CYFIRMA - Attack Surface - Open Ports High Rule
| Id | 87e7eb3f-bb8e-46e5-8807-d3fc63d0f676 |
| Rulename | CYFIRMA - Attack Surface - Open Ports High Rule |
| Description | “This rule is triggered when CYFIRMA identifies open and publicly accessible ports on internet-facing assets. Exposed services may include SSH, RDP, HTTP, or other potentially sensitive ports, increasing the risk of unauthorized access, exploitation, or reconnaissance by threat actors. Monitoring open ports is critical to reducing the external attack surface and preventing misuse through brute force, service vulnerabilities, or protocol exploitation.” |
| Severity | High |
| Tactics | InitialAccess CommandAndControl Discovery DefenseEvasion Persistence |
| Techniques | T1566 T1071 T1505 |
| Required data connectors | CyfirmaAttackSurfaceAlertsConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASOpenPortsHighRule.yaml |
| Version | 1.0.1 |
| Arm template | 87e7eb3f-bb8e-46e5-8807-d3fc63d0f676.json |
// High Severity - Open Ports Exposure Detected
let timeFrame = 5m;
CyfirmaASOpenPortsAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend Description=description, FirstSeen=first_seen, LastSeen=last_seen, RiskScore=risk_score, Domain=sub_domain, TopDomain=top_domain, NetworkIP=ip, AlertUID=alert_uid, UID=uid, WebServer=web_server, WebServerVersion=web_server_version, OpenPorts=open_ports, ProviderName="CYFIRMA", ProductName="DeCYFIR/DeTCT"
| project
TimeGenerated,
Description,
Domain,
TopDomain,
RiskScore,
FirstSeen,
LastSeen,
NetworkIP,
AlertUID,
UID,
WebServer,
WebServerVersion,
OpenPorts,
ProductName,
ProviderName
name: CYFIRMA - Attack Surface - Open Ports High Rule
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride:
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
alertDisplayNameFormat: 'CYFIRMA - High Severity Open Ports Exposure Detected on Assets - Domain: {{Domain}}, IP: {{NetworkIP}}'
alertDescriptionFormat: CYFIRMA - High Severity Open Ports Exposure Detected on Assets - {{Description}}
id: 87e7eb3f-bb8e-46e5-8807-d3fc63d0f676
requiredDataConnectors:
- connectorId: CyfirmaAttackSurfaceAlertsConnector
dataTypes:
- CyfirmaASOpenPortsAlerts_CL
severity: High
triggerThreshold: 0
version: 1.0.1
description: |
"This rule is triggered when CYFIRMA identifies open and publicly accessible ports on internet-facing assets. Exposed services may include SSH, RDP, HTTP, or other potentially sensitive ports, increasing the risk of unauthorized access, exploitation, or reconnaissance by threat actors. Monitoring open ports is critical to reducing the external attack surface and preventing misuse through brute force, service vulnerabilities, or protocol exploitation."
relevantTechniques:
- T1566
- T1071
- T1505
kind: Scheduled
queryPeriod: 5m
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: false
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: PT5H
tactics:
- InitialAccess
- CommandAndControl
- Discovery
- DefenseEvasion
- Persistence
customDetails:
OpenPorts: OpenPorts
WebServer: WebServer
Description: Description
AlertUID: AlertUID
RiskScore: RiskScore
TimeGenerated: TimeGenerated
FirstSeen: FirstSeen
WebServerVersion: WebServerVersion
LastSeen: LastSeen
UID: UID
queryFrequency: 5m
entityMappings:
- fieldMappings:
- identifier: DomainName
columnName: Domain
entityType: DNS
- fieldMappings:
- identifier: HostName
columnName: TopDomain
- identifier: DnsDomain
columnName: Domain
entityType: Host
- fieldMappings:
- identifier: Address
columnName: NetworkIP
entityType: IP
status: Available
triggerOperator: gt
query: |
// High Severity - Open Ports Exposure Detected
let timeFrame = 5m;
CyfirmaASOpenPortsAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend Description=description, FirstSeen=first_seen, LastSeen=last_seen, RiskScore=risk_score, Domain=sub_domain, TopDomain=top_domain, NetworkIP=ip, AlertUID=alert_uid, UID=uid, WebServer=web_server, WebServerVersion=web_server_version, OpenPorts=open_ports, ProviderName="CYFIRMA", ProductName="DeCYFIR/DeTCT"
| project
TimeGenerated,
Description,
Domain,
TopDomain,
RiskScore,
FirstSeen,
LastSeen,
NetworkIP,
AlertUID,
UID,
WebServer,
WebServerVersion,
OpenPorts,
ProductName,
ProviderName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASOpenPortsHighRule.yaml
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/87e7eb3f-bb8e-46e5-8807-d3fc63d0f676')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/87e7eb3f-bb8e-46e5-8807-d3fc63d0f676')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "CYFIRMA - High Severity Open Ports Exposure Detected on Assets - {{Description}}",
"alertDisplayNameFormat": "CYFIRMA - High Severity Open Ports Exposure Detected on Assets - Domain: {{Domain}}, IP: {{NetworkIP}}",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "87e7eb3f-bb8e-46e5-8807-d3fc63d0f676",
"customDetails": {
"AlertUID": "AlertUID",
"Description": "Description",
"FirstSeen": "FirstSeen",
"LastSeen": "LastSeen",
"OpenPorts": "OpenPorts",
"RiskScore": "RiskScore",
"TimeGenerated": "TimeGenerated",
"UID": "UID",
"WebServer": "WebServer",
"WebServerVersion": "WebServerVersion"
},
"description": "\"This rule is triggered when CYFIRMA identifies open and publicly accessible ports on internet-facing assets. Exposed services may include SSH, RDP, HTTP, or other potentially sensitive ports, increasing the risk of unauthorized access, exploitation, or reconnaissance by threat actors. Monitoring open ports is critical to reducing the external attack surface and preventing misuse through brute force, service vulnerabilities, or protocol exploitation.\"\n",
"displayName": "CYFIRMA - Attack Surface - Open Ports High Rule",
"enabled": true,
"entityMappings": [
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "Domain",
"identifier": "DomainName"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "TopDomain",
"identifier": "HostName"
},
{
"columnName": "Domain",
"identifier": "DnsDomain"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "NetworkIP",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASOpenPortsHighRule.yaml",
"query": "// High Severity - Open Ports Exposure Detected\nlet timeFrame = 5m;\nCyfirmaASOpenPortsAlerts_CL\n| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())\n| extend Description=description, FirstSeen=first_seen, LastSeen=last_seen, RiskScore=risk_score, Domain=sub_domain, TopDomain=top_domain, NetworkIP=ip, AlertUID=alert_uid, UID=uid, WebServer=web_server, WebServerVersion=web_server_version, OpenPorts=open_ports, ProviderName=\"CYFIRMA\", ProductName=\"DeCYFIR/DeTCT\"\n| project\n TimeGenerated,\n Description,\n Domain,\n TopDomain,\n RiskScore,\n FirstSeen,\n LastSeen,\n NetworkIP,\n AlertUID,\n UID,\n WebServer,\n WebServerVersion,\n OpenPorts,\n ProductName,\n ProviderName\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"DefenseEvasion",
"Discovery",
"InitialAccess",
"Persistence"
],
"techniques": [
"T1071",
"T1505",
"T1566"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}