CYFIRMA - Attack Surface - Cloud Weakness High Rule

// High Severity - Attack Surface - Cloud Weakness - Unauthorized Public Cloud Storage Exposure Detected
let timeFrame = 5m;
CyfirmaASCloudWeaknessAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    Domain=asset_name,
    AlertUID=alert_uid,
    UID=uid,
    Source=source,
    SourceType=source_type,
    CreatedDate=created_date,
    Impact=impact,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT'
| project
    TimeGenerated,
    Description,
    Domain,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    Source,
    SourceType,
    CreatedDate,
    Impact,
    ProviderName,
    ProductName

kind: Scheduled
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H
  createIncident: true
requiredDataConnectors:
- connectorId: CyfirmaAttackSurfaceAlertsConnector
  dataTypes:
  - CyfirmaASCloudWeaknessAlerts_CL
relevantTechniques:
- T1087
- T1087.004
entityMappings:
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: Domain
query: |
  // High Severity - Attack Surface - Cloud Weakness - Unauthorized Public Cloud Storage Exposure Detected
  let timeFrame = 5m;
  CyfirmaASCloudWeaknessAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      Domain=asset_name,
      AlertUID=alert_uid,
      UID=uid,
      Source=source,
      SourceType=source_type,
      CreatedDate=created_date,
      Impact=impact,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      Domain,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      Source,
      SourceType,
      CreatedDate,
      Impact,
      ProviderName,
      ProductName  
triggerThreshold: 0
customDetails:
  Source: Source
  Impact: Impact
  TimeGenerated: TimeGenerated
  AlertUID: AlertUID
  FirstSeen: FirstSeen
  RiskScore: RiskScore
  UID: UID
  SourceType: SourceType
  LastSeen: LastSeen
  CreatedDate: CreatedDate
alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDisplayNameFormat: 'CYFIRMA - High Severity Alert - Unauthorized Public Cloud Storage Exposure Detected - Domain: {{Domain}} '
  alertDescriptionFormat: 'CYFIRMA - High Severity Alert - Unauthorized Public Cloud Storage Exposure Detected - {{Description}} '
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASCloudWeaknessHighRule.yaml
queryPeriod: 5m
tactics:
- InitialAccess
- Collection
- Discovery
- Exfiltration
name: CYFIRMA - Attack Surface - Cloud Weakness High Rule
status: Available
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: |
  "This rule detects cloud storage buckets (e.g., AWS S3) that are publicly accessible without authentication. 
  Such misconfigurations can lead to data exfiltration, compliance violations, and reputational damage. 
  The detection is based on Cyfirma's Attack Surface Intelligence."  
id: 87cd8b10-90f6-4967-a4a7-2142e848ec8f
version: 1.0.1
triggerOperator: gt
queryFrequency: 5m
severity: High