Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Attack Surface - DomainIP Vulnerability Exposure Medium Rule

Back
Ida2f2c91b-5796-45e4-82c7-61763e6c2c9c
RulenameCYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure Medium Rule
Description“This rule is triggered when CYFIRMA identifies publicly exposed vulnerabilities on domains or IP addresses within your organization’s attack surface. These vulnerabilities may include outdated software, missing patches, insecure services, or misconfigurations that can be exploited by threat actors.Such exposure significantly increases the risk of exploitation, lateral movement, or data breach. Immediate investigation and remediation are recommended.”
SeverityMedium
TacticsInitialAccess
Discovery
DefenseEvasion
Persistence
Execution
Impact
PrivilegeEscalation
TechniquesT1505
T1068
T1046
T1499
Required data connectorsCyfirmaAttackSurfaceAlertsConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASDomainIPVulnerabilitiesMediumRule.yaml
Version1.0.0
Arm templatea2f2c91b-5796-45e4-82c7-61763e6c2c9c.json
Deploy To Azure
// Medium Severity Domain/IP Vulnerability Exposure Detected
let timeFrame = 5m;
CyfirmaASDomainIPVulnerabilityAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| mv-expand pvuln = possible_vulnerabilities
| extend cve = tostring(pvuln.cveNo), vulProducts = pvuln.products
| mv-expand vul_Products = vulProducts
| summarize cveList = make_set(cve, 100), vul_products1 = make_set(vul_Products, 100)    by uid
| join kind=inner (CyfirmaASDomainIPVulnerabilityAlerts_CL
    | where severity == 'High'
    | summarize arg_max(TimeGenerated, *) by uid)
    on uid
| extend
    Vulnerabilities = strcat_array(cveList, ', '),
    VulnerabilityProducts = strcat_array(vul_products1, ', '),
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    Domain=sub_domain,
    TopDomain=top_domain,
    NetworkIP=ip,
    AlertUID=alert_uid,
    UID=uid,
    OpenPorts=open_ports,
    HostProvider=host_provider,
    Country=country,
    Softwares=softwares,
    WebServer=web_server,
    WebServerVersion=web_server_version,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT'
| project
    TimeGenerated,
    Description,
    Domain,
    TopDomain,
    RiskScore,
    FirstSeen,
    LastSeen,
    NetworkIP,
    AlertUID,
    UID,
    Vulnerabilities,
    VulnerabilityProducts,
    OpenPorts,
    HostProvider,
    Country,
    Softwares,
    WebServer,
    WebServerVersion,
    ProviderName,
    ProductName
tactics:
- InitialAccess
- Discovery
- DefenseEvasion
- Persistence
- Execution
- Impact
- PrivilegeEscalation
name: CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure Medium Rule
id: a2f2c91b-5796-45e4-82c7-61763e6c2c9c
requiredDataConnectors:
- connectorId: CyfirmaAttackSurfaceAlertsConnector
  dataTypes:
  - CyfirmaASDomainIPVulnerabilityAlerts_CL
query: |
  // Medium Severity Domain/IP Vulnerability Exposure Detected
  let timeFrame = 5m;
  CyfirmaASDomainIPVulnerabilityAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | mv-expand pvuln = possible_vulnerabilities
  | extend cve = tostring(pvuln.cveNo), vulProducts = pvuln.products
  | mv-expand vul_Products = vulProducts
  | summarize cveList = make_set(cve, 100), vul_products1 = make_set(vul_Products, 100)    by uid
  | join kind=inner (CyfirmaASDomainIPVulnerabilityAlerts_CL
      | where severity == 'High'
      | summarize arg_max(TimeGenerated, *) by uid)
      on uid
  | extend
      Vulnerabilities = strcat_array(cveList, ', '),
      VulnerabilityProducts = strcat_array(vul_products1, ', '),
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      Domain=sub_domain,
      TopDomain=top_domain,
      NetworkIP=ip,
      AlertUID=alert_uid,
      UID=uid,
      OpenPorts=open_ports,
      HostProvider=host_provider,
      Country=country,
      Softwares=softwares,
      WebServer=web_server,
      WebServerVersion=web_server_version,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      Domain,
      TopDomain,
      RiskScore,
      FirstSeen,
      LastSeen,
      NetworkIP,
      AlertUID,
      UID,
      Vulnerabilities,
      VulnerabilityProducts,
      OpenPorts,
      HostProvider,
      Country,
      Softwares,
      WebServer,
      WebServerVersion,
      ProviderName,
      ProductName  
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1505
- T1068
- T1046
- T1499
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: 5h
    enabled: false
description: |
    "This rule is triggered when CYFIRMA identifies publicly exposed vulnerabilities on domains or IP addresses within your organization's attack surface. These vulnerabilities may include outdated software, missing patches, insecure services, or misconfigurations that can be exploited by threat actors.Such exposure significantly increases the risk of exploitation, lateral movement, or data breach. Immediate investigation and remediation are recommended."
triggerOperator: gt
queryPeriod: 5m
severity: Medium
entityMappings:
- fieldMappings:
  - identifier: DomainName
    columnName: Domain
  entityType: DNS
- fieldMappings:
  - identifier: HostName
    columnName: TopDomain
  - identifier: DnsDomain
    columnName: Domain
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: NetworkIP
  entityType: IP
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASDomainIPVulnerabilitiesMediumRule.yaml
version: 1.0.0
alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Domain/IP Vulnerability Exposure Detected - Domain: {{Domain}}, IP: {{NetworkIP}}'
  alertDescriptionFormat: CYFIRMA - Medium Severity Domain/IP Vulnerability Exposure Detected - {{Description}}
triggerThreshold: 0
queryFrequency: 5m
kind: Scheduled
status: Available
customDetails:
  Softwares: Softwares
  OpenPorts: OpenPorts
  Vulnerabilities: Vulnerabilities
  Country: Country
  vulnerableProducts: VulnerabilityProducts
  TimeGenerated: TimeGenerated
  WebServerVersion: WebServerVersion
  UID: UID
  HostProvider: HostProvider
  LastSeen: LastSeen
  RiskScore: RiskScore
  WebServer: WebServer
  FirstSeen: FirstSeen
  AlertUID: AlertUID
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a2f2c91b-5796-45e4-82c7-61763e6c2c9c')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a2f2c91b-5796-45e4-82c7-61763e6c2c9c')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "CYFIRMA - Medium Severity Domain/IP Vulnerability Exposure Detected - {{Description}}",
          "alertDisplayNameFormat": "CYFIRMA - Medium Severity Domain/IP Vulnerability Exposure Detected - Domain: {{Domain}}, IP: {{NetworkIP}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "a2f2c91b-5796-45e4-82c7-61763e6c2c9c",
        "customDetails": {
          "AlertUID": "AlertUID",
          "Country": "Country",
          "FirstSeen": "FirstSeen",
          "HostProvider": "HostProvider",
          "LastSeen": "LastSeen",
          "OpenPorts": "OpenPorts",
          "RiskScore": "RiskScore",
          "Softwares": "Softwares",
          "TimeGenerated": "TimeGenerated",
          "UID": "UID",
          "Vulnerabilities": "Vulnerabilities",
          "vulnerableProducts": "VulnerabilityProducts",
          "WebServer": "WebServer",
          "WebServerVersion": "WebServerVersion"
        },
        "description": "\"This rule is triggered when CYFIRMA identifies publicly exposed vulnerabilities on domains or IP addresses within your organization's attack surface. These vulnerabilities may include outdated software, missing patches, insecure services, or misconfigurations that can be exploited by threat actors.Such exposure significantly increases the risk of exploitation, lateral movement, or data breach. Immediate investigation and remediation are recommended.\"\n",
        "displayName": "CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure Medium Rule",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "Domain",
                "identifier": "DomainName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "TopDomain",
                "identifier": "HostName"
              },
              {
                "columnName": "Domain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "NetworkIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASDomainIPVulnerabilitiesMediumRule.yaml",
        "query": "// Medium Severity Domain/IP Vulnerability Exposure Detected\nlet timeFrame = 5m;\nCyfirmaASDomainIPVulnerabilityAlerts_CL\n| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())\n| mv-expand pvuln = possible_vulnerabilities\n| extend cve = tostring(pvuln.cveNo), vulProducts = pvuln.products\n| mv-expand vul_Products = vulProducts\n| summarize cveList = make_set(cve, 100), vul_products1 = make_set(vul_Products, 100)    by uid\n| join kind=inner (CyfirmaASDomainIPVulnerabilityAlerts_CL\n    | where severity == 'High'\n    | summarize arg_max(TimeGenerated, *) by uid)\n    on uid\n| extend\n    Vulnerabilities = strcat_array(cveList, ', '),\n    VulnerabilityProducts = strcat_array(vul_products1, ', '),\n    Description=description,\n    FirstSeen=first_seen,\n    LastSeen=last_seen,\n    RiskScore=risk_score,\n    Domain=sub_domain,\n    TopDomain=top_domain,\n    NetworkIP=ip,\n    AlertUID=alert_uid,\n    UID=uid,\n    OpenPorts=open_ports,\n    HostProvider=host_provider,\n    Country=country,\n    Softwares=softwares,\n    WebServer=web_server,\n    WebServerVersion=web_server_version,\n    ProviderName='CYFIRMA',\n    ProductName='DeCYFIR/DeTCT'\n| project\n    TimeGenerated,\n    Description,\n    Domain,\n    TopDomain,\n    RiskScore,\n    FirstSeen,\n    LastSeen,\n    NetworkIP,\n    AlertUID,\n    UID,\n    Vulnerabilities,\n    VulnerabilityProducts,\n    OpenPorts,\n    HostProvider,\n    Country,\n    Softwares,\n    WebServer,\n    WebServerVersion,\n    ProviderName,\n    ProductName\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Discovery",
          "Execution",
          "Impact",
          "InitialAccess",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1046",
          "T1068",
          "T1499",
          "T1505"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}