CYFIRMA - Attack Surface - Cloud Weakness High Rule

// High Severity - Attack Surface - Cloud Weakness - Unauthorized Public Cloud Storage Exposure Detected
let timeFrame = 5m;
CyfirmaASCloudWeaknessAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    Domain=asset_name,
    AlertUID=alert_uid,
    UID=uid,
    Source=source,
    SourceType=source_type,
    CreatedDate=created_date,
    Impact=impact,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT'
| project
    TimeGenerated,
    Description,
    Domain,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    Source,
    SourceType,
    CreatedDate,
    Impact,
    ProviderName,
    ProductName

relevantTechniques:
- T1087
- T1087.004
entityMappings:
- entityType: DNS
  fieldMappings:
  - columnName: Domain
    identifier: DomainName
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 1.0.1
id: 87cd8b10-90f6-4967-a4a7-2142e848ec8f
severity: High
kind: Scheduled
queryFrequency: 5m
description: |
  "This rule detects cloud storage buckets (e.g., AWS S3) that are publicly accessible without authentication. 
  Such misconfigurations can lead to data exfiltration, compliance violations, and reputational damage. 
  The detection is based on Cyfirma's Attack Surface Intelligence."  
requiredDataConnectors:
- connectorId: CyfirmaAttackSurfaceAlertsConnector
  dataTypes:
  - CyfirmaASCloudWeaknessAlerts_CL
triggerOperator: gt
name: CYFIRMA - Attack Surface - Cloud Weakness High Rule
tactics:
- InitialAccess
- Collection
- Discovery
- Exfiltration
alertDetailsOverride:
  alertDescriptionFormat: 'CYFIRMA - High Severity Alert - Unauthorized Public Cloud Storage Exposure Detected - {{Description}} '
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
  alertDisplayNameFormat: 'CYFIRMA - High Severity Alert - Unauthorized Public Cloud Storage Exposure Detected - Domain: {{Domain}} '
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASCloudWeaknessHighRule.yaml
triggerThreshold: 0
queryPeriod: 5m
query: |
  // High Severity - Attack Surface - Cloud Weakness - Unauthorized Public Cloud Storage Exposure Detected
  let timeFrame = 5m;
  CyfirmaASCloudWeaknessAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      Domain=asset_name,
      AlertUID=alert_uid,
      UID=uid,
      Source=source,
      SourceType=source_type,
      CreatedDate=created_date,
      Impact=impact,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      Domain,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      Source,
      SourceType,
      CreatedDate,
      Impact,
      ProviderName,
      ProductName  
status: Available
customDetails:
  TimeGenerated: TimeGenerated
  Impact: Impact
  AlertUID: AlertUID
  Source: Source
  FirstSeen: FirstSeen
  LastSeen: LastSeen
  SourceType: SourceType
  CreatedDate: CreatedDate
  RiskScore: RiskScore
  UID: UID
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities