CYFIRMA - Attack Surface - Cloud Weakness Medium Rule

// Medium Severity - Attack Surface - Cloud Weakness - Unauthorized Public Cloud Storage Exposure Detected
let timeFrame = 5m;
CyfirmaASCloudWeaknessAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    Domain=asset_name,
    AlertUID=alert_uid,
    UID=uid,
    Source=source,
    SourceType=source_type,
    CreatedDate=created_date,
    Impact=impact,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT'
| project
    TimeGenerated,
    Description,
    Domain,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    Source,
    SourceType,
    CreatedDate,
    Impact,
    ProviderName,
    ProductName

queryFrequency: 5m
id: b8a3c5e2-04d5-4b61-9b62-b4f53a417f74
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASCloudWeaknessMediumRule.yaml
requiredDataConnectors:
- connectorId: CyfirmaAttackSurfaceAlertsConnector
  dataTypes:
  - CyfirmaASCloudWeaknessAlerts_CL
name: CYFIRMA - Attack Surface - Cloud Weakness Medium Rule
triggerOperator: gt
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Alert - Unauthorized Public Cloud Storage Exposure Detected - Domain: {{Domain}}'
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
  alertDescriptionFormat: CYFIRMA - Medium Severity Alert - Unauthorized Public Cloud Storage Exposure Detected - {{Description}}
status: Available
tactics:
- InitialAccess
- Collection
- Discovery
- Exfiltration
kind: Scheduled
description: |
  "This rule detects cloud storage buckets (e.g., AWS S3) that are publicly accessible without authentication. 
  Such misconfigurations can lead to data exfiltration, compliance violations, and reputational damage. 
  The detection is based on Cyfirma's Attack Surface Intelligence."  
version: 1.0.1
customDetails:
  SourceType: SourceType
  AlertUID: AlertUID
  RiskScore: RiskScore
  Source: Source
  UID: UID
  CreatedDate: CreatedDate
  TimeGenerated: TimeGenerated
  Impact: Impact
  LastSeen: LastSeen
  FirstSeen: FirstSeen
entityMappings:
- entityType: DNS
  fieldMappings:
  - columnName: Domain
    identifier: DomainName
relevantTechniques:
- T1087
- T1087.004
queryPeriod: 5m
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
    enabled: false
  createIncident: true
severity: Medium
triggerThreshold: 0
query: |
  // Medium Severity - Attack Surface - Cloud Weakness - Unauthorized Public Cloud Storage Exposure Detected
  let timeFrame = 5m;
  CyfirmaASCloudWeaknessAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      Domain=asset_name,
      AlertUID=alert_uid,
      UID=uid,
      Source=source,
      SourceType=source_type,
      CreatedDate=created_date,
      Impact=impact,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      Domain,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      Source,
      SourceType,
      CreatedDate,
      Impact,
      ProviderName,
      ProductName  
eventGroupingSettings:
  aggregationKind: AlertPerResult