CYFIRMA - Attack Surface - DomainIP Vulnerability Exposure High Rule
| Id | fbe4f5e0-d93e-4c93-8cf9-925eb8ea7f2e |
| Rulename | CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure High Rule |
| Description | “This rule is triggered when CYFIRMA identifies publicly exposed vulnerabilities on domains or IP addresses within your organization’s attack surface. These vulnerabilities may include outdated software, missing patches, insecure services, or misconfigurations that can be exploited by threat actors.Such exposure significantly increases the risk of exploitation, lateral movement, or data breach. Immediate investigation and remediation are recommended.” |
| Severity | High |
| Tactics | InitialAccess Discovery DefenseEvasion Persistence Execution Impact PrivilegeEscalation |
| Techniques | T1505 T1068 T1046 T1499 |
| Required data connectors | CyfirmaAttackSurfaceAlertsConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASDomainIPVulnerabilitiesHighRule.yaml |
| Version | 1.0.1 |
| Arm template | fbe4f5e0-d93e-4c93-8cf9-925eb8ea7f2e.json |
// High Severity Domain/IP Vulnerability Exposure Detected
let timeFrame = 5m;
CyfirmaASDomainIPVulnerabilityAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| mv-expand pvuln = possible_vulnerabilities
| extend cve = tostring(pvuln.cveNo), vulProducts = pvuln.products
| mv-expand vul_Products = vulProducts
| summarize cveList = make_set(cve, 100), vul_products1 = make_set(vul_Products, 100) by uid
| join kind=inner (CyfirmaASDomainIPVulnerabilityAlerts_CL
| where severity == 'Critical'
| summarize arg_max(TimeGenerated, *) by uid)
on uid
| extend
Vulnerabilities = strcat_array(cveList, ', '),
VulnerabilityProducts = strcat_array(vul_products1, ', '),
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
Domain=sub_domain,
TopDomain=top_domain,
NetworkIP=ip,
AlertUID=alert_uid,
UID=uid,
OpenPorts=open_ports,
HostProvider=host_provider,
Country=country,
Softwares=softwares,
WebServer=web_server,
WebServerVersion=web_server_version,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT'
| project
TimeGenerated,
Description,
Domain,
TopDomain,
RiskScore,
FirstSeen,
LastSeen,
NetworkIP,
AlertUID,
UID,
Vulnerabilities,
VulnerabilityProducts,
OpenPorts,
HostProvider,
Country,
Softwares,
WebServer,
WebServerVersion,
ProviderName,
ProductName
kind: Scheduled
customDetails:
AlertUID: AlertUID
RiskScore: RiskScore
LastSeen: LastSeen
TimeGenerated: TimeGenerated
Country: Country
FirstSeen: FirstSeen
Vulnerabilities: Vulnerabilities
vulnerableProducts: VulnerabilityProducts
Softwares: Softwares
HostProvider: HostProvider
WebServerVersion: WebServerVersion
WebServer: WebServer
OpenPorts: OpenPorts
UID: UID
alertDetailsOverride:
alertDisplayNameFormat: 'CYFIRMA - High Severity Domain/IP Vulnerability Exposure Detected - Domain: {{Domain}}, IP: {{NetworkIP}}'
alertDescriptionFormat: CYFIRMA - High Severity Domain/IP Vulnerability Exposure Detected - {{Description}}
alertDynamicProperties:
- value: ProductName
alertProperty: ProductName
- value: ProviderName
alertProperty: ProviderName
entityMappings:
- entityType: DNS
fieldMappings:
- columnName: Domain
identifier: DomainName
- entityType: Host
fieldMappings:
- columnName: TopDomain
identifier: HostName
- columnName: Domain
identifier: DnsDomain
- entityType: IP
fieldMappings:
- columnName: NetworkIP
identifier: Address
description: |
"This rule is triggered when CYFIRMA identifies publicly exposed vulnerabilities on domains or IP addresses within your organization's attack surface. These vulnerabilities may include outdated software, missing patches, insecure services, or misconfigurations that can be exploited by threat actors.Such exposure significantly increases the risk of exploitation, lateral movement, or data breach. Immediate investigation and remediation are recommended."
severity: High
queryFrequency: 5m
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: PT5H
enabled: false
createIncident: true
triggerThreshold: 0
relevantTechniques:
- T1505
- T1068
- T1046
- T1499
eventGroupingSettings:
aggregationKind: AlertPerResult
status: Available
version: 1.0.1
name: CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure High Rule
id: fbe4f5e0-d93e-4c93-8cf9-925eb8ea7f2e
query: |
// High Severity Domain/IP Vulnerability Exposure Detected
let timeFrame = 5m;
CyfirmaASDomainIPVulnerabilityAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| mv-expand pvuln = possible_vulnerabilities
| extend cve = tostring(pvuln.cveNo), vulProducts = pvuln.products
| mv-expand vul_Products = vulProducts
| summarize cveList = make_set(cve, 100), vul_products1 = make_set(vul_Products, 100) by uid
| join kind=inner (CyfirmaASDomainIPVulnerabilityAlerts_CL
| where severity == 'Critical'
| summarize arg_max(TimeGenerated, *) by uid)
on uid
| extend
Vulnerabilities = strcat_array(cveList, ', '),
VulnerabilityProducts = strcat_array(vul_products1, ', '),
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
Domain=sub_domain,
TopDomain=top_domain,
NetworkIP=ip,
AlertUID=alert_uid,
UID=uid,
OpenPorts=open_ports,
HostProvider=host_provider,
Country=country,
Softwares=softwares,
WebServer=web_server,
WebServerVersion=web_server_version,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT'
| project
TimeGenerated,
Description,
Domain,
TopDomain,
RiskScore,
FirstSeen,
LastSeen,
NetworkIP,
AlertUID,
UID,
Vulnerabilities,
VulnerabilityProducts,
OpenPorts,
HostProvider,
Country,
Softwares,
WebServer,
WebServerVersion,
ProviderName,
ProductName
requiredDataConnectors:
- dataTypes:
- CyfirmaASDomainIPVulnerabilityAlerts_CL
connectorId: CyfirmaAttackSurfaceAlertsConnector
tactics:
- InitialAccess
- Discovery
- DefenseEvasion
- Persistence
- Execution
- Impact
- PrivilegeEscalation
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASDomainIPVulnerabilitiesHighRule.yaml
queryPeriod: 5m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fbe4f5e0-d93e-4c93-8cf9-925eb8ea7f2e')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fbe4f5e0-d93e-4c93-8cf9-925eb8ea7f2e')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "CYFIRMA - High Severity Domain/IP Vulnerability Exposure Detected - {{Description}}",
"alertDisplayNameFormat": "CYFIRMA - High Severity Domain/IP Vulnerability Exposure Detected - Domain: {{Domain}}, IP: {{NetworkIP}}",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "fbe4f5e0-d93e-4c93-8cf9-925eb8ea7f2e",
"customDetails": {
"AlertUID": "AlertUID",
"Country": "Country",
"FirstSeen": "FirstSeen",
"HostProvider": "HostProvider",
"LastSeen": "LastSeen",
"OpenPorts": "OpenPorts",
"RiskScore": "RiskScore",
"Softwares": "Softwares",
"TimeGenerated": "TimeGenerated",
"UID": "UID",
"Vulnerabilities": "Vulnerabilities",
"vulnerableProducts": "VulnerabilityProducts",
"WebServer": "WebServer",
"WebServerVersion": "WebServerVersion"
},
"description": "\"This rule is triggered when CYFIRMA identifies publicly exposed vulnerabilities on domains or IP addresses within your organization's attack surface. These vulnerabilities may include outdated software, missing patches, insecure services, or misconfigurations that can be exploited by threat actors.Such exposure significantly increases the risk of exploitation, lateral movement, or data breach. Immediate investigation and remediation are recommended.\"\n",
"displayName": "CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure High Rule",
"enabled": true,
"entityMappings": [
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "Domain",
"identifier": "DomainName"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "TopDomain",
"identifier": "HostName"
},
{
"columnName": "Domain",
"identifier": "DnsDomain"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "NetworkIP",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASDomainIPVulnerabilitiesHighRule.yaml",
"query": "// High Severity Domain/IP Vulnerability Exposure Detected\nlet timeFrame = 5m;\nCyfirmaASDomainIPVulnerabilityAlerts_CL\n| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())\n| mv-expand pvuln = possible_vulnerabilities\n| extend cve = tostring(pvuln.cveNo), vulProducts = pvuln.products\n| mv-expand vul_Products = vulProducts\n| summarize cveList = make_set(cve, 100), vul_products1 = make_set(vul_Products, 100) by uid\n| join kind=inner (CyfirmaASDomainIPVulnerabilityAlerts_CL\n | where severity == 'Critical'\n | summarize arg_max(TimeGenerated, *) by uid)\n on uid\n| extend\n Vulnerabilities = strcat_array(cveList, ', '),\n VulnerabilityProducts = strcat_array(vul_products1, ', '),\n Description=description,\n FirstSeen=first_seen,\n LastSeen=last_seen,\n RiskScore=risk_score,\n Domain=sub_domain,\n TopDomain=top_domain,\n NetworkIP=ip,\n AlertUID=alert_uid,\n UID=uid,\n OpenPorts=open_ports,\n HostProvider=host_provider,\n Country=country,\n Softwares=softwares,\n WebServer=web_server,\n WebServerVersion=web_server_version,\n ProviderName='CYFIRMA',\n ProductName='DeCYFIR/DeTCT'\n| project\n TimeGenerated,\n Description,\n Domain,\n TopDomain,\n RiskScore,\n FirstSeen,\n LastSeen,\n NetworkIP,\n AlertUID,\n UID,\n Vulnerabilities,\n VulnerabilityProducts,\n OpenPorts,\n HostProvider,\n Country,\n Softwares,\n WebServer,\n WebServerVersion,\n ProviderName,\n ProductName\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion",
"Discovery",
"Execution",
"Impact",
"InitialAccess",
"Persistence",
"PrivilegeEscalation"
],
"techniques": [
"T1046",
"T1068",
"T1499",
"T1505"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}