CYFIRMA - Attack Surface - Weak Certificate Exposure - Medium Rule
This is a third-party alert feed, not a detection over modeled telemetry. The vendor product raised the finding; this rule forwards it into the SIEM. It is searchable for reference but is excluded from the detection-rule browse and the ATT&CK coverage matrix.
This alert indicates that a weak or insecure SSL/TLS certificate has been detected on a public-facing asset monitored by Cyfirma. Such certificates do not meet modern encryption standards and are considered insecure, especially for handling sensitive transactions. This exposure increases the risk of man-in-the-middle attacks and loss of data integrity or confidentiality. Immediate remediation is advised by replacing weak certificates with strong, industry-compliant ones.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Reconnaissance | T1595 Active Scanning |
| Resource Development | T1588 Obtain Capabilities |
| Initial Access | T1190 Exploit Public-Facing Application |
| Defense Evasion | T1553 Subvert Trust Controls |
| Credential Access | T1552 Unsecured Credentials |
Rule body (kusto)
id: 5a617ff2-3e3d-44e7-b761-9f0d542ae191
name: CYFIRMA - Attack Surface - Weak Certificate Exposure - Medium Rule
description: |
'This alert indicates that a weak or insecure SSL/TLS certificate has been detected on a public-facing asset monitored by Cyfirma.
Such certificates do not meet modern encryption standards and are considered insecure, especially for handling sensitive transactions.
This exposure increases the risk of man-in-the-middle attacks and loss of data integrity or confidentiality.
Immediate remediation is advised by replacing weak certificates with strong, industry-compliant ones.'
version: 1.0.1
kind: Scheduled
severity: Medium
requiredDataConnectors:
- connectorId: CyfirmaAttackSurfaceAlertsConnector
dataTypes:
- CyfirmaASCertificatesAlerts_CL
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
- DefenseEvasion
- ResourceDevelopment
- Reconnaissance
- InitialAccess
- CredentialAccess
relevantTechniques:
- T1553
- T1588
- T1595
- T1190
- T1552
query: |
// Medium Severity Weak Certificate Exposure Detected
let timeFrame = 5m;
CyfirmaASCertificatesAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
ValidFrom=valid_from,
ValidTo=valid_to,
RiskScore=risk_score,
Domain=sub_domain,
TopDomain=top_domain,
Protocols=protocols,
SelfSigned=self_signed,
AlertUID=alert_uid,
UID=uid,
CertificateData= cert_data,
CertificateHash=cert_hash,
IssuedBy=issued_by,
IssuedTo=issued_to,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT'
| project
TimeGenerated,
Description,
Domain,
TopDomain,
RiskScore,
FirstSeen,
LastSeen,
ValidFrom,
ValidTo,
Protocols,
SelfSigned,
CertificateData,
CertificateHash,
IssuedBy,
IssuedTo,
ProviderName,
ProductName
entityMappings:
- entityType: DNS
fieldMappings:
- identifier: DomainName
columnName: HostName
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: TopDomain
- identifier: DnsDomain
columnName: Domain
customDetails:
TimeGenerated: TimeGenerated
CertificateData: CertificateData
CertificateHash: CertificateHash
FirstSeen: FirstSeen
LastSeen: LastSeen
ValidFrom: ValidFrom
ValidTo: ValidTo
Protocols: Protocols
SelfSigned: SelfSigned
IssuedBy: IssuedBy
IssuedTo: IssuedTo
Description: Description
RiskScore: RiskScore
TopDomain: TopDomain
Domain: Domain
alertDetailsOverride:
alertDisplayNameFormat: CYFIRMA - Medium Severity Weak Certificate Exposure Detected for this Domain - {{Domain}}
alertDescriptionFormat: CYFIRMA - Medium Severity Weak Certificate Exposure Detected - {{Description}}
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: false
reopenClosedIncident: false
lookbackDuration: PT5H
matchingMethod: AllEntities
eventGroupingSettings:
aggregationKind: AlertPerResult
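Two consistency checks a detection engineer would run over this rule before enabling it, as an added example (not CYFIRMA's or Microsoft Sentinel's code): the DNS entity mapping points at a `HostName` column that the `project` stage never emits, and the query filters on `severity == 'High'` while the rule is published as Medium. The rule excerpt embedded below is constructed from the page and reduced to the three pieces the checks need.

```python
import re

# Constructed excerpt of the Sentinel rule on this page; the YAML is reduced to
# the stated severity, the KQL body and the entity mappings.
RULE_SEVERITY = "Medium"
QUERY = """
CyfirmaASCertificatesAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(5m) .. now())
| extend Description=description, Domain=sub_domain, TopDomain=top_domain,
    CertificateHash=cert_hash, AlertUID=alert_uid, ProviderName='CYFIRMA'
| project TimeGenerated, Description, Domain, TopDomain, RiskScore, FirstSeen,
    LastSeen, ValidFrom, ValidTo, Protocols, SelfSigned, CertificateData,
    CertificateHash, IssuedBy, IssuedTo, ProviderName, ProductName
"""
ENTITY_MAPPINGS = [
    {"entityType": "DNS",
     "fieldMappings": [{"identifier": "DomainName", "columnName": "HostName"}]},
    {"entityType": "Host",
     "fieldMappings": [{"identifier": "HostName", "columnName": "TopDomain"},
                       {"identifier": "DnsDomain", "columnName": "Domain"}]},
]

def projected_columns(query: str) -> set:
    """Return the column names emitted by the final `| project` stage."""
    match = re.search(r"\|\s*project\s+(.*)\Z", query.strip(), re.S)
    if not match:
        return set()
    return {c.strip() for c in match.group(1).split(",") if c.strip()}

def dangling_entity_mappings(query: str, mappings: list) -> list:
    """Entity field mappings whose columnName never reaches the alert."""
    cols = projected_columns(query)
    return [(m["entityType"], f["identifier"], f["columnName"])
            for m in mappings for f in m["fieldMappings"]
            if f["columnName"] not in cols]

def severity_filter_mismatch(query: str, stated: str) -> list:
    """Severity literals the KQL filters on that differ from the rule's stated severity."""
    found = re.findall(r"\bseverity\s*==\s*'([^']+)'", query)
    return [v for v in found if v.casefold() != stated.casefold()]

if __name__ == "__main__":
    for issue in dangling_entity_mappings(QUERY, ENTITY_MAPPINGS):
        print("entity mapping to unprojected column:", issue)
    for value in severity_filter_mismatch(QUERY, RULE_SEVERITY):
        print(f"query filters severity == '{value}' but rule is {RULE_SEVERITY}")
```

Run against this rule it reports the DNS/DomainName mapping to `HostName` and the `High` filter; either the DNS mapping should point at `Domain` or the entity will never be populated on the alert.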
Stages and Predicates
Parameters
let timeFrame = 5m;
Stage 1: source
CyfirmaASCertificatesAlerts_CL
Stage 2: where
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
Stage 3: extend
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
ValidFrom=valid_from,
ValidTo=valid_to,
RiskScore=risk_score,
Domain=sub_domain,
TopDomain=top_domain,
Protocols=protocols,
SelfSigned=self_signed,
AlertUID=alert_uid,
UID=uid,
CertificateData= cert_data,
CertificateHash=cert_hash,
IssuedBy=issued_by,
IssuedTo=issued_to,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT'
Stage 4: project
| project
TimeGenerated,
Description,
Domain,
TopDomain,
RiskScore,
FirstSeen,
LastSeen,
ValidFrom,
ValidTo,
Protocols,
SelfSigned,
CertificateData,
CertificateHash,
IssuedBy,
IssuedTo,
ProviderName,
ProductName
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| severity | eq | High |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
| CertificateData | project |
| CertificateHash | project |
| Description | project |
| Domain | project |
| FirstSeen | project |
| IssuedBy | project |
| IssuedTo | project |
| LastSeen | project |
| ProductName | project |
| Protocols | project |
| ProviderName | project |
| RiskScore | project |
| SelfSigned | project |
| TimeGenerated | project |
| TopDomain | project |
| ValidFrom | project |
| ValidTo | project |