CYFIRMA - Attack Surface - Open Ports Medium Rule

// Medium Severity - Open Ports Exposure Detected
let timeFrame = 5m;
CyfirmaASOpenPortsAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend 
    Description=description, 
    FirstSeen=first_seen, 
    LastSeen=last_seen, 
    RiskScore=risk_score, 
    Domain=sub_domain, 
    TopDomain=top_domain, 
    NetworkIP=ip, 
    AlertUID=alert_uid, 
    UID=uid, 
    WebServer=web_server, 
    WebServerVersion=web_server_version, 
    OpenPorts=open_ports, 
    ProviderName='CYFIRMA', 
    ProductName='DeCYFIR/DeTCT'
| project
    TimeGenerated,
    Description,
    Domain,
    TopDomain,
    RiskScore,
    FirstSeen,
    LastSeen,
    NetworkIP,
    AlertUID,
    UID,
    WebServer,
    WebServerVersion,
    OpenPorts,
    ProductName,
    ProviderName

customDetails:
  FirstSeen: FirstSeen
  TimeGenerated: TimeGenerated
  RiskScore: RiskScore
  Description: Description
  AlertUID: AlertUID
  WebServer: WebServer
  WebServerVersion: WebServerVersion
  LastSeen: LastSeen
  OpenPorts: OpenPorts
  UID: UID
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASOpenPortsMediumRule.yaml
id: 9e18b6c3-d172-4bc6-a7d9-cc7b0a03a69e
requiredDataConnectors:
- dataTypes:
  - CyfirmaASOpenPortsAlerts_CL
  connectorId: CyfirmaAttackSurfaceAlertsConnector
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
  createIncident: true
relevantTechniques:
- T1566
- T1071
- T1505
kind: Scheduled
name: CYFIRMA - Attack Surface - Open Ports Medium Rule
query: |
  // Medium Severity - Open Ports Exposure Detected
  let timeFrame = 5m;
  CyfirmaASOpenPortsAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend 
      Description=description, 
      FirstSeen=first_seen, 
      LastSeen=last_seen, 
      RiskScore=risk_score, 
      Domain=sub_domain, 
      TopDomain=top_domain, 
      NetworkIP=ip, 
      AlertUID=alert_uid, 
      UID=uid, 
      WebServer=web_server, 
      WebServerVersion=web_server_version, 
      OpenPorts=open_ports, 
      ProviderName='CYFIRMA', 
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      Domain,
      TopDomain,
      RiskScore,
      FirstSeen,
      LastSeen,
      NetworkIP,
      AlertUID,
      UID,
      WebServer,
      WebServerVersion,
      OpenPorts,
      ProductName,
      ProviderName  
tactics:
- InitialAccess
- CommandAndControl
- Discovery
- DefenseEvasion
- Persistence
severity: Medium
entityMappings:
- fieldMappings:
  - identifier: DomainName
    columnName: Domain
  entityType: DNS
- fieldMappings:
  - identifier: HostName
    columnName: TopDomain
  - identifier: DnsDomain
    columnName: Domain
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: NetworkIP
  entityType: IP
queryFrequency: 5m
description: |
    "This rule is triggered when CYFIRMA identifies open and publicly accessible ports on internet-facing assets. Exposed services may include SSH, RDP, HTTP, or other potentially sensitive ports, increasing the risk of unauthorized access, exploitation, or reconnaissance by threat actors. Monitoring open ports is critical to reducing the external attack surface and preventing misuse through brute force, service vulnerabilities, or protocol exploitation."
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Open Ports Exposure Detected on Assets - Domain: {{Domain}}, IP: {{NetworkIP}}'
  alertDescriptionFormat: CYFIRMA - Medium Severity Open Ports Exposure Detected on Assets - {{Description}}
  alertDynamicProperties:
  - value: DeCYFIR/DeTCT
    alertProperty: ProductName
  - value: CYFIRMA
    alertProperty: ProviderName
triggerThreshold: 0
triggerOperator: gt
version: 1.0.1
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryPeriod: 5m
status: Available