CYFIRMA - Attack Surface - Open Ports High Rule

// High Severity - Open Ports Exposure Detected
let timeFrame = 5m;
CyfirmaASOpenPortsAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend Description=description, FirstSeen=first_seen, LastSeen=last_seen, RiskScore=risk_score, Domain=sub_domain, TopDomain=top_domain, NetworkIP=ip, AlertUID=alert_uid, UID=uid, WebServer=web_server, WebServerVersion=web_server_version, OpenPorts=open_ports, ProviderName="CYFIRMA", ProductName="DeCYFIR/DeTCT"
| project
    TimeGenerated,
    Description,
    Domain,
    TopDomain,
    RiskScore,
    FirstSeen,
    LastSeen,
    NetworkIP,
    AlertUID,
    UID,
    WebServer,
    WebServerVersion,
    OpenPorts,
    ProductName,
    ProviderName

queryPeriod: 5m
relevantTechniques:
- T1566
- T1071
- T1505
kind: Scheduled
query: |
  // High Severity - Open Ports Exposure Detected
  let timeFrame = 5m;
  CyfirmaASOpenPortsAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend Description=description, FirstSeen=first_seen, LastSeen=last_seen, RiskScore=risk_score, Domain=sub_domain, TopDomain=top_domain, NetworkIP=ip, AlertUID=alert_uid, UID=uid, WebServer=web_server, WebServerVersion=web_server_version, OpenPorts=open_ports, ProviderName="CYFIRMA", ProductName="DeCYFIR/DeTCT"
  | project
      TimeGenerated,
      Description,
      Domain,
      TopDomain,
      RiskScore,
      FirstSeen,
      LastSeen,
      NetworkIP,
      AlertUID,
      UID,
      WebServer,
      WebServerVersion,
      OpenPorts,
      ProductName,
      ProviderName  
tactics:
- InitialAccess
- CommandAndControl
- Discovery
- DefenseEvasion
- Persistence
queryFrequency: 5m
triggerOperator: gt
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    reopenClosedIncident: false
  createIncident: true
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - High Severity Open Ports Exposure Detected on Assets - Domain: {{Domain}}, IP: {{NetworkIP}}'
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDescriptionFormat: CYFIRMA - High Severity Open Ports Exposure Detected on Assets - {{Description}}
id: 87e7eb3f-bb8e-46e5-8807-d3fc63d0f676
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASOpenPortsHighRule.yaml
version: 1.0.1
entityMappings:
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: Domain
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: TopDomain
  - identifier: DnsDomain
    columnName: Domain
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: NetworkIP
triggerThreshold: 0
customDetails:
  WebServer: WebServer
  TimeGenerated: TimeGenerated
  LastSeen: LastSeen
  RiskScore: RiskScore
  UID: UID
  OpenPorts: OpenPorts
  FirstSeen: FirstSeen
  AlertUID: AlertUID
  Description: Description
  WebServerVersion: WebServerVersion
status: Available
name: CYFIRMA - Attack Surface - Open Ports High Rule
severity: High
requiredDataConnectors:
- dataTypes:
  - CyfirmaASOpenPortsAlerts_CL
  connectorId: CyfirmaAttackSurfaceAlertsConnector
description: |
    "This rule is triggered when CYFIRMA identifies open and publicly accessible ports on internet-facing assets. Exposed services may include SSH, RDP, HTTP, or other potentially sensitive ports, increasing the risk of unauthorized access, exploitation, or reconnaissance by threat actors. Monitoring open ports is critical to reducing the external attack surface and preventing misuse through brute force, service vulnerabilities, or protocol exploitation."