Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Attack Surface - Open Ports Medium Rule

Back
Id9e18b6c3-d172-4bc6-a7d9-cc7b0a03a69e
RulenameCYFIRMA - Attack Surface - Open Ports Medium Rule
Description“This rule is triggered when CYFIRMA identifies open and publicly accessible ports on internet-facing assets. Exposed services may include SSH, RDP, HTTP, or other potentially sensitive ports, increasing the risk of unauthorized access, exploitation, or reconnaissance by threat actors. Monitoring open ports is critical to reducing the external attack surface and preventing misuse through brute force, service vulnerabilities, or protocol exploitation.”
SeverityMedium
TacticsInitialAccess
CommandAndControl
Discovery
DefenseEvasion
Persistence
TechniquesT1566
T1071
T1505
Required data connectorsCyfirmaAttackSurfaceAlertsConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASOpenPortsMediumRule.yaml
Version1.0.0
Arm template9e18b6c3-d172-4bc6-a7d9-cc7b0a03a69e.json
Deploy To Azure
// Medium Severity - Open Ports Exposure Detected
let timeFrame = 5m;
CyfirmaASOpenPortsAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend 
    Description=description, 
    FirstSeen=first_seen, 
    LastSeen=last_seen, 
    RiskScore=risk_score, 
    Domain=sub_domain, 
    TopDomain=top_domain, 
    NetworkIP=ip, 
    AlertUID=alert_uid, 
    UID=uid, 
    WebServer=web_server, 
    WebServerVersion=web_server_version, 
    OpenPorts=open_ports, 
    ProviderName='CYFIRMA', 
    ProductName='DeCYFIR/DeTCT'
| project
    TimeGenerated,
    Description,
    Domain,
    TopDomain,
    RiskScore,
    FirstSeen,
    LastSeen,
    NetworkIP,
    AlertUID,
    UID,
    WebServer,
    WebServerVersion,
    OpenPorts,
    ProductName,
    ProviderName
status: Available
relevantTechniques:
- T1566
- T1071
- T1505
description: |
    "This rule is triggered when CYFIRMA identifies open and publicly accessible ports on internet-facing assets. Exposed services may include SSH, RDP, HTTP, or other potentially sensitive ports, increasing the risk of unauthorized access, exploitation, or reconnaissance by threat actors. Monitoring open ports is critical to reducing the external attack surface and preventing misuse through brute force, service vulnerabilities, or protocol exploitation."
queryPeriod: 5m
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASOpenPortsMediumRule.yaml
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Open Ports Exposure Detected on Assets - Domain: {{Domain}}, IP: {{NetworkIP}}'
  alertDescriptionFormat: CYFIRMA - Medium Severity Open Ports Exposure Detected on Assets - {{Description}}
  alertDynamicProperties:
  - value: DeCYFIR/DeTCT
    alertProperty: ProductName
  - value: CYFIRMA
    alertProperty: ProviderName
query: |
  // Medium Severity - Open Ports Exposure Detected
  let timeFrame = 5m;
  CyfirmaASOpenPortsAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend 
      Description=description, 
      FirstSeen=first_seen, 
      LastSeen=last_seen, 
      RiskScore=risk_score, 
      Domain=sub_domain, 
      TopDomain=top_domain, 
      NetworkIP=ip, 
      AlertUID=alert_uid, 
      UID=uid, 
      WebServer=web_server, 
      WebServerVersion=web_server_version, 
      OpenPorts=open_ports, 
      ProviderName='CYFIRMA', 
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      Domain,
      TopDomain,
      RiskScore,
      FirstSeen,
      LastSeen,
      NetworkIP,
      AlertUID,
      UID,
      WebServer,
      WebServerVersion,
      OpenPorts,
      ProductName,
      ProviderName  
version: 1.0.0
id: 9e18b6c3-d172-4bc6-a7d9-cc7b0a03a69e
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    lookbackDuration: 5h
    matchingMethod: AllEntities
    reopenClosedIncident: false
tactics:
- InitialAccess
- CommandAndControl
- Discovery
- DefenseEvasion
- Persistence
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- fieldMappings:
  - identifier: DomainName
    columnName: Domain
  entityType: DNS
- fieldMappings:
  - identifier: HostName
    columnName: TopDomain
  - identifier: DnsDomain
    columnName: Domain
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: NetworkIP
  entityType: IP
requiredDataConnectors:
- dataTypes:
  - CyfirmaASOpenPortsAlerts_CL
  connectorId: CyfirmaAttackSurfaceAlertsConnector
name: CYFIRMA - Attack Surface - Open Ports Medium Rule
severity: Medium
customDetails:
  Description: Description
  FirstSeen: FirstSeen
  OpenPorts: OpenPorts
  AlertUID: AlertUID
  TimeGenerated: TimeGenerated
  RiskScore: RiskScore
  UID: UID
  WebServerVersion: WebServerVersion
  WebServer: WebServer
  LastSeen: LastSeen
triggerOperator: gt
triggerThreshold: 0
queryFrequency: 5m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9e18b6c3-d172-4bc6-a7d9-cc7b0a03a69e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9e18b6c3-d172-4bc6-a7d9-cc7b0a03a69e')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "CYFIRMA - Medium Severity Open Ports Exposure Detected on Assets - {{Description}}",
          "alertDisplayNameFormat": "CYFIRMA - Medium Severity Open Ports Exposure Detected on Assets - Domain: {{Domain}}, IP: {{NetworkIP}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "DeCYFIR/DeTCT"
            },
            {
              "alertProperty": "ProviderName",
              "value": "CYFIRMA"
            }
          ]
        },
        "alertRuleTemplateName": "9e18b6c3-d172-4bc6-a7d9-cc7b0a03a69e",
        "customDetails": {
          "AlertUID": "AlertUID",
          "Description": "Description",
          "FirstSeen": "FirstSeen",
          "LastSeen": "LastSeen",
          "OpenPorts": "OpenPorts",
          "RiskScore": "RiskScore",
          "TimeGenerated": "TimeGenerated",
          "UID": "UID",
          "WebServer": "WebServer",
          "WebServerVersion": "WebServerVersion"
        },
        "description": "\"This rule is triggered when CYFIRMA identifies open and publicly accessible ports on internet-facing assets. Exposed services may include SSH, RDP, HTTP, or other potentially sensitive ports, increasing the risk of unauthorized access, exploitation, or reconnaissance by threat actors. Monitoring open ports is critical to reducing the external attack surface and preventing misuse through brute force, service vulnerabilities, or protocol exploitation.\"\n",
        "displayName": "CYFIRMA - Attack Surface - Open Ports Medium Rule",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "Domain",
                "identifier": "DomainName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "TopDomain",
                "identifier": "HostName"
              },
              {
                "columnName": "Domain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "NetworkIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASOpenPortsMediumRule.yaml",
        "query": "// Medium Severity - Open Ports Exposure Detected\nlet timeFrame = 5m;\nCyfirmaASOpenPortsAlerts_CL\n| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())\n| extend \n    Description=description, \n    FirstSeen=first_seen, \n    LastSeen=last_seen, \n    RiskScore=risk_score, \n    Domain=sub_domain, \n    TopDomain=top_domain, \n    NetworkIP=ip, \n    AlertUID=alert_uid, \n    UID=uid, \n    WebServer=web_server, \n    WebServerVersion=web_server_version, \n    OpenPorts=open_ports, \n    ProviderName='CYFIRMA', \n    ProductName='DeCYFIR/DeTCT'\n| project\n    TimeGenerated,\n    Description,\n    Domain,\n    TopDomain,\n    RiskScore,\n    FirstSeen,\n    LastSeen,\n    NetworkIP,\n    AlertUID,\n    UID,\n    WebServer,\n    WebServerVersion,\n    OpenPorts,\n    ProductName,\n    ProviderName\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "DefenseEvasion",
          "Discovery",
          "InitialAccess",
          "Persistence"
        ],
        "techniques": [
          "T1071",
          "T1505",
          "T1566"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}