Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. CYFIRMA - Attack Surface - DomainIP Vulnerability Exposure High Rule

CYFIRMA - Attack Surface - DomainIP Vulnerability Exposure High Rule

Back
Idfbe4f5e0-d93e-4c93-8cf9-925eb8ea7f2e
RulenameCYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure High Rule
Description“This rule is triggered when CYFIRMA identifies publicly exposed vulnerabilities on domains or IP addresses within your organization’s attack surface. These vulnerabilities may include outdated software, missing patches, insecure services, or misconfigurations that can be exploited by threat actors.Such exposure significantly increases the risk of exploitation, lateral movement, or data breach. Immediate investigation and remediation are recommended.”
SeverityHigh
TacticsInitialAccess
Discovery
DefenseEvasion
Persistence
Execution
Impact
PrivilegeEscalation
TechniquesT1505
T1068
T1046
T1499
Required data connectorsCyfirmaAttackSurfaceAlertsConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASDomainIPVulnerabilitiesHighRule.yaml
Version1.0.1
Arm templatefbe4f5e0-d93e-4c93-8cf9-925eb8ea7f2e.json
Deploy To Azure
// High Severity Domain/IP Vulnerability Exposure Detected
let timeFrame = 5m;
CyfirmaASDomainIPVulnerabilityAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| mv-expand pvuln = possible_vulnerabilities
| extend cve = tostring(pvuln.cveNo), vulProducts = pvuln.products
| mv-expand vul_Products = vulProducts
| summarize cveList = make_set(cve, 100), vul_products1 = make_set(vul_Products, 100)    by uid
| join kind=inner (CyfirmaASDomainIPVulnerabilityAlerts_CL
    | where severity == 'Critical'
    | summarize arg_max(TimeGenerated, *) by uid)
    on uid
| extend
    Vulnerabilities = strcat_array(cveList, ', '),
    VulnerabilityProducts = strcat_array(vul_products1, ', '),
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    Domain=sub_domain,
    TopDomain=top_domain,
    NetworkIP=ip,
    AlertUID=alert_uid,
    UID=uid,
    OpenPorts=open_ports,
    HostProvider=host_provider,
    Country=country,
    Softwares=softwares,
    WebServer=web_server,
    WebServerVersion=web_server_version,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT'
| project
    TimeGenerated,
    Description,
    Domain,
    TopDomain,
    RiskScore,
    FirstSeen,
    LastSeen,
    NetworkIP,
    AlertUID,
    UID,
    Vulnerabilities,
    VulnerabilityProducts,
    OpenPorts,
    HostProvider,
    Country,
    Softwares,
    WebServer,
    WebServerVersion,
    ProviderName,
    ProductName

relevantTechniques:
- T1505
- T1068
- T1046
- T1499
entityMappings:
- entityType: DNS
  fieldMappings:
  - columnName: Domain
    identifier: DomainName
- entityType: Host
  fieldMappings:
  - columnName: TopDomain
    identifier: HostName
  - columnName: Domain
    identifier: DnsDomain
- entityType: IP
  fieldMappings:
  - columnName: NetworkIP
    identifier: Address
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 1.0.1
id: fbe4f5e0-d93e-4c93-8cf9-925eb8ea7f2e
severity: High
kind: Scheduled
queryFrequency: 5m
description: |
    "This rule is triggered when CYFIRMA identifies publicly exposed vulnerabilities on domains or IP addresses within your organization's attack surface. These vulnerabilities may include outdated software, missing patches, insecure services, or misconfigurations that can be exploited by threat actors.Such exposure significantly increases the risk of exploitation, lateral movement, or data breach. Immediate investigation and remediation are recommended."
requiredDataConnectors:
- connectorId: CyfirmaAttackSurfaceAlertsConnector
  dataTypes:
  - CyfirmaASDomainIPVulnerabilityAlerts_CL
triggerOperator: gt
name: CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure High Rule
tactics:
- InitialAccess
- Discovery
- DefenseEvasion
- Persistence
- Execution
- Impact
- PrivilegeEscalation
alertDetailsOverride:
  alertDescriptionFormat: CYFIRMA - High Severity Domain/IP Vulnerability Exposure Detected - {{Description}}
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
  alertDisplayNameFormat: 'CYFIRMA - High Severity Domain/IP Vulnerability Exposure Detected - Domain: {{Domain}}, IP: {{NetworkIP}}'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Attack Surface/Analytic Rules/ASDomainIPVulnerabilitiesHighRule.yaml
triggerThreshold: 0
queryPeriod: 5m
query: |
  // High Severity Domain/IP Vulnerability Exposure Detected
  let timeFrame = 5m;
  CyfirmaASDomainIPVulnerabilityAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | mv-expand pvuln = possible_vulnerabilities
  | extend cve = tostring(pvuln.cveNo), vulProducts = pvuln.products
  | mv-expand vul_Products = vulProducts
  | summarize cveList = make_set(cve, 100), vul_products1 = make_set(vul_Products, 100)    by uid
  | join kind=inner (CyfirmaASDomainIPVulnerabilityAlerts_CL
      | where severity == 'Critical'
      | summarize arg_max(TimeGenerated, *) by uid)
      on uid
  | extend
      Vulnerabilities = strcat_array(cveList, ', '),
      VulnerabilityProducts = strcat_array(vul_products1, ', '),
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      Domain=sub_domain,
      TopDomain=top_domain,
      NetworkIP=ip,
      AlertUID=alert_uid,
      UID=uid,
      OpenPorts=open_ports,
      HostProvider=host_provider,
      Country=country,
      Softwares=softwares,
      WebServer=web_server,
      WebServerVersion=web_server_version,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      Domain,
      TopDomain,
      RiskScore,
      FirstSeen,
      LastSeen,
      NetworkIP,
      AlertUID,
      UID,
      Vulnerabilities,
      VulnerabilityProducts,
      OpenPorts,
      HostProvider,
      Country,
      Softwares,
      WebServer,
      WebServerVersion,
      ProviderName,
      ProductName  
status: Available
customDetails:
  UID: UID
  WebServerVersion: WebServerVersion
  AlertUID: AlertUID
  RiskScore: RiskScore
  WebServer: WebServer
  FirstSeen: FirstSeen
  LastSeen: LastSeen
  TimeGenerated: TimeGenerated
  OpenPorts: OpenPorts
  HostProvider: HostProvider
  Softwares: Softwares
  vulnerableProducts: VulnerabilityProducts
  Vulnerabilities: Vulnerabilities
  Country: Country
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities