CYFIRMA - Attack Surface - Cloud Weakness High Rule
| Field | Value |
|---|---|
| Id | 87cd8b10-90f6-4967-a4a7-2142e848ec8f |
| Rulename | CYFIRMA - Attack Surface - Cloud Weakness High Rule |
| Description | "This rule detects cloud storage buckets (e.g., AWS S3) that are publicly accessible without authentication. Such misconfigurations can lead to data exfiltration, compliance violations, and reputational damage. The detection is based on Cyfirma's Attack Surface Intelligence." |
| Severity | High |
| Tactics | InitialAccess, Collection, Discovery, Exfiltration |
| Techniques | T1087, T1087.004 |
| Required data connectors | CyfirmaAttackSurfaceAlertsConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASCloudWeaknessHighRule.yaml |
| Version | 1.0.1 |
| Arm template | 87cd8b10-90f6-4967-a4a7-2142e848ec8f.json |
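The rule's description says it fires on storage buckets that are reachable without authentication. Before escalating such an alert an analyst normally reproduces that condition with one anonymous request. The helper below is an added example, not code from the Cyfirma solution or from the Azure-Sentinel repository: it classifies what an unauthenticated GET on an S3 bucket root returns, using the response shapes the S3 REST API documents (a `ListBucketResult` document on a successful listing, an `<Error><Code>` document otherwise). The three response bodies and the bucket name are constructed for the example; `probe_bucket` is the only part that touches the network and is not needed to run the samples.

```python
"""Triage check for a 'publicly accessible bucket' alert.

Added example, not code from the Cyfirma solution or the Sentinel repo: it
classifies what an unauthenticated GET on an S3 bucket root returns, so an
analyst can confirm the exposure the alert describes before escalating.
Shapes follow the S3 REST API (ListBucketResult on success, <Error><Code>
otherwise); the response bodies below are constructed for the example.
"""
import xml.etree.ElementTree as ET
from urllib.error import HTTPError
from urllib.request import Request, urlopen

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"


def classify_listing(status: int, body: bytes):
    """Map an anonymous bucket-root GET to a verdict.

    Returns (verdict, detail): verdict is one of 'public-listable',
    'denied', 'missing' or 'unknown'; detail is the number of keys returned
    (listable) or the S3 error code / HTTP status (everything else).
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unknown", f"HTTP {status}, non-XML body"
    tag = root.tag.replace(S3_NS, "")          # strip the S3 namespace, if any
    if status == 200 and tag == "ListBucketResult":
        keys = root.findall(f"{S3_NS}Contents")
        return "public-listable", len(keys)
    if tag == "Error":                          # S3 error documents carry no namespace
        code = root.findtext("Code") or ""
        if code == "AccessDenied":
            return "denied", code
        if code == "NoSuchBucket":
            return "missing", code
        return "unknown", code
    return "unknown", f"HTTP {status}, <{tag}>"


def probe_bucket(bucket: str, timeout: int = 10):
    """Live check: one unauthenticated GET of https://<bucket>.s3.amazonaws.com/.

    No credentials are attached, so the verdict reflects what any anonymous
    client sees. Not exercised by the offline samples below.
    """
    url = f"https://{bucket}.s3.amazonaws.com/"
    try:
        with urlopen(Request(url, method="GET"), timeout=timeout) as resp:
            return classify_listing(resp.status, resp.read())
    except HTTPError as err:                    # 403 / 404 arrive as exceptions
        return classify_listing(err.code, err.read())


# Constructed responses in the S3 REST API shapes (not captured from a real bucket).
SAMPLE_PUBLIC = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
    b'<Name>assets-example</Name><Contents><Key>backup.sql</Key></Contents>'
    b'<Contents><Key>config.json</Key></Contents></ListBucketResult>'
)
SAMPLE_DENIED = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>'
)
SAMPLE_MISSING = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<Error><Code>NoSuchBucket</Code>'
    b'<Message>The specified bucket does not exist</Message></Error>'
)

if __name__ == "__main__":
    for status, body in ((200, SAMPLE_PUBLIC), (403, SAMPLE_DENIED), (404, SAMPLE_MISSING)):
        print(status, classify_listing(status, body))
```

A `denied` verdict on the bucket root does not prove the bucket is private: a policy or ACL that grants only `s3:GetObject` keeps the listing forbidden while any object whose key can be guessed is still downloadable anonymously, so object-level checks and the account-side configuration (bucket policy, ACLs, Block Public Access) are still needed. Run the live probe only against buckets you are authorised to test.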
// High Severity - Attack Surface - Cloud Weakness - Unauthorized Public Cloud Storage Exposure Detected
// Note: the rule is published with severity High, but it matches rows whose connector-side
// severity value is 'Critical'; rows the connector tags 'High' are not evaluated by this query.
let timeFrame = 5m;
CyfirmaASCloudWeaknessAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    Domain=asset_name,
    AlertUID=alert_uid,
    UID=uid,
    Source=source,
    SourceType=source_type,
    CreatedDate=created_date,
    Impact=impact,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT'
| project
    TimeGenerated,
    Description,
    Domain,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    Source,
    SourceType,
    CreatedDate,
    Impact,
    ProviderName,
    ProductName
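To see exactly which rows the query above turns into alerts, the following added example (not part of the Cyfirma solution or the Sentinel repository) re-implements its filter, the `extend`/`project` renames and the rule's DNS entity mapping in plain Python and runs them over constructed rows. The column names are the ones the KQL uses; the rows, their timestamps and the fixed clock are made up for the example, and `make_row` is a helper that exists only here.

```python
"""Offline walk-through of the rule's KQL.

Added example, not part of the Sentinel solution: it re-implements the filter,
extend/project and entity mapping of the rule in Python so it can be exercised
against constructed rows without a Log Analytics workspace. Column names are
the ones the query uses; the rows, timestamps and the fixed clock are made up.
"""
from datetime import datetime, timedelta, timezone

TIME_FRAME = timedelta(minutes=5)    # let timeFrame = 5m
SEVERITY_MATCH = "Critical"          # where severity == 'Critical'

# '| extend' renames: raw column -> projected column
FIELD_MAP = {
    "description": "Description",
    "first_seen": "FirstSeen",
    "last_seen": "LastSeen",
    "risk_score": "RiskScore",
    "asset_name": "Domain",
    "alert_uid": "AlertUID",
    "uid": "UID",
    "source": "Source",
    "source_type": "SourceType",
    "created_date": "CreatedDate",
    "impact": "Impact",
}
CONSTANTS = {"ProviderName": "CYFIRMA", "ProductName": "DeCYFIR/DeTCT"}


def run_rule(rows, now):
    """One projected result per matching row; AlertPerResult alerts on each."""
    window_start = now - TIME_FRAME
    results = []
    for row in rows:
        tg = row["TimeGenerated"]
        # KQL 'between (a .. b)' is inclusive at both ends
        if row.get("severity") != SEVERITY_MATCH or not (window_start <= tg <= now):
            continue
        projected = {"TimeGenerated": tg}
        projected.update({col: row.get(raw) for raw, col in FIELD_MAP.items()})
        projected.update(CONSTANTS)
        results.append(projected)
    return results


def dns_entities(result):
    """entityMappings: one DNS entity whose DomainName is the Domain column."""
    return [{"entityType": "DNS", "DomainName": result["Domain"]}]


def alert_display_name(result):
    """alertDetailsOverride.alertDisplayNameFormat with {{Domain}} substituted."""
    return ("CYFIRMA - High Severity Alert - Unauthorized Public Cloud Storage "
            f"Exposure Detected - Domain: {result['Domain']}")


def make_row(minutes_ago, severity, domain, now, **extra):
    """Helper for this example only: a constructed CyfirmaASCloudWeaknessAlerts_CL-shaped row."""
    row = {
        "TimeGenerated": now - timedelta(minutes=minutes_ago),
        "severity": severity,
        "asset_name": domain,
        "description": "Storage bucket listable without authentication",
        "risk_score": 9,
        "alert_uid": f"alert-{domain}",
        "uid": f"uid-{domain}",
        "source": "cloud-weakness",
        "source_type": "attack-surface",
        "first_seen": "2024-04-30T00:00:00Z",
        "last_seen": "2024-05-01T11:55:00Z",
        "created_date": "2024-04-30T00:00:00Z",
        "impact": "Data exposure",
    }
    row.update(extra)
    return row


NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for the example
SAMPLE_ROWS = [
    make_row(2, "Critical", "assets.example.com", NOW),   # fires
    make_row(1, "High", "cdn.example.com", NOW),          # connector says High: the query only matches 'Critical'
    make_row(6, "Critical", "old.example.com", NOW),      # older than the 5m lookback: never evaluated
    make_row(5, "Critical", "edge.example.com", NOW),     # exactly ago(5m): inclusive, fires
]

if __name__ == "__main__":
    for r in run_rule(SAMPLE_ROWS, NOW):
        print(alert_display_name(r), dns_entities(r))
```

Two things the sample rows make visible. The rule is labelled High yet only rows the connector marks `Critical` match, so check that mapping against the severity values the connector actually emits. And because `queryPeriod` equals `queryFrequency` (both 5m), a row whose `TimeGenerated` is already older than five minutes by the time the scheduled run executes, for instance because of ingestion latency, is never evaluated; a lookback longer than the frequency closes that gap but re-matches rows already alerted on, so it needs a dedup on `AlertUID` or incident grouping alongside it.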
id: 87cd8b10-90f6-4967-a4a7-2142e848ec8f
name: CYFIRMA - Attack Surface - Cloud Weakness High Rule
description: |
  "This rule detects cloud storage buckets (e.g., AWS S3) that are publicly accessible without authentication.
  Such misconfigurations can lead to data exfiltration, compliance violations, and reputational damage.
  The detection is based on Cyfirma's Attack Surface Intelligence."
severity: High
status: Available
requiredDataConnectors:
  - connectorId: CyfirmaAttackSurfaceAlertsConnector
    dataTypes:
      - CyfirmaASCloudWeaknessAlerts_CL
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - Collection
  - Discovery
  - Exfiltration
relevantTechniques:
  - T1087
  - T1087.004
query: |
  // High Severity - Attack Surface - Cloud Weakness - Unauthorized Public Cloud Storage Exposure Detected
  let timeFrame = 5m;
  CyfirmaASCloudWeaknessAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      Domain=asset_name,
      AlertUID=alert_uid,
      UID=uid,
      Source=source,
      SourceType=source_type,
      CreatedDate=created_date,
      Impact=impact,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      Domain,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      Source,
      SourceType,
      CreatedDate,
      Impact,
      ProviderName,
      ProductName
entityMappings:
  - entityType: DNS
    fieldMappings:
      - identifier: DomainName
        columnName: Domain
customDetails:
  TimeGenerated: TimeGenerated
  AlertUID: AlertUID
  UID: UID
  Source: Source
  SourceType: SourceType
  RiskScore: RiskScore
  Impact: Impact
  FirstSeen: FirstSeen
  LastSeen: LastSeen
  CreatedDate: CreatedDate
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - High Severity Alert - Unauthorized Public Cloud Storage Exposure Detected - Domain: {{Domain}} '
  alertDescriptionFormat: 'CYFIRMA - High Severity Alert - Unauthorized Public Cloud Storage Exposure Detected - {{Description}} '
  alertDynamicProperties:
    - alertProperty: ProductName
      value: ProductName
    - alertProperty: ProviderName
      value: ProviderName
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
version: 1.0.1
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASCloudWeaknessHighRule.yaml