CYFIRMA - Attack Surface - Open Ports Medium Rule
| Id | 9e18b6c3-d172-4bc6-a7d9-cc7b0a03a69e |
| Rulename | CYFIRMA - Attack Surface - Open Ports Medium Rule |
| Description | “This rule is triggered when CYFIRMA identifies open and publicly accessible ports on internet-facing assets. Exposed services may include SSH, RDP, HTTP, or other potentially sensitive ports, increasing the risk of unauthorized access, exploitation, or reconnaissance by threat actors. Monitoring open ports is critical to reducing the external attack surface and preventing misuse through brute force, service vulnerabilities, or protocol exploitation.” |
| Severity | Medium |
| Tactics | InitialAccess CommandAndControl Discovery DefenseEvasion Persistence |
| Techniques | T1566 T1071 T1505 |
| Required data connectors | CyfirmaAttackSurfaceAlertsConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASOpenPortsMediumRule.yaml |
| Version | 1.0.0 |
| Arm template | 9e18b6c3-d172-4bc6-a7d9-cc7b0a03a69e.json |
// Medium Severity - Open Ports Exposure Detected
let timeFrame = 5m;
CyfirmaASOpenPortsAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
Domain=sub_domain,
TopDomain=top_domain,
NetworkIP=ip,
AlertUID=alert_uid,
UID=uid,
WebServer=web_server,
WebServerVersion=web_server_version,
OpenPorts=open_ports,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT'
| project
TimeGenerated,
Description,
Domain,
TopDomain,
RiskScore,
FirstSeen,
LastSeen,
NetworkIP,
AlertUID,
UID,
WebServer,
WebServerVersion,
OpenPorts,
ProductName,
ProviderName
tactics:
- InitialAccess
- CommandAndControl
- Discovery
- DefenseEvasion
- Persistence
name: CYFIRMA - Attack Surface - Open Ports Medium Rule
id: 9e18b6c3-d172-4bc6-a7d9-cc7b0a03a69e
requiredDataConnectors:
- connectorId: CyfirmaAttackSurfaceAlertsConnector
dataTypes:
- CyfirmaASOpenPortsAlerts_CL
query: |
// Medium Severity - Open Ports Exposure Detected
let timeFrame = 5m;
CyfirmaASOpenPortsAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
Domain=sub_domain,
TopDomain=top_domain,
NetworkIP=ip,
AlertUID=alert_uid,
UID=uid,
WebServer=web_server,
WebServerVersion=web_server_version,
OpenPorts=open_ports,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT'
| project
TimeGenerated,
Description,
Domain,
TopDomain,
RiskScore,
FirstSeen,
LastSeen,
NetworkIP,
AlertUID,
UID,
WebServer,
WebServerVersion,
OpenPorts,
ProductName,
ProviderName
eventGroupingSettings:
aggregationKind: AlertPerResult
relevantTechniques:
- T1566
- T1071
- T1505
incidentConfiguration:
createIncident: true
groupingConfiguration:
matchingMethod: AllEntities
reopenClosedIncident: false
lookbackDuration: 5h
enabled: false
description: |
"This rule is triggered when CYFIRMA identifies open and publicly accessible ports on internet-facing assets. Exposed services may include SSH, RDP, HTTP, or other potentially sensitive ports, increasing the risk of unauthorized access, exploitation, or reconnaissance by threat actors. Monitoring open ports is critical to reducing the external attack surface and preventing misuse through brute force, service vulnerabilities, or protocol exploitation."
triggerOperator: gt
queryPeriod: 5m
severity: Medium
entityMappings:
- fieldMappings:
- identifier: DomainName
columnName: Domain
entityType: DNS
- fieldMappings:
- identifier: HostName
columnName: TopDomain
- identifier: DnsDomain
columnName: Domain
entityType: Host
- fieldMappings:
- identifier: Address
columnName: NetworkIP
entityType: IP
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASOpenPortsMediumRule.yaml
version: 1.0.0
alertDetailsOverride:
alertDynamicProperties:
- alertProperty: ProductName
value: DeCYFIR/DeTCT
- alertProperty: ProviderName
value: CYFIRMA
alertDisplayNameFormat: 'CYFIRMA - Medium Severity Open Ports Exposure Detected on Assets - Domain: {{Domain}}, IP: {{NetworkIP}}'
alertDescriptionFormat: CYFIRMA - Medium Severity Open Ports Exposure Detected on Assets - {{Description}}
triggerThreshold: 0
queryFrequency: 5m
kind: Scheduled
status: Available
customDetails:
RiskScore: RiskScore
Description: Description
FirstSeen: FirstSeen
OpenPorts: OpenPorts
TimeGenerated: TimeGenerated
WebServer: WebServer
WebServerVersion: WebServerVersion
LastSeen: LastSeen
AlertUID: AlertUID
UID: UID
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9e18b6c3-d172-4bc6-a7d9-cc7b0a03a69e')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9e18b6c3-d172-4bc6-a7d9-cc7b0a03a69e')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "CYFIRMA - Medium Severity Open Ports Exposure Detected on Assets - {{Description}}",
"alertDisplayNameFormat": "CYFIRMA - Medium Severity Open Ports Exposure Detected on Assets - Domain: {{Domain}}, IP: {{NetworkIP}}",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "DeCYFIR/DeTCT"
},
{
"alertProperty": "ProviderName",
"value": "CYFIRMA"
}
]
},
"alertRuleTemplateName": "9e18b6c3-d172-4bc6-a7d9-cc7b0a03a69e",
"customDetails": {
"AlertUID": "AlertUID",
"Description": "Description",
"FirstSeen": "FirstSeen",
"LastSeen": "LastSeen",
"OpenPorts": "OpenPorts",
"RiskScore": "RiskScore",
"TimeGenerated": "TimeGenerated",
"UID": "UID",
"WebServer": "WebServer",
"WebServerVersion": "WebServerVersion"
},
"description": "\"This rule is triggered when CYFIRMA identifies open and publicly accessible ports on internet-facing assets. Exposed services may include SSH, RDP, HTTP, or other potentially sensitive ports, increasing the risk of unauthorized access, exploitation, or reconnaissance by threat actors. Monitoring open ports is critical to reducing the external attack surface and preventing misuse through brute force, service vulnerabilities, or protocol exploitation.\"\n",
"displayName": "CYFIRMA - Attack Surface - Open Ports Medium Rule",
"enabled": true,
"entityMappings": [
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "Domain",
"identifier": "DomainName"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "TopDomain",
"identifier": "HostName"
},
{
"columnName": "Domain",
"identifier": "DnsDomain"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "NetworkIP",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASOpenPortsMediumRule.yaml",
"query": "// Medium Severity - Open Ports Exposure Detected\nlet timeFrame = 5m;\nCyfirmaASOpenPortsAlerts_CL\n| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())\n| extend \n Description=description, \n FirstSeen=first_seen, \n LastSeen=last_seen, \n RiskScore=risk_score, \n Domain=sub_domain, \n TopDomain=top_domain, \n NetworkIP=ip, \n AlertUID=alert_uid, \n UID=uid, \n WebServer=web_server, \n WebServerVersion=web_server_version, \n OpenPorts=open_ports, \n ProviderName='CYFIRMA', \n ProductName='DeCYFIR/DeTCT'\n| project\n TimeGenerated,\n Description,\n Domain,\n TopDomain,\n RiskScore,\n FirstSeen,\n LastSeen,\n NetworkIP,\n AlertUID,\n UID,\n WebServer,\n WebServerVersion,\n OpenPorts,\n ProductName,\n ProviderName\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"DefenseEvasion",
"Discovery",
"InitialAccess",
"Persistence"
],
"techniques": [
"T1071",
"T1505",
"T1566"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}