Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Attack Surface - Open Ports High Rule

Back
Id87e7eb3f-bb8e-46e5-8807-d3fc63d0f676
RulenameCYFIRMA - Attack Surface - Open Ports High Rule
Description“This rule is triggered when CYFIRMA identifies open and publicly accessible ports on internet-facing assets. Exposed services may include SSH, RDP, HTTP, or other potentially sensitive ports, increasing the risk of unauthorized access, exploitation, or reconnaissance by threat actors. Monitoring open ports is critical to reducing the external attack surface and preventing misuse through brute force, service vulnerabilities, or protocol exploitation.”
SeverityHigh
TacticsInitialAccess
CommandAndControl
Discovery
DefenseEvasion
Persistence
TechniquesT1566
T1071
T1505
Required data connectorsCyfirmaAttackSurfaceAlertsConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASOpenPortsHighRule.yaml
Version1.0.0
Arm template87e7eb3f-bb8e-46e5-8807-d3fc63d0f676.json
Deploy To Azure
// High Severity - Open Ports Exposure Detected
let timeFrame = 5m;
CyfirmaASOpenPortsAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend Description=description, FirstSeen=first_seen, LastSeen=last_seen, RiskScore=risk_score, Domain=sub_domain, TopDomain=top_domain, NetworkIP=ip, AlertUID=alert_uid, UID=uid, WebServer=web_server, WebServerVersion=web_server_version, OpenPorts=open_ports, ProviderName="CYFIRMA", ProductName="DeCYFIR/DeTCT"
| project
    TimeGenerated,
    Description,
    Domain,
    TopDomain,
    RiskScore,
    FirstSeen,
    LastSeen,
    NetworkIP,
    AlertUID,
    UID,
    WebServer,
    WebServerVersion,
    OpenPorts,
    ProductName,
    ProviderName
tactics:
- InitialAccess
- CommandAndControl
- Discovery
- DefenseEvasion
- Persistence
name: CYFIRMA - Attack Surface - Open Ports High Rule
id: 87e7eb3f-bb8e-46e5-8807-d3fc63d0f676
requiredDataConnectors:
- connectorId: CyfirmaAttackSurfaceAlertsConnector
  dataTypes:
  - CyfirmaASOpenPortsAlerts_CL
query: |
  // High Severity - Open Ports Exposure Detected
  let timeFrame = 5m;
  CyfirmaASOpenPortsAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend Description=description, FirstSeen=first_seen, LastSeen=last_seen, RiskScore=risk_score, Domain=sub_domain, TopDomain=top_domain, NetworkIP=ip, AlertUID=alert_uid, UID=uid, WebServer=web_server, WebServerVersion=web_server_version, OpenPorts=open_ports, ProviderName="CYFIRMA", ProductName="DeCYFIR/DeTCT"
  | project
      TimeGenerated,
      Description,
      Domain,
      TopDomain,
      RiskScore,
      FirstSeen,
      LastSeen,
      NetworkIP,
      AlertUID,
      UID,
      WebServer,
      WebServerVersion,
      OpenPorts,
      ProductName,
      ProviderName  
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1566
- T1071
- T1505
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: 5h
    enabled: false
description: |
    "This rule is triggered when CYFIRMA identifies open and publicly accessible ports on internet-facing assets. Exposed services may include SSH, RDP, HTTP, or other potentially sensitive ports, increasing the risk of unauthorized access, exploitation, or reconnaissance by threat actors. Monitoring open ports is critical to reducing the external attack surface and preventing misuse through brute force, service vulnerabilities, or protocol exploitation."
triggerOperator: gt
queryPeriod: 5m
severity: High
entityMappings:
- fieldMappings:
  - identifier: DomainName
    columnName: Domain
  entityType: DNS
- fieldMappings:
  - identifier: HostName
    columnName: TopDomain
  - identifier: DnsDomain
    columnName: Domain
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: NetworkIP
  entityType: IP
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASOpenPortsHighRule.yaml
version: 1.0.0
alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDisplayNameFormat: 'CYFIRMA - High Severity Open Ports Exposure Detected on Assets - Domain: {{Domain}}, IP: {{NetworkIP}}'
  alertDescriptionFormat: CYFIRMA - High Severity Open Ports Exposure Detected on Assets - {{Description}}
triggerThreshold: 0
queryFrequency: 5m
kind: Scheduled
status: Available
customDetails:
  RiskScore: RiskScore
  Description: Description
  FirstSeen: FirstSeen
  OpenPorts: OpenPorts
  TimeGenerated: TimeGenerated
  WebServer: WebServer
  WebServerVersion: WebServerVersion
  LastSeen: LastSeen
  AlertUID: AlertUID
  UID: UID
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/87e7eb3f-bb8e-46e5-8807-d3fc63d0f676')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/87e7eb3f-bb8e-46e5-8807-d3fc63d0f676')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "CYFIRMA - High Severity Open Ports Exposure Detected on Assets - {{Description}}",
          "alertDisplayNameFormat": "CYFIRMA - High Severity Open Ports Exposure Detected on Assets - Domain: {{Domain}}, IP: {{NetworkIP}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "87e7eb3f-bb8e-46e5-8807-d3fc63d0f676",
        "customDetails": {
          "AlertUID": "AlertUID",
          "Description": "Description",
          "FirstSeen": "FirstSeen",
          "LastSeen": "LastSeen",
          "OpenPorts": "OpenPorts",
          "RiskScore": "RiskScore",
          "TimeGenerated": "TimeGenerated",
          "UID": "UID",
          "WebServer": "WebServer",
          "WebServerVersion": "WebServerVersion"
        },
        "description": "\"This rule is triggered when CYFIRMA identifies open and publicly accessible ports on internet-facing assets. Exposed services may include SSH, RDP, HTTP, or other potentially sensitive ports, increasing the risk of unauthorized access, exploitation, or reconnaissance by threat actors. Monitoring open ports is critical to reducing the external attack surface and preventing misuse through brute force, service vulnerabilities, or protocol exploitation.\"\n",
        "displayName": "CYFIRMA - Attack Surface - Open Ports High Rule",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "Domain",
                "identifier": "DomainName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "TopDomain",
                "identifier": "HostName"
              },
              {
                "columnName": "Domain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "NetworkIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASOpenPortsHighRule.yaml",
        "query": "// High Severity - Open Ports Exposure Detected\nlet timeFrame = 5m;\nCyfirmaASOpenPortsAlerts_CL\n| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())\n| extend Description=description, FirstSeen=first_seen, LastSeen=last_seen, RiskScore=risk_score, Domain=sub_domain, TopDomain=top_domain, NetworkIP=ip, AlertUID=alert_uid, UID=uid, WebServer=web_server, WebServerVersion=web_server_version, OpenPorts=open_ports, ProviderName=\"CYFIRMA\", ProductName=\"DeCYFIR/DeTCT\"\n| project\n    TimeGenerated,\n    Description,\n    Domain,\n    TopDomain,\n    RiskScore,\n    FirstSeen,\n    LastSeen,\n    NetworkIP,\n    AlertUID,\n    UID,\n    WebServer,\n    WebServerVersion,\n    OpenPorts,\n    ProductName,\n    ProviderName\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "DefenseEvasion",
          "Discovery",
          "InitialAccess",
          "Persistence"
        ],
        "techniques": [
          "T1071",
          "T1505",
          "T1566"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}