CYFIRMA - Attack Surface - DomainIP Vulnerability Exposure High Rule
| Id | fbe4f5e0-d93e-4c93-8cf9-925eb8ea7f2e |
| Rulename | CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure High Rule |
| Description | “This rule is triggered when CYFIRMA identifies publicly exposed vulnerabilities on domains or IP addresses within your organization’s attack surface. These vulnerabilities may include outdated software, missing patches, insecure services, or misconfigurations that can be exploited by threat actors.Such exposure significantly increases the risk of exploitation, lateral movement, or data breach. Immediate investigation and remediation are recommended.” |
| Severity | High |
| Tactics | InitialAccess Discovery DefenseEvasion Persistence Execution Impact PrivilegeEscalation |
| Techniques | T1505 T1068 T1046 T1499 |
| Required data connectors | CyfirmaAttackSurfaceAlertsConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASDomainIPVulnerabilitiesHighRule.yaml |
| Version | 1.0.1 |
| Arm template | fbe4f5e0-d93e-4c93-8cf9-925eb8ea7f2e.json |
// High Severity Domain/IP Vulnerability Exposure Detected
let timeFrame = 5m;
CyfirmaASDomainIPVulnerabilityAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| mv-expand pvuln = possible_vulnerabilities
| extend cve = tostring(pvuln.cveNo), vulProducts = pvuln.products
| mv-expand vul_Products = vulProducts
| summarize cveList = make_set(cve, 100), vul_products1 = make_set(vul_Products, 100) by uid
| join kind=inner (CyfirmaASDomainIPVulnerabilityAlerts_CL
| where severity == 'Critical'
| summarize arg_max(TimeGenerated, *) by uid)
on uid
| extend
Vulnerabilities = strcat_array(cveList, ', '),
VulnerabilityProducts = strcat_array(vul_products1, ', '),
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
Domain=sub_domain,
TopDomain=top_domain,
NetworkIP=ip,
AlertUID=alert_uid,
UID=uid,
OpenPorts=open_ports,
HostProvider=host_provider,
Country=country,
Softwares=softwares,
WebServer=web_server,
WebServerVersion=web_server_version,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT'
| project
TimeGenerated,
Description,
Domain,
TopDomain,
RiskScore,
FirstSeen,
LastSeen,
NetworkIP,
AlertUID,
UID,
Vulnerabilities,
VulnerabilityProducts,
OpenPorts,
HostProvider,
Country,
Softwares,
WebServer,
WebServerVersion,
ProviderName,
ProductName
name: CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure High Rule
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride:
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
alertDisplayNameFormat: 'CYFIRMA - High Severity Domain/IP Vulnerability Exposure Detected - Domain: {{Domain}}, IP: {{NetworkIP}}'
alertDescriptionFormat: CYFIRMA - High Severity Domain/IP Vulnerability Exposure Detected - {{Description}}
id: fbe4f5e0-d93e-4c93-8cf9-925eb8ea7f2e
requiredDataConnectors:
- connectorId: CyfirmaAttackSurfaceAlertsConnector
dataTypes:
- CyfirmaASDomainIPVulnerabilityAlerts_CL
severity: High
triggerThreshold: 0
version: 1.0.1
description: |
"This rule is triggered when CYFIRMA identifies publicly exposed vulnerabilities on domains or IP addresses within your organization's attack surface. These vulnerabilities may include outdated software, missing patches, insecure services, or misconfigurations that can be exploited by threat actors.Such exposure significantly increases the risk of exploitation, lateral movement, or data breach. Immediate investigation and remediation are recommended."
relevantTechniques:
- T1505
- T1068
- T1046
- T1499
kind: Scheduled
queryPeriod: 5m
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: false
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: PT5H
tactics:
- InitialAccess
- Discovery
- DefenseEvasion
- Persistence
- Execution
- Impact
- PrivilegeEscalation
customDetails:
AlertUID: AlertUID
LastSeen: LastSeen
Softwares: Softwares
UID: UID
Country: Country
FirstSeen: FirstSeen
OpenPorts: OpenPorts
WebServerVersion: WebServerVersion
RiskScore: RiskScore
Vulnerabilities: Vulnerabilities
vulnerableProducts: VulnerabilityProducts
WebServer: WebServer
TimeGenerated: TimeGenerated
HostProvider: HostProvider
queryFrequency: 5m
entityMappings:
- fieldMappings:
- identifier: DomainName
columnName: Domain
entityType: DNS
- fieldMappings:
- identifier: HostName
columnName: TopDomain
- identifier: DnsDomain
columnName: Domain
entityType: Host
- fieldMappings:
- identifier: Address
columnName: NetworkIP
entityType: IP
status: Available
triggerOperator: gt
query: |
// High Severity Domain/IP Vulnerability Exposure Detected
let timeFrame = 5m;
CyfirmaASDomainIPVulnerabilityAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| mv-expand pvuln = possible_vulnerabilities
| extend cve = tostring(pvuln.cveNo), vulProducts = pvuln.products
| mv-expand vul_Products = vulProducts
| summarize cveList = make_set(cve, 100), vul_products1 = make_set(vul_Products, 100) by uid
| join kind=inner (CyfirmaASDomainIPVulnerabilityAlerts_CL
| where severity == 'Critical'
| summarize arg_max(TimeGenerated, *) by uid)
on uid
| extend
Vulnerabilities = strcat_array(cveList, ', '),
VulnerabilityProducts = strcat_array(vul_products1, ', '),
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
Domain=sub_domain,
TopDomain=top_domain,
NetworkIP=ip,
AlertUID=alert_uid,
UID=uid,
OpenPorts=open_ports,
HostProvider=host_provider,
Country=country,
Softwares=softwares,
WebServer=web_server,
WebServerVersion=web_server_version,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT'
| project
TimeGenerated,
Description,
Domain,
TopDomain,
RiskScore,
FirstSeen,
LastSeen,
NetworkIP,
AlertUID,
UID,
Vulnerabilities,
VulnerabilityProducts,
OpenPorts,
HostProvider,
Country,
Softwares,
WebServer,
WebServerVersion,
ProviderName,
ProductName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASDomainIPVulnerabilitiesHighRule.yaml
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fbe4f5e0-d93e-4c93-8cf9-925eb8ea7f2e')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fbe4f5e0-d93e-4c93-8cf9-925eb8ea7f2e')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "CYFIRMA - High Severity Domain/IP Vulnerability Exposure Detected - {{Description}}",
"alertDisplayNameFormat": "CYFIRMA - High Severity Domain/IP Vulnerability Exposure Detected - Domain: {{Domain}}, IP: {{NetworkIP}}",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "fbe4f5e0-d93e-4c93-8cf9-925eb8ea7f2e",
"customDetails": {
"AlertUID": "AlertUID",
"Country": "Country",
"FirstSeen": "FirstSeen",
"HostProvider": "HostProvider",
"LastSeen": "LastSeen",
"OpenPorts": "OpenPorts",
"RiskScore": "RiskScore",
"Softwares": "Softwares",
"TimeGenerated": "TimeGenerated",
"UID": "UID",
"Vulnerabilities": "Vulnerabilities",
"vulnerableProducts": "VulnerabilityProducts",
"WebServer": "WebServer",
"WebServerVersion": "WebServerVersion"
},
"description": "\"This rule is triggered when CYFIRMA identifies publicly exposed vulnerabilities on domains or IP addresses within your organization's attack surface. These vulnerabilities may include outdated software, missing patches, insecure services, or misconfigurations that can be exploited by threat actors.Such exposure significantly increases the risk of exploitation, lateral movement, or data breach. Immediate investigation and remediation are recommended.\"\n",
"displayName": "CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure High Rule",
"enabled": true,
"entityMappings": [
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "Domain",
"identifier": "DomainName"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "TopDomain",
"identifier": "HostName"
},
{
"columnName": "Domain",
"identifier": "DnsDomain"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "NetworkIP",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASDomainIPVulnerabilitiesHighRule.yaml",
"query": "// High Severity Domain/IP Vulnerability Exposure Detected\nlet timeFrame = 5m;\nCyfirmaASDomainIPVulnerabilityAlerts_CL\n| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())\n| mv-expand pvuln = possible_vulnerabilities\n| extend cve = tostring(pvuln.cveNo), vulProducts = pvuln.products\n| mv-expand vul_Products = vulProducts\n| summarize cveList = make_set(cve, 100), vul_products1 = make_set(vul_Products, 100) by uid\n| join kind=inner (CyfirmaASDomainIPVulnerabilityAlerts_CL\n | where severity == 'Critical'\n | summarize arg_max(TimeGenerated, *) by uid)\n on uid\n| extend\n Vulnerabilities = strcat_array(cveList, ', '),\n VulnerabilityProducts = strcat_array(vul_products1, ', '),\n Description=description,\n FirstSeen=first_seen,\n LastSeen=last_seen,\n RiskScore=risk_score,\n Domain=sub_domain,\n TopDomain=top_domain,\n NetworkIP=ip,\n AlertUID=alert_uid,\n UID=uid,\n OpenPorts=open_ports,\n HostProvider=host_provider,\n Country=country,\n Softwares=softwares,\n WebServer=web_server,\n WebServerVersion=web_server_version,\n ProviderName='CYFIRMA',\n ProductName='DeCYFIR/DeTCT'\n| project\n TimeGenerated,\n Description,\n Domain,\n TopDomain,\n RiskScore,\n FirstSeen,\n LastSeen,\n NetworkIP,\n AlertUID,\n UID,\n Vulnerabilities,\n VulnerabilityProducts,\n OpenPorts,\n HostProvider,\n Country,\n Softwares,\n WebServer,\n WebServerVersion,\n ProviderName,\n ProductName\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion",
"Discovery",
"Execution",
"Impact",
"InitialAccess",
"Persistence",
"PrivilegeEscalation"
],
"techniques": [
"T1046",
"T1068",
"T1499",
"T1505"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}