CYFIRMA - Attack Surface - Cloud Weakness High Rule

// High Severity - Attack Surface - Cloud Weakness - Unauthorized Public Cloud Storage Exposure Detected
let timeFrame = 5m;
CyfirmaASCloudWeaknessAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    Domain=asset_name,
    AlertUID=alert_uid,
    UID=uid,
    Source=source,
    SourceType=source_type,
    CreatedDate=created_date,
    Impact=impact,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT'
| project
    TimeGenerated,
    Description,
    Domain,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    Source,
    SourceType,
    CreatedDate,
    Impact,
    ProviderName,
    ProductName

query: |
  // High Severity - Attack Surface - Cloud Weakness - Unauthorized Public Cloud Storage Exposure Detected
  let timeFrame = 5m;
  CyfirmaASCloudWeaknessAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      Domain=asset_name,
      AlertUID=alert_uid,
      UID=uid,
      Source=source,
      SourceType=source_type,
      CreatedDate=created_date,
      Impact=impact,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      Domain,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      Source,
      SourceType,
      CreatedDate,
      Impact,
      ProviderName,
      ProductName  
kind: Scheduled
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    enabled: false
    matchingMethod: AllEntities
    reopenClosedIncident: false
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - columnName: Domain
    identifier: DomainName
  entityType: DNS
description: |
  "This rule detects cloud storage buckets (e.g., AWS S3) that are publicly accessible without authentication. 
  Such misconfigurations can lead to data exfiltration, compliance violations, and reputational damage. 
  The detection is based on Cyfirma's Attack Surface Intelligence."  
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  Impact: Impact
  RiskScore: RiskScore
  UID: UID
  FirstSeen: FirstSeen
  TimeGenerated: TimeGenerated
  LastSeen: LastSeen
  CreatedDate: CreatedDate
  Source: Source
  AlertUID: AlertUID
  SourceType: SourceType
version: 1.0.1
id: 87cd8b10-90f6-4967-a4a7-2142e848ec8f
relevantTechniques:
- T1087
- T1087.004
queryPeriod: 5m
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASCloudWeaknessHighRule.yaml
tactics:
- InitialAccess
- Collection
- Discovery
- Exfiltration
severity: High
status: Available
requiredDataConnectors:
- connectorId: CyfirmaAttackSurfaceAlertsConnector
  dataTypes:
  - CyfirmaASCloudWeaknessAlerts_CL
name: CYFIRMA - Attack Surface - Cloud Weakness High Rule
alertDetailsOverride:
  alertDescriptionFormat: 'CYFIRMA - High Severity Alert - Unauthorized Public Cloud Storage Exposure Detected - {{Description}} '
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
  alertDisplayNameFormat: 'CYFIRMA - High Severity Alert - Unauthorized Public Cloud Storage Exposure Detected - Domain: {{Domain}} '
triggerOperator: gt