CYFIRMA - Attack Surface - Open Ports Medium Rule
| Id | 9e18b6c3-d172-4bc6-a7d9-cc7b0a03a69e |
| Rulename | CYFIRMA - Attack Surface - Open Ports Medium Rule |
| Description | “This rule is triggered when CYFIRMA identifies open and publicly accessible ports on internet-facing assets. Exposed services may include SSH, RDP, HTTP, or other potentially sensitive ports, increasing the risk of unauthorized access, exploitation, or reconnaissance by threat actors. Monitoring open ports is critical to reducing the external attack surface and preventing misuse through brute force, service vulnerabilities, or protocol exploitation.” |
| Severity | Medium |
| Tactics | InitialAccess CommandAndControl Discovery DefenseEvasion Persistence |
| Techniques | T1566 T1071 T1505 |
| Required data connectors | CyfirmaAttackSurfaceAlertsConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASOpenPortsMediumRule.yaml |
| Version | 1.0.0 |
| Arm template | 9e18b6c3-d172-4bc6-a7d9-cc7b0a03a69e.json |
// Medium Severity - Open Ports Exposure Detected
let timeFrame = 5m;
CyfirmaASOpenPortsAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
Domain=sub_domain,
TopDomain=top_domain,
NetworkIP=ip,
AlertUID=alert_uid,
UID=uid,
WebServer=web_server,
WebServerVersion=web_server_version,
OpenPorts=open_ports,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT'
| project
TimeGenerated,
Description,
Domain,
TopDomain,
RiskScore,
FirstSeen,
LastSeen,
NetworkIP,
AlertUID,
UID,
WebServer,
WebServerVersion,
OpenPorts,
ProductName,
ProviderName
status: Available
relevantTechniques:
- T1566
- T1071
- T1505
description: |
"This rule is triggered when CYFIRMA identifies open and publicly accessible ports on internet-facing assets. Exposed services may include SSH, RDP, HTTP, or other potentially sensitive ports, increasing the risk of unauthorized access, exploitation, or reconnaissance by threat actors. Monitoring open ports is critical to reducing the external attack surface and preventing misuse through brute force, service vulnerabilities, or protocol exploitation."
queryPeriod: 5m
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASOpenPortsMediumRule.yaml
alertDetailsOverride:
alertDisplayNameFormat: 'CYFIRMA - Medium Severity Open Ports Exposure Detected on Assets - Domain: {{Domain}}, IP: {{NetworkIP}}'
alertDescriptionFormat: CYFIRMA - Medium Severity Open Ports Exposure Detected on Assets - {{Description}}
alertDynamicProperties:
- value: DeCYFIR/DeTCT
alertProperty: ProductName
- value: CYFIRMA
alertProperty: ProviderName
query: |
// Medium Severity - Open Ports Exposure Detected
let timeFrame = 5m;
CyfirmaASOpenPortsAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
Domain=sub_domain,
TopDomain=top_domain,
NetworkIP=ip,
AlertUID=alert_uid,
UID=uid,
WebServer=web_server,
WebServerVersion=web_server_version,
OpenPorts=open_ports,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT'
| project
TimeGenerated,
Description,
Domain,
TopDomain,
RiskScore,
FirstSeen,
LastSeen,
NetworkIP,
AlertUID,
UID,
WebServer,
WebServerVersion,
OpenPorts,
ProductName,
ProviderName
version: 1.0.0
id: 9e18b6c3-d172-4bc6-a7d9-cc7b0a03a69e
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: false
lookbackDuration: 5h
matchingMethod: AllEntities
reopenClosedIncident: false
tactics:
- InitialAccess
- CommandAndControl
- Discovery
- DefenseEvasion
- Persistence
eventGroupingSettings:
aggregationKind: AlertPerResult
entityMappings:
- fieldMappings:
- identifier: DomainName
columnName: Domain
entityType: DNS
- fieldMappings:
- identifier: HostName
columnName: TopDomain
- identifier: DnsDomain
columnName: Domain
entityType: Host
- fieldMappings:
- identifier: Address
columnName: NetworkIP
entityType: IP
requiredDataConnectors:
- dataTypes:
- CyfirmaASOpenPortsAlerts_CL
connectorId: CyfirmaAttackSurfaceAlertsConnector
name: CYFIRMA - Attack Surface - Open Ports Medium Rule
severity: Medium
customDetails:
Description: Description
FirstSeen: FirstSeen
OpenPorts: OpenPorts
AlertUID: AlertUID
TimeGenerated: TimeGenerated
RiskScore: RiskScore
UID: UID
WebServerVersion: WebServerVersion
WebServer: WebServer
LastSeen: LastSeen
triggerOperator: gt
triggerThreshold: 0
queryFrequency: 5m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9e18b6c3-d172-4bc6-a7d9-cc7b0a03a69e')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9e18b6c3-d172-4bc6-a7d9-cc7b0a03a69e')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "CYFIRMA - Medium Severity Open Ports Exposure Detected on Assets - {{Description}}",
"alertDisplayNameFormat": "CYFIRMA - Medium Severity Open Ports Exposure Detected on Assets - Domain: {{Domain}}, IP: {{NetworkIP}}",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "DeCYFIR/DeTCT"
},
{
"alertProperty": "ProviderName",
"value": "CYFIRMA"
}
]
},
"alertRuleTemplateName": "9e18b6c3-d172-4bc6-a7d9-cc7b0a03a69e",
"customDetails": {
"AlertUID": "AlertUID",
"Description": "Description",
"FirstSeen": "FirstSeen",
"LastSeen": "LastSeen",
"OpenPorts": "OpenPorts",
"RiskScore": "RiskScore",
"TimeGenerated": "TimeGenerated",
"UID": "UID",
"WebServer": "WebServer",
"WebServerVersion": "WebServerVersion"
},
"description": "\"This rule is triggered when CYFIRMA identifies open and publicly accessible ports on internet-facing assets. Exposed services may include SSH, RDP, HTTP, or other potentially sensitive ports, increasing the risk of unauthorized access, exploitation, or reconnaissance by threat actors. Monitoring open ports is critical to reducing the external attack surface and preventing misuse through brute force, service vulnerabilities, or protocol exploitation.\"\n",
"displayName": "CYFIRMA - Attack Surface - Open Ports Medium Rule",
"enabled": true,
"entityMappings": [
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "Domain",
"identifier": "DomainName"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "TopDomain",
"identifier": "HostName"
},
{
"columnName": "Domain",
"identifier": "DnsDomain"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "NetworkIP",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASOpenPortsMediumRule.yaml",
"query": "// Medium Severity - Open Ports Exposure Detected\nlet timeFrame = 5m;\nCyfirmaASOpenPortsAlerts_CL\n| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())\n| extend \n Description=description, \n FirstSeen=first_seen, \n LastSeen=last_seen, \n RiskScore=risk_score, \n Domain=sub_domain, \n TopDomain=top_domain, \n NetworkIP=ip, \n AlertUID=alert_uid, \n UID=uid, \n WebServer=web_server, \n WebServerVersion=web_server_version, \n OpenPorts=open_ports, \n ProviderName='CYFIRMA', \n ProductName='DeCYFIR/DeTCT'\n| project\n TimeGenerated,\n Description,\n Domain,\n TopDomain,\n RiskScore,\n FirstSeen,\n LastSeen,\n NetworkIP,\n AlertUID,\n UID,\n WebServer,\n WebServerVersion,\n OpenPorts,\n ProductName,\n ProviderName\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"DefenseEvasion",
"Discovery",
"InitialAccess",
"Persistence"
],
"techniques": [
"T1071",
"T1505",
"T1566"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}