CYFIRMA - Attack Surface - Open Ports High Rule

Back


Id	87e7eb3f-bb8e-46e5-8807-d3fc63d0f676
Rulename	CYFIRMA - Attack Surface - Open Ports High Rule
Description	“This rule is triggered when CYFIRMA identifies open and publicly accessible ports on internet-facing assets. Exposed services may include SSH, RDP, HTTP, or other potentially sensitive ports, increasing the risk of unauthorized access, exploitation, or reconnaissance by threat actors. Monitoring open ports is critical to reducing the external attack surface and preventing misuse through brute force, service vulnerabilities, or protocol exploitation.”
Severity	High
Tactics	InitialAccess CommandAndControl Discovery DefenseEvasion Persistence
Techniques	T1566 T1071 T1505
Required data connectors	CyfirmaAttackSurfaceAlertsConnector
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASOpenPortsHighRule.yaml
Version	1.0.0
Arm template	87e7eb3f-bb8e-46e5-8807-d3fc63d0f676.json

KQL

// High Severity - Open Ports Exposure Detected
let timeFrame = 5m;
CyfirmaASOpenPortsAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend Description=description, FirstSeen=first_seen, LastSeen=last_seen, RiskScore=risk_score, Domain=sub_domain, TopDomain=top_domain, NetworkIP=ip, AlertUID=alert_uid, UID=uid, WebServer=web_server, WebServerVersion=web_server_version, OpenPorts=open_ports, ProviderName="CYFIRMA", ProductName="DeCYFIR/DeTCT"
| project
    TimeGenerated,
    Description,
    Domain,
    TopDomain,
    RiskScore,
    FirstSeen,
    LastSeen,
    NetworkIP,
    AlertUID,
    UID,
    WebServer,
    WebServerVersion,
    OpenPorts,
    ProductName,
    ProviderName

YAML

status: Available
relevantTechniques:
- T1566
- T1071
- T1505
description: |
    "This rule is triggered when CYFIRMA identifies open and publicly accessible ports on internet-facing assets. Exposed services may include SSH, RDP, HTTP, or other potentially sensitive ports, increasing the risk of unauthorized access, exploitation, or reconnaissance by threat actors. Monitoring open ports is critical to reducing the external attack surface and preventing misuse through brute force, service vulnerabilities, or protocol exploitation."
queryPeriod: 5m
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASOpenPortsHighRule.yaml
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - High Severity Open Ports Exposure Detected on Assets - Domain: {{Domain}}, IP: {{NetworkIP}}'
  alertDescriptionFormat: CYFIRMA - High Severity Open Ports Exposure Detected on Assets - {{Description}}
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
query: |
  // High Severity - Open Ports Exposure Detected
  let timeFrame = 5m;
  CyfirmaASOpenPortsAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend Description=description, FirstSeen=first_seen, LastSeen=last_seen, RiskScore=risk_score, Domain=sub_domain, TopDomain=top_domain, NetworkIP=ip, AlertUID=alert_uid, UID=uid, WebServer=web_server, WebServerVersion=web_server_version, OpenPorts=open_ports, ProviderName="CYFIRMA", ProductName="DeCYFIR/DeTCT"
  | project
      TimeGenerated,
      Description,
      Domain,
      TopDomain,
      RiskScore,
      FirstSeen,
      LastSeen,
      NetworkIP,
      AlertUID,
      UID,
      WebServer,
      WebServerVersion,
      OpenPorts,
      ProductName,
      ProviderName  
version: 1.0.0
id: 87e7eb3f-bb8e-46e5-8807-d3fc63d0f676
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    lookbackDuration: 5h
    matchingMethod: AllEntities
    reopenClosedIncident: false
tactics:
- InitialAccess
- CommandAndControl
- Discovery
- DefenseEvasion
- Persistence
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- fieldMappings:
  - identifier: DomainName
    columnName: Domain
  entityType: DNS
- fieldMappings:
  - identifier: HostName
    columnName: TopDomain
  - identifier: DnsDomain
    columnName: Domain
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: NetworkIP
  entityType: IP
requiredDataConnectors:
- dataTypes:
  - CyfirmaASOpenPortsAlerts_CL
  connectorId: CyfirmaAttackSurfaceAlertsConnector
name: CYFIRMA - Attack Surface - Open Ports High Rule
severity: High
customDetails:
  Description: Description
  FirstSeen: FirstSeen
  OpenPorts: OpenPorts
  AlertUID: AlertUID
  TimeGenerated: TimeGenerated
  RiskScore: RiskScore
  UID: UID
  WebServerVersion: WebServerVersion
  WebServer: WebServer
  LastSeen: LastSeen
triggerOperator: gt
triggerThreshold: 0
queryFrequency: 5m

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/87e7eb3f-bb8e-46e5-8807-d3fc63d0f676')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/87e7eb3f-bb8e-46e5-8807-d3fc63d0f676')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "CYFIRMA - High Severity Open Ports Exposure Detected on Assets - {{Description}}",
          "alertDisplayNameFormat": "CYFIRMA - High Severity Open Ports Exposure Detected on Assets - Domain: {{Domain}}, IP: {{NetworkIP}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "87e7eb3f-bb8e-46e5-8807-d3fc63d0f676",
        "customDetails": {
          "AlertUID": "AlertUID",
          "Description": "Description",
          "FirstSeen": "FirstSeen",
          "LastSeen": "LastSeen",
          "OpenPorts": "OpenPorts",
          "RiskScore": "RiskScore",
          "TimeGenerated": "TimeGenerated",
          "UID": "UID",
          "WebServer": "WebServer",
          "WebServerVersion": "WebServerVersion"
        },
        "description": "\"This rule is triggered when CYFIRMA identifies open and publicly accessible ports on internet-facing assets. Exposed services may include SSH, RDP, HTTP, or other potentially sensitive ports, increasing the risk of unauthorized access, exploitation, or reconnaissance by threat actors. Monitoring open ports is critical to reducing the external attack surface and preventing misuse through brute force, service vulnerabilities, or protocol exploitation.\"\n",
        "displayName": "CYFIRMA - Attack Surface - Open Ports High Rule",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "Domain",
                "identifier": "DomainName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "TopDomain",
                "identifier": "HostName"
              },
              {
                "columnName": "Domain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "NetworkIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASOpenPortsHighRule.yaml",
        "query": "// High Severity - Open Ports Exposure Detected\nlet timeFrame = 5m;\nCyfirmaASOpenPortsAlerts_CL\n| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())\n| extend Description=description, FirstSeen=first_seen, LastSeen=last_seen, RiskScore=risk_score, Domain=sub_domain, TopDomain=top_domain, NetworkIP=ip, AlertUID=alert_uid, UID=uid, WebServer=web_server, WebServerVersion=web_server_version, OpenPorts=open_ports, ProviderName=\"CYFIRMA\", ProductName=\"DeCYFIR/DeTCT\"\n| project\n    TimeGenerated,\n    Description,\n    Domain,\n    TopDomain,\n    RiskScore,\n    FirstSeen,\n    LastSeen,\n    NetworkIP,\n    AlertUID,\n    UID,\n    WebServer,\n    WebServerVersion,\n    OpenPorts,\n    ProductName,\n    ProviderName\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "DefenseEvasion",
          "Discovery",
          "InitialAccess",
          "Persistence"
        ],
        "techniques": [
          "T1071",
          "T1505",
          "T1566"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}