Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Attack Surface - Cloud Weakness Medium Rule

Back
Idb8a3c5e2-04d5-4b61-9b62-b4f53a417f74
RulenameCYFIRMA - Attack Surface - Cloud Weakness Medium Rule
Description“This rule detects cloud storage buckets (e.g., AWS S3) that are publicly accessible without authentication.

Such misconfigurations can lead to data exfiltration, compliance violations, and reputational damage.

The detection is based on Cyfirma’s Attack Surface Intelligence.”
SeverityMedium
TacticsInitialAccess
Collection
Discovery
Exfiltration
TechniquesT1087
T1087.004
Required data connectorsCyfirmaAttackSurfaceAlertsConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASCloudWeaknessMediumRule.yaml
Version1.0.0
Arm templateb8a3c5e2-04d5-4b61-9b62-b4f53a417f74.json
Deploy To Azure
// Medium Severity - Attack Surface - Cloud Weakness - Unauthorized Public Cloud Storage Exposure Detected
let timeFrame = 5m;
CyfirmaASCloudWeaknessAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    Domain=asset_name,
    AlertUID=alert_uid,
    UID=uid,
    Source=source,
    SourceType=source_type,
    CreatedDate=created_date,
    Impact=impact,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT'
| project
    TimeGenerated,
    Description,
    Domain,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    Source,
    SourceType,
    CreatedDate,
    Impact,
    ProviderName,
    ProductName
entityMappings:
- fieldMappings:
  - columnName: Domain
    identifier: DomainName
  entityType: DNS
triggerThreshold: 0
severity: Medium
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 5h
    enabled: false
    matchingMethod: AllEntities
    reopenClosedIncident: false
queryFrequency: 5m
status: Available
customDetails:
  CreatedDate: CreatedDate
  TimeGenerated: TimeGenerated
  LastSeen: LastSeen
  Impact: Impact
  RiskScore: RiskScore
  SourceType: SourceType
  FirstSeen: FirstSeen
  Source: Source
  UID: UID
  AlertUID: AlertUID
relevantTechniques:
- T1087
- T1087.004
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Alert - Unauthorized Public Cloud Storage Exposure Detected - Domain: {{Domain}}'
  alertDescriptionFormat: CYFIRMA - Medium Severity Alert - Unauthorized Public Cloud Storage Exposure Detected - {{Description}}
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASCloudWeaknessMediumRule.yaml
triggerOperator: gt
id: b8a3c5e2-04d5-4b61-9b62-b4f53a417f74
requiredDataConnectors:
- connectorId: CyfirmaAttackSurfaceAlertsConnector
  dataTypes:
  - CyfirmaASCloudWeaknessAlerts_CL
version: 1.0.0
name: CYFIRMA - Attack Surface - Cloud Weakness Medium Rule
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: |
  "This rule detects cloud storage buckets (e.g., AWS S3) that are publicly accessible without authentication. 
  Such misconfigurations can lead to data exfiltration, compliance violations, and reputational damage. 
  The detection is based on Cyfirma's Attack Surface Intelligence."  
query: |
  // Medium Severity - Attack Surface - Cloud Weakness - Unauthorized Public Cloud Storage Exposure Detected
  let timeFrame = 5m;
  CyfirmaASCloudWeaknessAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      Domain=asset_name,
      AlertUID=alert_uid,
      UID=uid,
      Source=source,
      SourceType=source_type,
      CreatedDate=created_date,
      Impact=impact,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      Domain,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      Source,
      SourceType,
      CreatedDate,
      Impact,
      ProviderName,
      ProductName  
tactics:
- InitialAccess
- Collection
- Discovery
- Exfiltration
queryPeriod: 5m
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b8a3c5e2-04d5-4b61-9b62-b4f53a417f74')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b8a3c5e2-04d5-4b61-9b62-b4f53a417f74')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "CYFIRMA - Medium Severity Alert - Unauthorized Public Cloud Storage Exposure Detected - {{Description}}",
          "alertDisplayNameFormat": "CYFIRMA - Medium Severity Alert - Unauthorized Public Cloud Storage Exposure Detected - Domain: {{Domain}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "b8a3c5e2-04d5-4b61-9b62-b4f53a417f74",
        "customDetails": {
          "AlertUID": "AlertUID",
          "CreatedDate": "CreatedDate",
          "FirstSeen": "FirstSeen",
          "Impact": "Impact",
          "LastSeen": "LastSeen",
          "RiskScore": "RiskScore",
          "Source": "Source",
          "SourceType": "SourceType",
          "TimeGenerated": "TimeGenerated",
          "UID": "UID"
        },
        "description": "\"This rule detects cloud storage buckets (e.g., AWS S3) that are publicly accessible without authentication. \nSuch misconfigurations can lead to data exfiltration, compliance violations, and reputational damage. \nThe detection is based on Cyfirma's Attack Surface Intelligence.\"\n",
        "displayName": "CYFIRMA - Attack Surface - Cloud Weakness Medium Rule",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "Domain",
                "identifier": "DomainName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASCloudWeaknessMediumRule.yaml",
        "query": "// Medium Severity - Attack Surface - Cloud Weakness - Unauthorized Public Cloud Storage Exposure Detected\nlet timeFrame = 5m;\nCyfirmaASCloudWeaknessAlerts_CL\n| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n    Description=description,\n    FirstSeen=first_seen,\n    LastSeen=last_seen,\n    RiskScore=risk_score,\n    Domain=asset_name,\n    AlertUID=alert_uid,\n    UID=uid,\n    Source=source,\n    SourceType=source_type,\n    CreatedDate=created_date,\n    Impact=impact,\n    ProviderName='CYFIRMA',\n    ProductName='DeCYFIR/DeTCT'\n| project\n    TimeGenerated,\n    Description,\n    Domain,\n    RiskScore,\n    FirstSeen,\n    LastSeen,\n    AlertUID,\n    UID,\n    Source,\n    SourceType,\n    CreatedDate,\n    Impact,\n    ProviderName,\n    ProductName\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [
          "T1087.004"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "Discovery",
          "Exfiltration",
          "InitialAccess"
        ],
        "techniques": [
          "T1087"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}