CYFIRMA - Social and Public Exposure - Exposure of PII/CII in Public Domain Rule
| Field | Value |
|---|---|
| Id | 52d71822-41e4-4c21-b36f-400294f2b43a |
| Rulename | CYFIRMA - Social and Public Exposure - Exposure of PII/CII in Public Domain Rule |
| Description | "This analytics rule detects high severity alerts from CYFIRMA indicating exposure of Personally Identifiable Information (PII) or Confidential Information (CII) in public or unsecured sources. Such leaks may include email addresses, credentials, phone numbers, or other sensitive personal or organizational data. These exposures can lead to identity theft, phishing, credential compromise, or regulatory non-compliance. Investigate promptly and initiate remediation steps including user notifications and credential resets." |
| Severity | High |
| Tactics | InitialAccess, Exfiltration, Collection, CredentialAccess |
| Techniques | T1078, T1003, T1213, T1537 |
| Required data connectors | CyfirmaDigitalRiskAlertsConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPEExposureOfPIICIIHighRule.yaml |
| Version | 1.0.1 |
| Arm template | 52d71822-41e4-4c21-b36f-400294f2b43a.json |
// High severity - Social and Public Exposure - Exposure of PII/CII in Public Domain
let timeFrame = 5m;
CyfirmaSPEPIIAndCIIAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Source=source,
    Impact=impact,
    Recommendation=recommendation,
    PostedDate=posted_date,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Source,
    Impact,
    Recommendation,
    PostedDate,
    ProductName,
    ProviderName,
    AlertTitle
name: CYFIRMA - Social and Public Exposure - Exposure of PII/CII in Public Domain Rule
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertDynamicProperties:
    - alertProperty: ProductName
      value: ProductName
    - alertProperty: ProviderName
      value: ProviderName
  alertDisplayNameFormat: 'CYFIRMA - High Severity: Exposure of PII/CII in Public Domain - {{AlertTitle}} '
  alertDescriptionFormat: '{{Description}} '
id: 52d71822-41e4-4c21-b36f-400294f2b43a
requiredDataConnectors:
  - connectorId: CyfirmaDigitalRiskAlertsConnector
    dataTypes:
      - CyfirmaSPEPIIAndCIIAlerts_CL
severity: High
triggerThreshold: 0
version: 1.0.1
description: |
  "This analytics rule detects high severity alerts from CYFIRMA indicating exposure of Personally Identifiable Information (PII) or Confidential Information (CII) in public or unsecured sources.
  Such leaks may include email addresses, credentials, phone numbers, or other sensitive personal or organizational data.
  These exposures can lead to identity theft, phishing, credential compromise, or regulatory non-compliance.
  Investigate promptly and initiate remediation steps including user notifications and credential resets."
relevantTechniques:
  - T1078
  - T1003
  - T1213
  - T1537
kind: Scheduled
queryPeriod: 5m
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
tactics:
  - InitialAccess
  - Exfiltration
  - Collection
  - CredentialAccess
customDetails:
  AlertUID: AlertUID
  LastSeen: LastSeen
  UID: UID
  AssetType: AssetType
  Impact: Impact
  Description: Description
  FirstSeen: FirstSeen
  Recommendation: Recommendation
  RiskScore: RiskScore
  Source: Source
  AssetValue: AssetValue
  TimeGenerated: TimeGenerated
queryFrequency: 5m
status: Available
triggerOperator: gt
query: |
  // High severity - Social and Public Exposure - Exposure of PII/CII in Public Domain
  let timeFrame = 5m;
  CyfirmaSPEPIIAndCIIAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact=impact,
      Recommendation=recommendation,
      PostedDate=posted_date,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Source,
      Impact,
      Recommendation,
      PostedDate,
      ProductName,
      ProviderName,
      AlertTitle
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPEExposureOfPIICIIHighRule.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/52d71822-41e4-4c21-b36f-400294f2b43a')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/52d71822-41e4-4c21-b36f-400294f2b43a')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{Description}} ",
          "alertDisplayNameFormat": "CYFIRMA - High Severity: Exposure of PII/CII in Public Domain - {{AlertTitle}} ",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "52d71822-41e4-4c21-b36f-400294f2b43a",
        "customDetails": {
          "AlertUID": "AlertUID",
          "AssetType": "AssetType",
          "AssetValue": "AssetValue",
          "Description": "Description",
          "FirstSeen": "FirstSeen",
          "Impact": "Impact",
          "LastSeen": "LastSeen",
          "Recommendation": "Recommendation",
          "RiskScore": "RiskScore",
          "Source": "Source",
          "TimeGenerated": "TimeGenerated",
          "UID": "UID"
        },
        "description": "\"This analytics rule detects high severity alerts from CYFIRMA indicating exposure of Personally Identifiable Information (PII) or Confidential Information (CII) in public or unsecured sources. \nSuch leaks may include email addresses, credentials, phone numbers, or other sensitive personal or organizational data. \nThese exposures can lead to identity theft, phishing, credential compromise, or regulatory non-compliance. \nInvestigate promptly and initiate remediation steps including user notifications and credential resets.\" \n",
        "displayName": "CYFIRMA - Social and Public Exposure - Exposure of PII/CII in Public Domain Rule",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPEExposureOfPIICIIHighRule.yaml",
        "query": "// High severity - Social and Public Exposure - Exposure of PII/CII in Public Domain\nlet timeFrame = 5m;\nCyfirmaSPEPIIAndCIIAlerts_CL\n| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n Description=description,\n FirstSeen=first_seen,\n LastSeen=last_seen,\n RiskScore=risk_score,\n AlertUID=alert_uid,\n UID=uid,\n AssetType=asset_type,\n AssetValue=signature,\n Source=source,\n Impact=impact,\n Recommendation=recommendation,\n PostedDate=posted_date,\n ProviderName='CYFIRMA',\n ProductName='DeCYFIR/DeTCT',\n AlertTitle=Alert_title\n| project\n TimeGenerated,\n Description,\n RiskScore,\n FirstSeen,\n LastSeen,\n AlertUID,\n UID,\n AssetType,\n AssetValue,\n Source,\n Impact,\n Recommendation,\n PostedDate,\n ProductName,\n ProviderName,\n AlertTitle\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "CredentialAccess",
          "Exfiltration",
          "InitialAccess"
        ],
        "techniques": [
          "T1003",
          "T1078",
          "T1213",
          "T1537"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}