Detection rules › Kusto

CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure High Rule

This is a third-party alert feed, not a detection over modeled telemetry. The vendor product raised the finding; this rule forwards it into the SIEM. It is searchable for reference but is excluded from the detection-rule browse and the ATT&CK coverage matrix.

Status
available
Severity
high
Time window
5m
Group by
uid
Source
github.com/Azure/Azure-Sentinel

"This rule is triggered when CYFIRMA identifies publicly exposed vulnerabilities on domains or IP addresses within your organization's attack surface. These vulnerabilities may include outdated software, missing patches, insecure services, or misconfigurations that can be exploited by threat actors. Such exposure significantly increases the risk of exploitation, lateral movement, or data breach. Immediate investigation and remediation are recommended."

MITRE ATT&CK coverage

Rule body kusto

id: fbe4f5e0-d93e-4c93-8cf9-925eb8ea7f2e
name: CYFIRMA - Attack Surface - Domain/IP Vulnerability Exposure High Rule
description: |
  "This rule is triggered when CYFIRMA identifies publicly exposed vulnerabilities on domains or IP addresses within your organization's attack surface. These vulnerabilities may include outdated software, missing patches, insecure services, or misconfigurations that can be exploited by threat actors. Such exposure significantly increases the risk of exploitation, lateral movement, or data breach. Immediate investigation and remediation are recommended."
version: 1.0.1
kind: Scheduled
severity: High
requiredDataConnectors:
  - connectorId: CyfirmaAttackSurfaceAlertsConnector
    dataTypes:
      - CyfirmaASDomainIPVulnerabilityAlerts_CL
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - InitialAccess
  - Discovery
  - DefenseEvasion
  - Persistence
  - Execution
  - Impact
  - PrivilegeEscalation
relevantTechniques:
  - T1505
  - T1068
  - T1046
  - T1499
query: |
  // High Severity Domain/IP Vulnerability Exposure Detected
  let timeFrame = 5m;
  CyfirmaASDomainIPVulnerabilityAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | mv-expand pvuln = possible_vulnerabilities
  | extend cve = tostring(pvuln.cveNo), vulProducts = pvuln.products
  | mv-expand vul_Products = vulProducts
  | summarize cveList = make_set(cve, 100), vul_products1 = make_set(vul_Products, 100)    by uid
  | join kind=inner (CyfirmaASDomainIPVulnerabilityAlerts_CL
      | where severity == 'Critical'
      | summarize arg_max(TimeGenerated, *) by uid)
      on uid
  | extend
      Vulnerabilities = strcat_array(cveList, ', '),
      VulnerabilityProducts = strcat_array(vul_products1, ', '),
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      Domain=sub_domain,
      TopDomain=top_domain,
      NetworkIP=ip,
      AlertUID=alert_uid,
      UID=uid,
      OpenPorts=open_ports,
      HostProvider=host_provider,
      Country=country,
      Softwares=softwares,
      WebServer=web_server,
      WebServerVersion=web_server_version,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      Domain,
      TopDomain,
      RiskScore,
      FirstSeen,
      LastSeen,
      NetworkIP,
      AlertUID,
      UID,
      Vulnerabilities,
      VulnerabilityProducts,
      OpenPorts,
      HostProvider,
      Country,
      Softwares,
      WebServer,
      WebServerVersion,
      ProviderName,
      ProductName
entityMappings:
  - entityType: DNS
    fieldMappings:
      - identifier: DomainName
        columnName: Domain
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: TopDomain
      - identifier: DnsDomain
        columnName: Domain
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: NetworkIP
customDetails:
  TimeGenerated: TimeGenerated
  RiskScore: RiskScore
  FirstSeen: FirstSeen
  LastSeen: LastSeen
  Vulnerabilities: Vulnerabilities
  UID: UID
  OpenPorts: OpenPorts
  WebServer: WebServer
  WebServerVersion: WebServerVersion
  Softwares: Softwares
  HostProvider: HostProvider
  AlertUID: AlertUID
  Country: Country
  vulnerableProducts: VulnerabilityProducts
alertDetailsOverride:
  alertDisplayNameFormat: "CYFIRMA - High Severity Domain/IP Vulnerability Exposure Detected - Domain: {{Domain}}, IP: {{NetworkIP}}"
  alertDescriptionFormat: "CYFIRMA - High Severity Domain/IP Vulnerability Exposure Detected - {{Description}}"
  alertDynamicProperties:
    - alertProperty: ProductName
      value: ProductName
    - alertProperty: ProviderName
      value: ProviderName
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
eventGroupingSettings:
  aggregationKind: AlertPerResult

Stages and Predicates

Parameters

let timeFrame = 5m;

Stage 1: source

CyfirmaASDomainIPVulnerabilityAlerts_CL

Stage 2: where

| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())

Stage 3: mv-expand

| mv-expand pvuln = possible_vulnerabilities

Stage 4: extend

| extend cve = tostring(pvuln.cveNo), vulProducts = pvuln.products

Stage 5: mv-expand

| mv-expand vul_Products = vulProducts

Stage 6: summarize

| summarize cveList = make_set(cve, 100), vul_products1 = make_set(vul_Products, 100)    by uid

Stage 7: join

| join kind=inner (CyfirmaASDomainIPVulnerabilityAlerts_CL
    | where severity == 'Critical'
    | summarize arg_max(TimeGenerated, *) by uid)
    on uid

Stage 8: extend

| extend
    Vulnerabilities = strcat_array(cveList, ', '),
    VulnerabilityProducts = strcat_array(vul_products1, ', '),
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    Domain=sub_domain,
    TopDomain=top_domain,
    NetworkIP=ip,
    AlertUID=alert_uid,
    UID=uid,
    OpenPorts=open_ports,
    HostProvider=host_provider,
    Country=country,
    Softwares=softwares,
    WebServer=web_server,
    WebServerVersion=web_server_version,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT'

Stage 9: project

| project
    TimeGenerated,
    Description,
    Domain,
    TopDomain,
    RiskScore,
    FirstSeen,
    LastSeen,
    NetworkIP,
    AlertUID,
    UID,
    Vulnerabilities,
    VulnerabilityProducts,
    OpenPorts,
    HostProvider,
    Country,
    Softwares,
    WebServer,
    WebServerVersion,
    ProviderName,
    ProductName
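The stages above are easiest to reason about against known input. The following KQL is an added example, not part of the Azure-Sentinel rule, that binds a constructed `datatable` to the same table name the rule reads (`CyfirmaASDomainIPVulnerabilityAlerts_CL`) and runs the rule's pipeline over it. Only the columns the pipeline actually touches (`TimeGenerated`, `uid`, `severity`, `sub_domain`, `top_domain`, `ip`, `possible_vulnerabilities`) are modelled, so the final extend and project are trimmed to those fields; the CVE ids and host names are placeholders. Two things worth confirming against real data are visible here: the filter is `severity == 'Critical'` (case-sensitive, as the "cased" transform notes), so a record carrying `High` never reaches the join even though the rule is named "High"; and the join merges every Critical record for a `uid` in the window into one row, deduplicating CVEs and products with `make_set` while `arg_max` supplies the attributes of the most recent record.

```kusto
// Added test harness for the rule pipeline (example code, not the rule's own).
// All rows below are constructed sample data, not real CYFIRMA output.
// 'age' is how far in the past each record was generated, so the rule's
// 5-minute window works regardless of when the query is run.
let timeFrame = 5m;
let CyfirmaASDomainIPVulnerabilityAlerts_CL = datatable(
        age: timespan, uid: string, severity: string,
        sub_domain: string, top_domain: string, ip: string,
        possible_vulnerabilities: dynamic)
    [
        // asset-1, older record: one finding
        time(4m), "asset-1", "Critical", "www.example.test", "example.test", "198.51.100.10",
            dynamic([{"cveNo": "CVE-0000-0001", "products": ["product-a"]}]),
        // asset-1, newer record: the same finding again plus a second one
        time(1m), "asset-1", "Critical", "www.example.test", "example.test", "198.51.100.10",
            dynamic([{"cveNo": "CVE-0000-0001", "products": ["product-a"]},
                     {"cveNo": "CVE-0000-0002", "products": ["product-b", "product-c"]}]),
        // asset-2 is severity High: the rule filters on 'Critical' only, so it is dropped
        time(1m), "asset-2", "High", "api.example.test", "example.test", "198.51.100.11",
            dynamic([{"cveNo": "CVE-0000-0003", "products": ["product-d"]}]),
        // asset-3 is Critical but older than the 5m window, so the first branch drops it
        time(10m), "asset-3", "Critical", "old.example.test", "example.test", "198.51.100.12",
            dynamic([{"cveNo": "CVE-0000-0004", "products": ["product-e"]}])
    ]
    | extend TimeGenerated = now() - age
    | project-away age;
// From here on this is the rule's pipeline, with extend/project trimmed to modelled columns.
CyfirmaASDomainIPVulnerabilityAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| mv-expand pvuln = possible_vulnerabilities
| extend cve = tostring(pvuln.cveNo), vulProducts = pvuln.products
| mv-expand vul_Products = vulProducts
| summarize cveList = make_set(cve, 100), vul_products1 = make_set(vul_Products, 100) by uid
| join kind=inner (CyfirmaASDomainIPVulnerabilityAlerts_CL
    | where severity == 'Critical'
    | summarize arg_max(TimeGenerated, *) by uid)
    on uid
| extend
    Vulnerabilities = strcat_array(cveList, ', '),
    VulnerabilityProducts = strcat_array(vul_products1, ', '),
    Domain = sub_domain,
    TopDomain = top_domain,
    NetworkIP = ip,
    UID = uid
| project TimeGenerated, Domain, TopDomain, NetworkIP, UID, Vulnerabilities, VulnerabilityProducts
```

Expected result: a single row for `asset-1` whose `TimeGenerated` is that of the newer record, `Vulnerabilities` contains `CVE-0000-0001` and `CVE-0000-0002` once each, and `VulnerabilityProducts` contains `product-a`, `product-b`, `product-c` (set order is not guaranteed by `make_set`). `asset-2` is absent because of the severity filter and `asset-3` because of the time window. Note that the inner subquery of the join has no time filter, so `arg_max` scans all Critical rows for the table's retention period; the outer branch's window is what bounds the result, but the subquery cost grows with table size.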

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field       Kind    Values
severity    eq      Critical (transforms: cased)

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field                    Source
AlertUID                 project
Country                  project
Description              project
Domain                   project
FirstSeen                project
HostProvider             project
LastSeen                 project
NetworkIP                project
OpenPorts                project
ProductName              project
ProviderName             project
RiskScore                project
Softwares                project
TimeGenerated            project
TopDomain                project
UID                      project
Vulnerabilities          project
VulnerabilityProducts    project
WebServer                project
WebServerVersion         project