CYFIRMA - Medium Severity Attack Surface based Vulnerabilities Rule
This is a third-party alert feed, not a detection over modeled telemetry. The vendor product raised the finding; this rule forwards it into the SIEM. It is searchable for reference but is excluded from the detection-rule browse and the ATT&CK coverage matrix.
"This rule detects medium severity attack surface-based vulnerabilities from CYFIRMA's vulnerability intelligence data. It identifies vulnerabilities with a confidence score of 50 or higher, excluding those categorized as 'ASSET_VULNERABILITY', and generates alerts for assets that may be at risk."
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1133 External Remote Services, T1190 Exploit Public-Facing Application |
| Execution | T1059 Command and Scripting Interpreter, T1203 Exploitation for Client Execution |
| Privilege Escalation | T1068 Exploitation for Privilege Escalation, T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control |
| Defense Evasion | T1553 Subvert Trust Controls |
| Credential Access | T1003 OS Credential Dumping |
| Lateral Movement | T1021.002 Remote Services: SMB/Windows Admin Shares, T1210 Exploitation of Remote Services |
Rule body
```yaml
id: 4c1b282b-62f1-4783-bf40-94c44f0ae630
name: CYFIRMA - Medium Severity Attack Surface based Vulnerabilities Rule
description: |
  "This rule detects medium severity attack surface-based vulnerabilities from CYFIRMA's vulnerability intelligence data. It identifies vulnerabilities with a confidence score of 50 or higher, excluding those categorized as 'ASSET_VULNERABILITY', and generates alerts for assets that may be at risk."
version: 1.0.1
kind: Scheduled
severity: Medium
enabled: false
requiredDataConnectors:
  - connectorId: CyfirmaVulnerabilitiesIntelDC
    dataTypes:
      - CyfirmaVulnerabilities_CL
query: |
  // Medium severity - Attack Surface based Vulnerabilities
  let timeFrame = 5m;
  CyfirmaVulnerabilities_CL
  | extend parsed = parse_json(extensions)
  | extend extensionKeys = bag_keys(parsed)
  | mv-expand extensionKeys
  | extend extensionKeyStr = tostring(extensionKeys)
  | extend ext = parsed[extensionKeyStr]
  | extend props = ext.properties
  | extend
      attack_complexity = tostring(props.attack_complexity),
      cvss_score = toreal(props.cvss_score),
      integrity_impact = tostring(props.integrity_impact),
      impact_score = tostring(props.impact_score),
      attack_vector = tostring(props.attack_vector),
      privileges_required = tostring(props.privileges_required),
      cvss_version = tostring(props.cvss_version),
      user_interaction = tostring(props.user_interaction),
      cvss_vector = tostring(props.cvss_vector),
      scope = tostring(props.scope),
      confidentiality_impact = tostring(props.confidentiality_impact),
      exploitability_score = toreal(props.exploitability_score),
      products = tostring(props.products),
      technologies = tostring(props.technologies),
      vendors = tostring(props.vendors),
      confidence_score = toint(confidence),
      servers = tostring(props.servers),
      vulnerability_type = tostring(props.vulnerability_type),
      vulnerability_category = tostring(props.vulnerability_category),
      NetworkIPs = tostring(props.ips),
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | summarize arg_max(
      integrity_impact,
      TimeGenerated,
      id,
      description,
      confidence_score,
      created,
      modified,
      attack_complexity,
      cvss_score,
      impact_score,
      attack_vector,
      privileges_required,
      cvss_version,
      user_interaction,
      cvss_vector,
      scope,
      confidentiality_impact,
      exploitability_score,
      products,
      technologies,
      vendors,
      ProviderName,
      ProductName,
      servers,
      NetworkIPs,
      vulnerability_type,
      vulnerability_category
    )
    by name
  | where confidence_score >= 60 and vulnerability_category == 'ATTACK_SURFACE_VULNERABILITY' and TimeGenerated between (ago(timeFrame) .. now())
  | project
      TimeGenerated,
      name,
      confidence_score,
      integrity_impact,
      attack_complexity,
      cvss_score,
      impact_score,
      attack_vector,
      UID = id,
      description,
      created,
      modified,
      privileges_required,
      cvss_version,
      user_interaction,
      cvss_vector,
      scope,
      confidentiality_impact,
      exploitability_score,
      products,
      technologies,
      vendors,
      ProviderName,
      ProductName,
      servers,
      NetworkIPs,
      vulnerability_type,
      vulnerability_category
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: GreaterThan
triggerThreshold: 0
suppressionDuration: 5m
suppressionEnabled: false
tactics:
  - Execution
  - LateralMovement
  - PrivilegeEscalation
  - InitialAccess
  - CredentialAccess
  - DefenseEvasion
relevantTechniques:
  - T1059
  - T1203
  - T1210
  - T1068
  - T1190
  - T1133
  - T1003
  - T1553
  - T1548.002
  - T1021.002
alertDetailsOverride:
  alertDisplayNameFormat: "CYFIRMA - Medium Severity Attack Surface based Vulnerability Identified - {{name}}"
  alertDescriptionFormat: "{{description}}"
  alertDynamicProperties:
    - alertProperty: ProductName
      value: ProductName
    - alertProperty: ProviderName
      value: ProviderName
# customDetails: each alert detail key maps to the projected column of the same meaning
# (the original listing had the keys from CVSSVector downward shifted by one column).
customDetails:
  TimeGenerated: TimeGenerated
  CVE: name
  ConfidenceScore: confidence_score
  IntegrityImpact: integrity_impact
  AttackComplexity: attack_complexity
  CVSSScore: cvss_score
  ImpactScore: impact_score
  AttackVector: attack_vector
  ConfidentialImpact: confidentiality_impact
  PrivilegesRequired: privileges_required
  CVSSVersion: cvss_version
  UserInteraction: user_interaction
  CVSSVector: cvss_vector
  Scope: scope
  ExploitabilityScore: exploitability_score
  Modified: modified
  Products: products
  Vendors: vendors
  Technologies: technologies
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
eventGroupingSettings:
  aggregationKind: AlertPerResult
```
Stages and Predicates
Parameters
```kusto
let timeFrame = 5m;
```
Stage 1: source
```kusto
CyfirmaVulnerabilities_CL
```
Stage 2: extend
```kusto
| extend parsed = parse_json(extensions)
```
Stage 3: extend
```kusto
| extend extensionKeys = bag_keys(parsed)
```
Stage 4: mv-expand
```kusto
| mv-expand extensionKeys
```
Stage 5: extend (4 consecutive steps)
```kusto
| extend extensionKeyStr = tostring(extensionKeys)
| extend ext = parsed[extensionKeyStr]
| extend props = ext.properties
| extend
    attack_complexity = tostring(props.attack_complexity),
    cvss_score = toreal(props.cvss_score),
    integrity_impact = tostring(props.integrity_impact),
    impact_score = tostring(props.impact_score),
    attack_vector = tostring(props.attack_vector),
    privileges_required = tostring(props.privileges_required),
    cvss_version = tostring(props.cvss_version),
    user_interaction = tostring(props.user_interaction),
    cvss_vector = tostring(props.cvss_vector),
    scope = tostring(props.scope),
    confidentiality_impact = tostring(props.confidentiality_impact),
    exploitability_score = toreal(props.exploitability_score),
    products = tostring(props.products),
    technologies = tostring(props.technologies),
    vendors = tostring(props.vendors),
    confidence_score = toint(confidence),
    servers = tostring(props.servers),
    vulnerability_type = tostring(props.vulnerability_type),
    vulnerability_category = tostring(props.vulnerability_category),
    NetworkIPs = tostring(props.ips),
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
```
Stage 6: summarize
```kusto
| summarize arg_max(
    integrity_impact,
    TimeGenerated,
    id,
    description,
    confidence_score,
    created,
    modified,
    attack_complexity,
    cvss_score,
    impact_score,
    attack_vector,
    privileges_required,
    cvss_version,
    user_interaction,
    cvss_vector,
    scope,
    confidentiality_impact,
    exploitability_score,
    products,
    technologies,
    vendors,
    ProviderName,
    ProductName,
    servers,
    NetworkIPs,
    vulnerability_type,
    vulnerability_category
  )
  by name
```
Stage 7: where
```kusto
| where confidence_score >= 60 and vulnerability_category == 'ATTACK_SURFACE_VULNERABILITY' and TimeGenerated between (ago(timeFrame) .. now())
```
Stage 8: project
```kusto
| project
    TimeGenerated,
    name,
    confidence_score,
    integrity_impact,
    attack_complexity,
    cvss_score,
    impact_score,
    attack_vector,
    UID = id,
    description,
    created,
    modified,
    privileges_required,
    cvss_version,
    user_interaction,
    cvss_vector,
    scope,
    confidentiality_impact,
    exploitability_score,
    products,
    technologies,
    vendors,
    ProviderName,
    ProductName,
    servers,
    NetworkIPs,
    vulnerability_type,
    vulnerability_category
```
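As an added illustration, not code from the catalog or from CYFIRMA, the following Python replays the eight stages above over a handful of constructed records so the rule's behaviour can be checked offline. It assumes each `CyfirmaVulnerabilities_CL` row carries `name`, `id`, `confidence`, `TimeGenerated` and an `extensions` JSON string whose top-level keys each hold a `properties` object (the shape the KQL implies through `parse_json`, `bag_keys` and `mv-expand`); the CVE identifiers, IPs and the fixed clock standing in for `now()` are placeholders. Two points the query body does not make obvious are exercised: the `where` stage uses a threshold of 60 although the rule description says 50, and because `summarize arg_max(integrity_impact, ...) by name` runs before the category filter, a CVE that appears under more than one extension key keeps only the entry whose `integrity_impact` string sorts highest.

```python
import json
from datetime import datetime, timedelta, timezone

# Fixed reference clock so the example is deterministic; stands in for KQL now().
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
TIME_FRAME = timedelta(minutes=5)          # let timeFrame = 5m
CONFIDENCE_MIN = 60                        # the query's threshold (the description says 50)
CATEGORY = "ATTACK_SURFACE_VULNERABILITY"  # the vulnerability_category the rule keeps


def row(name, confidence, minutes_ago, extensions):
    """One constructed CyfirmaVulnerabilities_CL-like record (placeholder data, not vendor output)."""
    return {"name": name, "id": f"uid-{name}", "confidence": confidence,
            "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
            "extensions": json.dumps(extensions)}


def ext(category, integrity="HIGH", cvss="7.5", ips="198.51.100.10"):
    """One entry of the extensions bag, shaped like the `properties` object the KQL reads."""
    return {"properties": {"vulnerability_category": category, "integrity_impact": integrity,
                           "cvss_score": cvss, "ips": ips}}


SAMPLE_ROWS = [
    # fires: confidence >= 60, attack-surface category, inside the 5-minute window
    row("CVE-0000-0001", 75, 1, {"asm": ext(CATEGORY)}),
    # dropped: 55 satisfies the description's "50 or higher" but not the query's >= 60
    row("CVE-0000-0002", 55, 1, {"asm": ext(CATEGORY)}),
    # dropped: asset category
    row("CVE-0000-0003", 90, 1, {"asset": ext("ASSET_VULNERABILITY")}),
    # dropped: TimeGenerated outside ago(timeFrame) .. now()
    row("CVE-0000-0004", 90, 30, {"asm": ext(CATEGORY)}),
    # dropped by dedup: arg_max(integrity_impact) keeps the ordinally larger string
    # ("NONE" > "HIGH"), i.e. the asset entry, so the attack-surface entry never
    # reaches the where stage
    row("CVE-0000-0005", 90, 1, {"asm": ext(CATEGORY, integrity="HIGH"),
                                "asset": ext("ASSET_VULNERABILITY", integrity="NONE")}),
    # dropped: empty bag -> bag_keys yields nothing -> mv-expand emits no row
    row("CVE-0000-0006", 90, 1, {}),
]


def expand(rows):
    """Stages 2-5: parse_json / bag_keys / mv-expand / extend; one flat record per extension key."""
    for r in rows:
        parsed = json.loads(r["extensions"]) if r["extensions"] else {}
        for key in parsed:
            props = parsed[key].get("properties", {})
            yield {
                "name": r["name"], "UID": r["id"], "TimeGenerated": r["TimeGenerated"],
                "confidence_score": int(r["confidence"]),
                "integrity_impact": str(props.get("integrity_impact", "")),
                "cvss_score": float(props.get("cvss_score") or 0),
                "vulnerability_category": str(props.get("vulnerability_category", "")),
                "NetworkIPs": str(props.get("ips", "")),
                "ProviderName": "CYFIRMA", "ProductName": "DeCYFIR/DeTCT",
            }


def dedup_by_name(records):
    """Stage 6: summarize arg_max(integrity_impact, ...) by name. Per CVE name, keep the
    record whose integrity_impact string sorts highest (ordinal comparison, as KQL does)."""
    best = {}
    for rec in records:
        cur = best.get(rec["name"])
        if cur is None or rec["integrity_impact"] > cur["integrity_impact"]:
            best[rec["name"]] = rec
    return list(best.values())


def matches(rec, now=NOW, confidence_min=CONFIDENCE_MIN):
    """Stage 7: the rule's where predicate."""
    return (rec["confidence_score"] >= confidence_min
            and rec["vulnerability_category"] == CATEGORY
            and now - TIME_FRAME <= rec["TimeGenerated"] <= now)


def run_rule(rows, now=NOW, confidence_min=CONFIDENCE_MIN):
    """Whole pipeline; returns the sorted CVE names the rule would alert on."""
    return sorted(rec["name"] for rec in dedup_by_name(expand(rows))
                  if matches(rec, now, confidence_min))


if __name__ == "__main__":
    print(run_rule(SAMPLE_ROWS))                     # ['CVE-0000-0001']
    print(run_rule(SAMPLE_ROWS, confidence_min=50))  # ['CVE-0000-0001', 'CVE-0000-0002']
```

Running it with the rule's own threshold alerts only on the first record; lowering `confidence_min` to the 50 stated in the description adds the second. The fifth record shows why ordering the dedup before the category filter matters when a CVE is reported under several extension keys: swapping the `summarize` and `where` stages, or maximising on `TimeGenerated` instead of `integrity_impact`, would keep the attack-surface entry.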
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| confidence_score | ge | 60 |
| vulnerability_category | eq | ATTACK_SURFACE_VULNERABILITY |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
| NetworkIPs | project |
| ProductName | project |
| ProviderName | project |
| TimeGenerated | project |
| UID | project |
| attack_complexity | project |
| attack_vector | project |
| confidence_score | project |
| confidentiality_impact | project |
| created | project |
| cvss_score | project |
| cvss_vector | project |
| cvss_version | project |
| description | project |
| exploitability_score | project |
| impact_score | project |
| integrity_impact | project |
| modified | project |
| name | project |
| privileges_required | project |
| products | project |
| scope | project |
| servers | project |
| technologies | project |
| user_interaction | project |
| vendors | project |
| vulnerability_category | project |
| vulnerability_type | project |