CYFIRMA - Attack Surface - Open Ports Medium Rule

// Medium Severity - Open Ports Exposure Detected
let timeFrame = 5m;
CyfirmaASOpenPortsAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend 
    Description=description, 
    FirstSeen=first_seen, 
    LastSeen=last_seen, 
    RiskScore=risk_score, 
    Domain=sub_domain, 
    TopDomain=top_domain, 
    NetworkIP=ip, 
    AlertUID=alert_uid, 
    UID=uid, 
    WebServer=web_server, 
    WebServerVersion=web_server_version, 
    OpenPorts=open_ports, 
    ProviderName='CYFIRMA', 
    ProductName='DeCYFIR/DeTCT'
| project
    TimeGenerated,
    Description,
    Domain,
    TopDomain,
    RiskScore,
    FirstSeen,
    LastSeen,
    NetworkIP,
    AlertUID,
    UID,
    WebServer,
    WebServerVersion,
    OpenPorts,
    ProductName,
    ProviderName

alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Open Ports Exposure Detected on Assets - Domain: {{Domain}}, IP: {{NetworkIP}}'
  alertDynamicProperties:
  - value: DeCYFIR/DeTCT
    alertProperty: ProductName
  - value: CYFIRMA
    alertProperty: ProviderName
  alertDescriptionFormat: CYFIRMA - Medium Severity Open Ports Exposure Detected on Assets - {{Description}}
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
  createIncident: true
customDetails:
  AlertUID: AlertUID
  FirstSeen: FirstSeen
  Description: Description
  OpenPorts: OpenPorts
  UID: UID
  RiskScore: RiskScore
  WebServerVersion: WebServerVersion
  WebServer: WebServer
  LastSeen: LastSeen
  TimeGenerated: TimeGenerated
relevantTechniques:
- T1566
- T1071
- T1505
queryFrequency: 5m
tactics:
- InitialAccess
- CommandAndControl
- Discovery
- DefenseEvasion
- Persistence
version: 1.0.1
triggerOperator: gt
name: CYFIRMA - Attack Surface - Open Ports Medium Rule
description: |
    "This rule is triggered when CYFIRMA identifies open and publicly accessible ports on internet-facing assets. Exposed services may include SSH, RDP, HTTP, or other potentially sensitive ports, increasing the risk of unauthorized access, exploitation, or reconnaissance by threat actors. Monitoring open ports is critical to reducing the external attack surface and preventing misuse through brute force, service vulnerabilities, or protocol exploitation."
entityMappings:
- entityType: DNS
  fieldMappings:
  - columnName: Domain
    identifier: DomainName
- entityType: Host
  fieldMappings:
  - columnName: TopDomain
    identifier: HostName
  - columnName: Domain
    identifier: DnsDomain
- entityType: IP
  fieldMappings:
  - columnName: NetworkIP
    identifier: Address
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
id: 9e18b6c3-d172-4bc6-a7d9-cc7b0a03a69e
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASOpenPortsMediumRule.yaml
kind: Scheduled
triggerThreshold: 0
queryPeriod: 5m
requiredDataConnectors:
- connectorId: CyfirmaAttackSurfaceAlertsConnector
  dataTypes:
  - CyfirmaASOpenPortsAlerts_CL
severity: Medium
query: |
  // Medium Severity - Open Ports Exposure Detected
  let timeFrame = 5m;
  CyfirmaASOpenPortsAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend 
      Description=description, 
      FirstSeen=first_seen, 
      LastSeen=last_seen, 
      RiskScore=risk_score, 
      Domain=sub_domain, 
      TopDomain=top_domain, 
      NetworkIP=ip, 
      AlertUID=alert_uid, 
      UID=uid, 
      WebServer=web_server, 
      WebServerVersion=web_server_version, 
      OpenPorts=open_ports, 
      ProviderName='CYFIRMA', 
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      Domain,
      TopDomain,
      RiskScore,
      FirstSeen,
      LastSeen,
      NetworkIP,
      AlertUID,
      UID,
      WebServer,
      WebServerVersion,
      OpenPorts,
      ProductName,
      ProviderName