CYFIRMA - Attack Surface - DomainIP Vulnerability Exposure Medium Rule
| Id | a2f2c91b-5796-45e4-82c7-61763e6c2c9c |
| Rulename | CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure Medium Rule |
| Description | “This rule is triggered when CYFIRMA identifies publicly exposed vulnerabilities on domains or IP addresses within your organization’s attack surface. These vulnerabilities may include outdated software, missing patches, insecure services, or misconfigurations that can be exploited by threat actors.Such exposure significantly increases the risk of exploitation, lateral movement, or data breach. Immediate investigation and remediation are recommended.” |
| Severity | Medium |
| Tactics | InitialAccess Discovery DefenseEvasion Persistence Execution Impact PrivilegeEscalation |
| Techniques | T1505 T1068 T1046 T1499 |
| Required data connectors | CyfirmaAttackSurfaceAlertsConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASDomainIPVulnerabilitiesMediumRule.yaml |
| Version | 1.0.0 |
| Arm template | a2f2c91b-5796-45e4-82c7-61763e6c2c9c.json |
// Medium Severity Domain/IP Vulnerability Exposure Detected
let timeFrame = 5m;
CyfirmaASDomainIPVulnerabilityAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| mv-expand pvuln = possible_vulnerabilities
| extend cve = tostring(pvuln.cveNo), vulProducts = pvuln.products
| mv-expand vul_Products = vulProducts
| summarize cveList = make_set(cve, 100), vul_products1 = make_set(vul_Products, 100) by uid
| join kind=inner (CyfirmaASDomainIPVulnerabilityAlerts_CL
| where severity == 'High'
| summarize arg_max(TimeGenerated, *) by uid)
on uid
| extend
Vulnerabilities = strcat_array(cveList, ', '),
VulnerabilityProducts = strcat_array(vul_products1, ', '),
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
Domain=sub_domain,
TopDomain=top_domain,
NetworkIP=ip,
AlertUID=alert_uid,
UID=uid,
OpenPorts=open_ports,
HostProvider=host_provider,
Country=country,
Softwares=softwares,
WebServer=web_server,
WebServerVersion=web_server_version,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT'
| project
TimeGenerated,
Description,
Domain,
TopDomain,
RiskScore,
FirstSeen,
LastSeen,
NetworkIP,
AlertUID,
UID,
Vulnerabilities,
VulnerabilityProducts,
OpenPorts,
HostProvider,
Country,
Softwares,
WebServer,
WebServerVersion,
ProviderName,
ProductName
status: Available
relevantTechniques:
- T1505
- T1068
- T1046
- T1499
description: |
"This rule is triggered when CYFIRMA identifies publicly exposed vulnerabilities on domains or IP addresses within your organization's attack surface. These vulnerabilities may include outdated software, missing patches, insecure services, or misconfigurations that can be exploited by threat actors.Such exposure significantly increases the risk of exploitation, lateral movement, or data breach. Immediate investigation and remediation are recommended."
queryPeriod: 5m
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASDomainIPVulnerabilitiesMediumRule.yaml
alertDetailsOverride:
alertDisplayNameFormat: 'CYFIRMA - Medium Severity Domain/IP Vulnerability Exposure Detected - Domain: {{Domain}}, IP: {{NetworkIP}}'
alertDescriptionFormat: CYFIRMA - Medium Severity Domain/IP Vulnerability Exposure Detected - {{Description}}
alertDynamicProperties:
- value: ProductName
alertProperty: ProductName
- value: ProviderName
alertProperty: ProviderName
query: |
// Medium Severity Domain/IP Vulnerability Exposure Detected
let timeFrame = 5m;
CyfirmaASDomainIPVulnerabilityAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| mv-expand pvuln = possible_vulnerabilities
| extend cve = tostring(pvuln.cveNo), vulProducts = pvuln.products
| mv-expand vul_Products = vulProducts
| summarize cveList = make_set(cve, 100), vul_products1 = make_set(vul_Products, 100) by uid
| join kind=inner (CyfirmaASDomainIPVulnerabilityAlerts_CL
| where severity == 'High'
| summarize arg_max(TimeGenerated, *) by uid)
on uid
| extend
Vulnerabilities = strcat_array(cveList, ', '),
VulnerabilityProducts = strcat_array(vul_products1, ', '),
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
Domain=sub_domain,
TopDomain=top_domain,
NetworkIP=ip,
AlertUID=alert_uid,
UID=uid,
OpenPorts=open_ports,
HostProvider=host_provider,
Country=country,
Softwares=softwares,
WebServer=web_server,
WebServerVersion=web_server_version,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT'
| project
TimeGenerated,
Description,
Domain,
TopDomain,
RiskScore,
FirstSeen,
LastSeen,
NetworkIP,
AlertUID,
UID,
Vulnerabilities,
VulnerabilityProducts,
OpenPorts,
HostProvider,
Country,
Softwares,
WebServer,
WebServerVersion,
ProviderName,
ProductName
version: 1.0.0
id: a2f2c91b-5796-45e4-82c7-61763e6c2c9c
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: false
lookbackDuration: 5h
matchingMethod: AllEntities
reopenClosedIncident: false
tactics:
- InitialAccess
- Discovery
- DefenseEvasion
- Persistence
- Execution
- Impact
- PrivilegeEscalation
eventGroupingSettings:
aggregationKind: AlertPerResult
entityMappings:
- fieldMappings:
- identifier: DomainName
columnName: Domain
entityType: DNS
- fieldMappings:
- identifier: HostName
columnName: TopDomain
- identifier: DnsDomain
columnName: Domain
entityType: Host
- fieldMappings:
- identifier: Address
columnName: NetworkIP
entityType: IP
requiredDataConnectors:
- dataTypes:
- CyfirmaASDomainIPVulnerabilityAlerts_CL
connectorId: CyfirmaAttackSurfaceAlertsConnector
name: CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure Medium Rule
severity: Medium
customDetails:
LastSeen: LastSeen
UID: UID
AlertUID: AlertUID
Country: Country
TimeGenerated: TimeGenerated
FirstSeen: FirstSeen
RiskScore: RiskScore
vulnerableProducts: VulnerabilityProducts
Vulnerabilities: Vulnerabilities
OpenPorts: OpenPorts
WebServerVersion: WebServerVersion
HostProvider: HostProvider
Softwares: Softwares
WebServer: WebServer
triggerOperator: gt
triggerThreshold: 0
queryFrequency: 5m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a2f2c91b-5796-45e4-82c7-61763e6c2c9c')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a2f2c91b-5796-45e4-82c7-61763e6c2c9c')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "CYFIRMA - Medium Severity Domain/IP Vulnerability Exposure Detected - {{Description}}",
"alertDisplayNameFormat": "CYFIRMA - Medium Severity Domain/IP Vulnerability Exposure Detected - Domain: {{Domain}}, IP: {{NetworkIP}}",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "a2f2c91b-5796-45e4-82c7-61763e6c2c9c",
"customDetails": {
"AlertUID": "AlertUID",
"Country": "Country",
"FirstSeen": "FirstSeen",
"HostProvider": "HostProvider",
"LastSeen": "LastSeen",
"OpenPorts": "OpenPorts",
"RiskScore": "RiskScore",
"Softwares": "Softwares",
"TimeGenerated": "TimeGenerated",
"UID": "UID",
"Vulnerabilities": "Vulnerabilities",
"vulnerableProducts": "VulnerabilityProducts",
"WebServer": "WebServer",
"WebServerVersion": "WebServerVersion"
},
"description": "\"This rule is triggered when CYFIRMA identifies publicly exposed vulnerabilities on domains or IP addresses within your organization's attack surface. These vulnerabilities may include outdated software, missing patches, insecure services, or misconfigurations that can be exploited by threat actors.Such exposure significantly increases the risk of exploitation, lateral movement, or data breach. Immediate investigation and remediation are recommended.\"\n",
"displayName": "CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure Medium Rule",
"enabled": true,
"entityMappings": [
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "Domain",
"identifier": "DomainName"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "TopDomain",
"identifier": "HostName"
},
{
"columnName": "Domain",
"identifier": "DnsDomain"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "NetworkIP",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASDomainIPVulnerabilitiesMediumRule.yaml",
"query": "// Medium Severity Domain/IP Vulnerability Exposure Detected\nlet timeFrame = 5m;\nCyfirmaASDomainIPVulnerabilityAlerts_CL\n| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())\n| mv-expand pvuln = possible_vulnerabilities\n| extend cve = tostring(pvuln.cveNo), vulProducts = pvuln.products\n| mv-expand vul_Products = vulProducts\n| summarize cveList = make_set(cve, 100), vul_products1 = make_set(vul_Products, 100) by uid\n| join kind=inner (CyfirmaASDomainIPVulnerabilityAlerts_CL\n | where severity == 'High'\n | summarize arg_max(TimeGenerated, *) by uid)\n on uid\n| extend\n Vulnerabilities = strcat_array(cveList, ', '),\n VulnerabilityProducts = strcat_array(vul_products1, ', '),\n Description=description,\n FirstSeen=first_seen,\n LastSeen=last_seen,\n RiskScore=risk_score,\n Domain=sub_domain,\n TopDomain=top_domain,\n NetworkIP=ip,\n AlertUID=alert_uid,\n UID=uid,\n OpenPorts=open_ports,\n HostProvider=host_provider,\n Country=country,\n Softwares=softwares,\n WebServer=web_server,\n WebServerVersion=web_server_version,\n ProviderName='CYFIRMA',\n ProductName='DeCYFIR/DeTCT'\n| project\n TimeGenerated,\n Description,\n Domain,\n TopDomain,\n RiskScore,\n FirstSeen,\n LastSeen,\n NetworkIP,\n AlertUID,\n UID,\n Vulnerabilities,\n VulnerabilityProducts,\n OpenPorts,\n HostProvider,\n Country,\n Softwares,\n WebServer,\n WebServerVersion,\n ProviderName,\n ProductName\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion",
"Discovery",
"Execution",
"Impact",
"InitialAccess",
"Persistence",
"PrivilegeEscalation"
],
"techniques": [
"T1046",
"T1068",
"T1499",
"T1505"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}