenerated: TimeGenerated
  CVSSVersion: cvss_version
  IntegrityImpact: integrity_impact
  AttackComplexity: attack_complexity
  scope: scope
  ImpactScore: impact_score
  Products: products
  CVSSVector: cvss_vector
  AttackVector: attack_vector
alertDisplayNameFormat: 'CYFIRMA - Medium Severity Asset based Vulnerability Identified - {{name}} '
relevantTechniques:
- T1059
- T1203
- T1210
- T1068
- T1190
- T1133
- T1003
- T1553
- T1548.002
- T1021.002
name: CYFIRMA - Medium Severity Asset based Vulnerabilities Rule Alert
severity: Medium
requiredDataConnectors:
- dataTypes:
  - CyfirmaVulnerabilities_CL
  connectorId: CyfirmaVulnerabilitiesIntelDC
queryFrequency: 5m

ARM