CYFIRMA - Attack Surface - Open Ports Medium Rule

// Medium Severity - Open Ports Exposure Detected
let timeFrame = 5m;
CyfirmaASOpenPortsAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend 
    Description=description, 
    FirstSeen=first_seen, 
    LastSeen=last_seen, 
    RiskScore=risk_score, 
    Domain=sub_domain, 
    TopDomain=top_domain, 
    NetworkIP=ip, 
    AlertUID=alert_uid, 
    UID=uid, 
    WebServer=web_server, 
    WebServerVersion=web_server_version, 
    OpenPorts=open_ports, 
    ProviderName='CYFIRMA', 
    ProductName='DeCYFIR/DeTCT'
| project
    TimeGenerated,
    Description,
    Domain,
    TopDomain,
    RiskScore,
    FirstSeen,
    LastSeen,
    NetworkIP,
    AlertUID,
    UID,
    WebServer,
    WebServerVersion,
    OpenPorts,
    ProductName,
    ProviderName

name: CYFIRMA - Attack Surface - Open Ports Medium Rule
alertDetailsOverride:
  alertDynamicProperties:
  - value: DeCYFIR/DeTCT
    alertProperty: ProductName
  - value: CYFIRMA
    alertProperty: ProviderName
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Open Ports Exposure Detected on Assets - Domain: {{Domain}}, IP: {{NetworkIP}}'
  alertDescriptionFormat: CYFIRMA - Medium Severity Open Ports Exposure Detected on Assets - {{Description}}
version: 1.0.1
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - columnName: Domain
    identifier: DomainName
  entityType: DNS
- fieldMappings:
  - columnName: TopDomain
    identifier: HostName
  - columnName: Domain
    identifier: DnsDomain
  entityType: Host
- fieldMappings:
  - columnName: NetworkIP
    identifier: Address
  entityType: IP
id: 9e18b6c3-d172-4bc6-a7d9-cc7b0a03a69e
triggerOperator: gt
query: |
  // Medium Severity - Open Ports Exposure Detected
  let timeFrame = 5m;
  CyfirmaASOpenPortsAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend 
      Description=description, 
      FirstSeen=first_seen, 
      LastSeen=last_seen, 
      RiskScore=risk_score, 
      Domain=sub_domain, 
      TopDomain=top_domain, 
      NetworkIP=ip, 
      AlertUID=alert_uid, 
      UID=uid, 
      WebServer=web_server, 
      WebServerVersion=web_server_version, 
      OpenPorts=open_ports, 
      ProviderName='CYFIRMA', 
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      Domain,
      TopDomain,
      RiskScore,
      FirstSeen,
      LastSeen,
      NetworkIP,
      AlertUID,
      UID,
      WebServer,
      WebServerVersion,
      OpenPorts,
      ProductName,
      ProviderName  
description: |
    "This rule is triggered when CYFIRMA identifies open and publicly accessible ports on internet-facing assets. Exposed services may include SSH, RDP, HTTP, or other potentially sensitive ports, increasing the risk of unauthorized access, exploitation, or reconnaissance by threat actors. Monitoring open ports is critical to reducing the external attack surface and preventing misuse through brute force, service vulnerabilities, or protocol exploitation."
kind: Scheduled
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASOpenPortsMediumRule.yaml
severity: Medium
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: false
queryPeriod: 5m
requiredDataConnectors:
- dataTypes:
  - CyfirmaASOpenPortsAlerts_CL
  connectorId: CyfirmaAttackSurfaceAlertsConnector
status: Available
customDetails:
  TimeGenerated: TimeGenerated
  UID: UID
  WebServerVersion: WebServerVersion
  OpenPorts: OpenPorts
  LastSeen: LastSeen
  FirstSeen: FirstSeen
  RiskScore: RiskScore
  AlertUID: AlertUID
  Description: Description
  WebServer: WebServer
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1566
- T1071
- T1505
tactics:
- InitialAccess
- CommandAndControl
- Discovery
- DefenseEvasion
- Persistence