CYFIRMA - Attack Surface - Cloud Weakness Medium Rule
| Id | b8a3c5e2-04d5-4b61-9b62-b4f53a417f74 |
| Rulename | CYFIRMA - Attack Surface - Cloud Weakness Medium Rule |
| Description | “This rule detects cloud storage buckets (e.g., AWS S3) that are publicly accessible without authentication. Such misconfigurations can lead to data exfiltration, compliance violations, and reputational damage. The detection is based on Cyfirma’s Attack Surface Intelligence.” |
| Severity | Medium |
| Tactics | InitialAccess Collection Discovery Exfiltration |
| Techniques | T1087 T1087.004 |
| Required data connectors | CyfirmaAttackSurfaceAlertsConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASCloudWeaknessMediumRule.yaml |
| Version | 1.0.0 |
| Arm template | b8a3c5e2-04d5-4b61-9b62-b4f53a417f74.json |
// Medium Severity - Attack Surface - Cloud Weakness - Unauthorized Public Cloud Storage Exposure Detected
let timeFrame = 5m;
CyfirmaASCloudWeaknessAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
Domain=asset_name,
AlertUID=alert_uid,
UID=uid,
Source=source,
SourceType=source_type,
CreatedDate=created_date,
Impact=impact,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT'
| project
TimeGenerated,
Description,
Domain,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
Source,
SourceType,
CreatedDate,
Impact,
ProviderName,
ProductName
requiredDataConnectors:
- connectorId: CyfirmaAttackSurfaceAlertsConnector
dataTypes:
- CyfirmaASCloudWeaknessAlerts_CL
tactics:
- InitialAccess
- Collection
- Discovery
- Exfiltration
eventGroupingSettings:
aggregationKind: AlertPerResult
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: false
lookbackDuration: 5h
matchingMethod: AllEntities
reopenClosedIncident: false
description: |
"This rule detects cloud storage buckets (e.g., AWS S3) that are publicly accessible without authentication.
Such misconfigurations can lead to data exfiltration, compliance violations, and reputational damage.
The detection is based on Cyfirma's Attack Surface Intelligence."
query: |
// Medium Severity - Attack Surface - Cloud Weakness - Unauthorized Public Cloud Storage Exposure Detected
let timeFrame = 5m;
CyfirmaASCloudWeaknessAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
Domain=asset_name,
AlertUID=alert_uid,
UID=uid,
Source=source,
SourceType=source_type,
CreatedDate=created_date,
Impact=impact,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT'
| project
TimeGenerated,
Description,
Domain,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
Source,
SourceType,
CreatedDate,
Impact,
ProviderName,
ProductName
id: b8a3c5e2-04d5-4b61-9b62-b4f53a417f74
triggerOperator: gt
alertDetailsOverride:
alertDisplayNameFormat: 'CYFIRMA - Medium Severity Alert - Unauthorized Public Cloud Storage Exposure Detected - Domain: {{Domain}}'
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
alertDescriptionFormat: CYFIRMA - Medium Severity Alert - Unauthorized Public Cloud Storage Exposure Detected - {{Description}}
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASCloudWeaknessMediumRule.yaml
queryFrequency: 5m
severity: Medium
entityMappings:
- fieldMappings:
- columnName: Domain
identifier: DomainName
entityType: DNS
name: CYFIRMA - Attack Surface - Cloud Weakness Medium Rule
queryPeriod: 5m
relevantTechniques:
- T1087
- T1087.004
kind: Scheduled
triggerThreshold: 0
version: 1.0.0
customDetails:
SourceType: SourceType
FirstSeen: FirstSeen
CreatedDate: CreatedDate
Impact: Impact
TimeGenerated: TimeGenerated
UID: UID
AlertUID: AlertUID
Source: Source
RiskScore: RiskScore
LastSeen: LastSeen
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b8a3c5e2-04d5-4b61-9b62-b4f53a417f74')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b8a3c5e2-04d5-4b61-9b62-b4f53a417f74')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "CYFIRMA - Medium Severity Alert - Unauthorized Public Cloud Storage Exposure Detected - {{Description}}",
"alertDisplayNameFormat": "CYFIRMA - Medium Severity Alert - Unauthorized Public Cloud Storage Exposure Detected - Domain: {{Domain}}",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "b8a3c5e2-04d5-4b61-9b62-b4f53a417f74",
"customDetails": {
"AlertUID": "AlertUID",
"CreatedDate": "CreatedDate",
"FirstSeen": "FirstSeen",
"Impact": "Impact",
"LastSeen": "LastSeen",
"RiskScore": "RiskScore",
"Source": "Source",
"SourceType": "SourceType",
"TimeGenerated": "TimeGenerated",
"UID": "UID"
},
"description": "\"This rule detects cloud storage buckets (e.g., AWS S3) that are publicly accessible without authentication. \nSuch misconfigurations can lead to data exfiltration, compliance violations, and reputational damage. \nThe detection is based on Cyfirma's Attack Surface Intelligence.\"\n",
"displayName": "CYFIRMA - Attack Surface - Cloud Weakness Medium Rule",
"enabled": true,
"entityMappings": [
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "Domain",
"identifier": "DomainName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASCloudWeaknessMediumRule.yaml",
"query": "// Medium Severity - Attack Surface - Cloud Weakness - Unauthorized Public Cloud Storage Exposure Detected\nlet timeFrame = 5m;\nCyfirmaASCloudWeaknessAlerts_CL\n| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n Description=description,\n FirstSeen=first_seen,\n LastSeen=last_seen,\n RiskScore=risk_score,\n Domain=asset_name,\n AlertUID=alert_uid,\n UID=uid,\n Source=source,\n SourceType=source_type,\n CreatedDate=created_date,\n Impact=impact,\n ProviderName='CYFIRMA',\n ProductName='DeCYFIR/DeTCT'\n| project\n TimeGenerated,\n Description,\n Domain,\n RiskScore,\n FirstSeen,\n LastSeen,\n AlertUID,\n UID,\n Source,\n SourceType,\n CreatedDate,\n Impact,\n ProviderName,\n ProductName\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"status": "Available",
"subTechniques": [
"T1087.004"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Collection",
"Discovery",
"Exfiltration",
"InitialAccess"
],
"techniques": [
"T1087"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}