CYFIRMA - Attack Surface - Cloud Weakness High Rule
| Id | 87cd8b10-90f6-4967-a4a7-2142e848ec8f |
| Rulename | CYFIRMA - Attack Surface - Cloud Weakness High Rule |
| Description | “This rule detects cloud storage buckets (e.g., AWS S3) that are publicly accessible without authentication. Such misconfigurations can lead to data exfiltration, compliance violations, and reputational damage. The detection is based on Cyfirma’s Attack Surface Intelligence.” |
| Severity | High |
| Tactics | InitialAccess Collection Discovery Exfiltration |
| Techniques | T1087 T1087.004 |
| Required data connectors | CyfirmaAttackSurfaceAlertsConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASCloudWeaknessHighRule.yaml |
| Version | 1.0.0 |
| Arm template | 87cd8b10-90f6-4967-a4a7-2142e848ec8f.json |
// High Severity - Attack Surface - Cloud Weakness - Unauthorized Public Cloud Storage Exposure Detected
let timeFrame = 5m;
CyfirmaASCloudWeaknessAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
Domain=asset_name,
AlertUID=alert_uid,
UID=uid,
Source=source,
SourceType=source_type,
CreatedDate=created_date,
Impact=impact,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT'
| project
TimeGenerated,
Description,
Domain,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
Source,
SourceType,
CreatedDate,
Impact,
ProviderName,
ProductName
entityMappings:
- fieldMappings:
- columnName: Domain
identifier: DomainName
entityType: DNS
triggerThreshold: 0
severity: High
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: 5h
enabled: false
matchingMethod: AllEntities
reopenClosedIncident: false
queryFrequency: 5m
status: Available
customDetails:
CreatedDate: CreatedDate
TimeGenerated: TimeGenerated
LastSeen: LastSeen
Impact: Impact
RiskScore: RiskScore
SourceType: SourceType
FirstSeen: FirstSeen
Source: Source
UID: UID
AlertUID: AlertUID
relevantTechniques:
- T1087
- T1087.004
alertDetailsOverride:
alertDisplayNameFormat: 'CYFIRMA - High Severity Alert - Unauthorized Public Cloud Storage Exposure Detected - Domain: {{Domain}} '
alertDescriptionFormat: 'CYFIRMA - High Severity Alert - Unauthorized Public Cloud Storage Exposure Detected - {{Description}} '
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASCloudWeaknessHighRule.yaml
triggerOperator: gt
id: 87cd8b10-90f6-4967-a4a7-2142e848ec8f
requiredDataConnectors:
- connectorId: CyfirmaAttackSurfaceAlertsConnector
dataTypes:
- CyfirmaASCloudWeaknessAlerts_CL
version: 1.0.0
name: CYFIRMA - Attack Surface - Cloud Weakness High Rule
eventGroupingSettings:
aggregationKind: AlertPerResult
description: |
"This rule detects cloud storage buckets (e.g., AWS S3) that are publicly accessible without authentication.
Such misconfigurations can lead to data exfiltration, compliance violations, and reputational damage.
The detection is based on Cyfirma's Attack Surface Intelligence."
query: |
// High Severity - Attack Surface - Cloud Weakness - Unauthorized Public Cloud Storage Exposure Detected
let timeFrame = 5m;
CyfirmaASCloudWeaknessAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
Domain=asset_name,
AlertUID=alert_uid,
UID=uid,
Source=source,
SourceType=source_type,
CreatedDate=created_date,
Impact=impact,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT'
| project
TimeGenerated,
Description,
Domain,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
Source,
SourceType,
CreatedDate,
Impact,
ProviderName,
ProductName
tactics:
- InitialAccess
- Collection
- Discovery
- Exfiltration
queryPeriod: 5m
kind: Scheduled
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/87cd8b10-90f6-4967-a4a7-2142e848ec8f')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/87cd8b10-90f6-4967-a4a7-2142e848ec8f')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "CYFIRMA - High Severity Alert - Unauthorized Public Cloud Storage Exposure Detected - {{Description}} ",
"alertDisplayNameFormat": "CYFIRMA - High Severity Alert - Unauthorized Public Cloud Storage Exposure Detected - Domain: {{Domain}} ",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "87cd8b10-90f6-4967-a4a7-2142e848ec8f",
"customDetails": {
"AlertUID": "AlertUID",
"CreatedDate": "CreatedDate",
"FirstSeen": "FirstSeen",
"Impact": "Impact",
"LastSeen": "LastSeen",
"RiskScore": "RiskScore",
"Source": "Source",
"SourceType": "SourceType",
"TimeGenerated": "TimeGenerated",
"UID": "UID"
},
"description": "\"This rule detects cloud storage buckets (e.g., AWS S3) that are publicly accessible without authentication. \nSuch misconfigurations can lead to data exfiltration, compliance violations, and reputational damage. \nThe detection is based on Cyfirma's Attack Surface Intelligence.\"\n",
"displayName": "CYFIRMA - Attack Surface - Cloud Weakness High Rule",
"enabled": true,
"entityMappings": [
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "Domain",
"identifier": "DomainName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASCloudWeaknessHighRule.yaml",
"query": "// High Severity - Attack Surface - Cloud Weakness - Unauthorized Public Cloud Storage Exposure Detected\nlet timeFrame = 5m;\nCyfirmaASCloudWeaknessAlerts_CL\n| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n Description=description,\n FirstSeen=first_seen,\n LastSeen=last_seen,\n RiskScore=risk_score,\n Domain=asset_name,\n AlertUID=alert_uid,\n UID=uid,\n Source=source,\n SourceType=source_type,\n CreatedDate=created_date,\n Impact=impact,\n ProviderName='CYFIRMA',\n ProductName='DeCYFIR/DeTCT'\n| project\n TimeGenerated,\n Description,\n Domain,\n RiskScore,\n FirstSeen,\n LastSeen,\n AlertUID,\n UID,\n Source,\n SourceType,\n CreatedDate,\n Impact,\n ProviderName,\n ProductName\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [
"T1087.004"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Collection",
"Discovery",
"Exfiltration",
"InitialAccess"
],
"techniques": [
"T1087"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}