Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Attack Surface - Configuration Medium Rule

Back
Ide1f88d08-5c32-4d35-a8ce-2f21cdb4b6de
RulenameCYFIRMA - Attack Surface - Configuration Medium Rule
DescriptionThis alert is generated when CYFIRMA detects a critical misconfiguration in a public-facing asset or service.

Such misconfigurations may include exposed admin interfaces, default credentials, open directory listings, or insecure protocols, which significantly increase the attack surface."
SeverityMedium
TacticsInitialAccess
Discovery
persistence
Execution
DefenseEvasion
CredentialAccess
Collection
Reconnaissance
TechniquesT1190
T1087
T1046
T1136
T1059
T1566
T1070
T1027
T1505
T1555
T1114
T1595
Required data connectorsCyfirmaAttackSurfaceAlertsConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASConfigurationsMediumRule.yaml
Version1.0.0
Arm templatee1f88d08-5c32-4d35-a8ce-2f21cdb4b6de.json
Deploy To Azure
// Medium Severity - Attack Surface - Misconfiguration Detected
let timeFrame = 5m;
CyfirmaASConfigurationAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    Domain=sub_domain,
    TopDomain=top_domain,
    NetworkIP=ip,
    AlertUID=alert_uid,
    UID=uid,
    Softwares=software,
    WebAppFirewall=web_app_firewall,
    ClickJackingDefence=click_jacking_defence,
    ContentSecurityPolicy=content_security_policy,
    CookieXssProtection=cookie_xss_protection,
    DataInjectionDefence=data_injection_defence,
    DomainStatus=domain_status,
    MissingEPPCodes=missing_epp_codes,
    SecureCookie=secure_cookie,
    SetCookieHttpsOnly=set_cookie_https_only,
    XFrameOptions=x_frame_options,
    X_XssProtection=x_xss_protection,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT'
| project
    TimeGenerated,
    Description,
    Domain,
    TopDomain,
    RiskScore,
    FirstSeen,
    LastSeen,
    NetworkIP,
    AlertUID,
    UID,
    Softwares,
    WebAppFirewall,
    ClickJackingDefence,
    ContentSecurityPolicy,
    CookieXssProtection,
    DataInjectionDefence,
    DomainStatus,
    MissingEPPCodes,
    SecureCookie,
    SetCookieHttpsOnly,
    XFrameOptions,
    X_XssProtection,
    ProviderName,
    ProductName
status: Available
relevantTechniques:
- T1190
- T1087
- T1046
- T1136
- T1059
- T1566
- T1070
- T1027
- T1505
- T1555
- T1114
- T1595
description: |
  This alert is generated when CYFIRMA detects a critical misconfiguration in a public-facing asset or service. 
  Such misconfigurations may include exposed admin interfaces, default credentials, open directory listings, or insecure protocols, which significantly increase the attack surface."  
queryPeriod: 5m
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASConfigurationsMediumRule.yaml
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - Medium Risk Misconfiguration Identified in Assets - Domain: {{Domain}} , IP: {{NetworkIP}}'
  alertDescriptionFormat: CYFIRMA - Medium Risk Misconfiguration Identified in Assets - {{Description}}
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
query: |
  // Medium Severity - Attack Surface - Misconfiguration Detected
  let timeFrame = 5m;
  CyfirmaASConfigurationAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      Domain=sub_domain,
      TopDomain=top_domain,
      NetworkIP=ip,
      AlertUID=alert_uid,
      UID=uid,
      Softwares=software,
      WebAppFirewall=web_app_firewall,
      ClickJackingDefence=click_jacking_defence,
      ContentSecurityPolicy=content_security_policy,
      CookieXssProtection=cookie_xss_protection,
      DataInjectionDefence=data_injection_defence,
      DomainStatus=domain_status,
      MissingEPPCodes=missing_epp_codes,
      SecureCookie=secure_cookie,
      SetCookieHttpsOnly=set_cookie_https_only,
      XFrameOptions=x_frame_options,
      X_XssProtection=x_xss_protection,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      Domain,
      TopDomain,
      RiskScore,
      FirstSeen,
      LastSeen,
      NetworkIP,
      AlertUID,
      UID,
      Softwares,
      WebAppFirewall,
      ClickJackingDefence,
      ContentSecurityPolicy,
      CookieXssProtection,
      DataInjectionDefence,
      DomainStatus,
      MissingEPPCodes,
      SecureCookie,
      SetCookieHttpsOnly,
      XFrameOptions,
      X_XssProtection,
      ProviderName,
      ProductName  
version: 1.0.0
id: e1f88d08-5c32-4d35-a8ce-2f21cdb4b6de
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    lookbackDuration: 5h
    matchingMethod: AllEntities
    reopenClosedIncident: false
tactics:
- InitialAccess
- Discovery
- persistence
- Execution
- DefenseEvasion
- CredentialAccess
- Collection
- Reconnaissance
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- fieldMappings:
  - identifier: DomainName
    columnName: Domain
  entityType: DNS
- fieldMappings:
  - identifier: HostName
    columnName: TopDomain
  - identifier: DnsDomain
    columnName: Domain
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: NetworkIP
  entityType: IP
requiredDataConnectors:
- dataTypes:
  - CyfirmaASConfigurationAlerts_CL
  connectorId: CyfirmaAttackSurfaceAlertsConnector
name: CYFIRMA - Attack Surface - Configuration Medium Rule
severity: Medium
customDetails:
  LastSeen: LastSeen
  CookieXssProtection: CookieXssProtection
  SetCookieHttpsOnly: SetCookieHttpsOnly
  UID: UID
  AlertUID: AlertUID
  TimeGenerated: TimeGenerated
  SecureCookie: SecureCookie
  XFrameOptions: XFrameOptions
  RiskScore: RiskScore
  FirstSeen: FirstSeen
  SecurityPolicy: ContentSecurityPolicy
  ClickJackingDefence: ClickJackingDefence
  MissingEPPCodes: MissingEPPCodes
  InjectionDefence: DataInjectionDefence
  WebAppFirewall: WebAppFirewall
  Softwares: Softwares
  DomainStatus: DomainStatus
  X_XssProtection: X_XssProtection
triggerOperator: gt
triggerThreshold: 0
queryFrequency: 5m
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e1f88d08-5c32-4d35-a8ce-2f21cdb4b6de')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e1f88d08-5c32-4d35-a8ce-2f21cdb4b6de')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "CYFIRMA - Medium Risk Misconfiguration Identified in Assets - {{Description}}",
          "alertDisplayNameFormat": "CYFIRMA - Medium Risk Misconfiguration Identified in Assets - Domain: {{Domain}} , IP: {{NetworkIP}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "e1f88d08-5c32-4d35-a8ce-2f21cdb4b6de",
        "customDetails": {
          "AlertUID": "AlertUID",
          "ClickJackingDefence": "ClickJackingDefence",
          "CookieXssProtection": "CookieXssProtection",
          "DomainStatus": "DomainStatus",
          "FirstSeen": "FirstSeen",
          "InjectionDefence": "DataInjectionDefence",
          "LastSeen": "LastSeen",
          "MissingEPPCodes": "MissingEPPCodes",
          "RiskScore": "RiskScore",
          "SecureCookie": "SecureCookie",
          "SecurityPolicy": "ContentSecurityPolicy",
          "SetCookieHttpsOnly": "SetCookieHttpsOnly",
          "Softwares": "Softwares",
          "TimeGenerated": "TimeGenerated",
          "UID": "UID",
          "WebAppFirewall": "WebAppFirewall",
          "X_XssProtection": "X_XssProtection",
          "XFrameOptions": "XFrameOptions"
        },
        "description": "This alert is generated when CYFIRMA detects a critical misconfiguration in a public-facing asset or service. \nSuch misconfigurations may include exposed admin interfaces, default credentials, open directory listings, or insecure protocols, which significantly increase the attack surface.\"\n",
        "displayName": "CYFIRMA - Attack Surface - Configuration Medium Rule",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "Domain",
                "identifier": "DomainName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "TopDomain",
                "identifier": "HostName"
              },
              {
                "columnName": "Domain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "NetworkIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASConfigurationsMediumRule.yaml",
        "query": "// Medium Severity - Attack Surface - Misconfiguration Detected\nlet timeFrame = 5m;\nCyfirmaASConfigurationAlerts_CL\n| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n    Description=description,\n    FirstSeen=first_seen,\n    LastSeen=last_seen,\n    RiskScore=risk_score,\n    Domain=sub_domain,\n    TopDomain=top_domain,\n    NetworkIP=ip,\n    AlertUID=alert_uid,\n    UID=uid,\n    Softwares=software,\n    WebAppFirewall=web_app_firewall,\n    ClickJackingDefence=click_jacking_defence,\n    ContentSecurityPolicy=content_security_policy,\n    CookieXssProtection=cookie_xss_protection,\n    DataInjectionDefence=data_injection_defence,\n    DomainStatus=domain_status,\n    MissingEPPCodes=missing_epp_codes,\n    SecureCookie=secure_cookie,\n    SetCookieHttpsOnly=set_cookie_https_only,\n    XFrameOptions=x_frame_options,\n    X_XssProtection=x_xss_protection,\n    ProviderName='CYFIRMA',\n    ProductName='DeCYFIR/DeTCT'\n| project\n    TimeGenerated,\n    Description,\n    Domain,\n    TopDomain,\n    RiskScore,\n    FirstSeen,\n    LastSeen,\n    NetworkIP,\n    AlertUID,\n    UID,\n    Softwares,\n    WebAppFirewall,\n    ClickJackingDefence,\n    ContentSecurityPolicy,\n    CookieXssProtection,\n    DataInjectionDefence,\n    DomainStatus,\n    MissingEPPCodes,\n    SecureCookie,\n    SetCookieHttpsOnly,\n    XFrameOptions,\n    X_XssProtection,\n    ProviderName,\n    ProductName\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "CredentialAccess",
          "DefenseEvasion",
          "Discovery",
          "Execution",
          "InitialAccess",
          "persistence",
          "Reconnaissance"
        ],
        "techniques": [
          "T1027",
          "T1046",
          "T1059",
          "T1070",
          "T1087",
          "T1114",
          "T1136",
          "T1190",
          "T1505",
          "T1555",
          "T1566",
          "T1595"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}