CYFIRMA - Social and Public Exposure - Exposure of PIICII in Public Domain Rule

// High severity - Social and Public Exposure - Exposure of PII/CII in Public Domain
let timeFrame = 5m;
CyfirmaSPEPIIAndCIIAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Source=source,
    Impact=impact,
    Recommendation=recommendation,
    PostedDate=posted_date,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Source,
    Impact,
    Recommendation,
    PostedDate,
    ProductName,
    ProviderName,
    AlertTitle

kind: Scheduled
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H
  createIncident: true
requiredDataConnectors:
- connectorId: CyfirmaDigitalRiskAlertsConnector
  dataTypes:
  - CyfirmaSPEPIIAndCIIAlerts_CL
relevantTechniques:
- T1078
- T1003
- T1213
- T1537
query: |
  // High severity - Social and Public Exposure - Exposure of PII/CII in Public Domain
  let timeFrame = 5m;
  CyfirmaSPEPIIAndCIIAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact=impact,
      Recommendation=recommendation,
      PostedDate=posted_date,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Source,
      Impact,
      Recommendation,
      PostedDate,
      ProductName,
      ProviderName,
      AlertTitle  
triggerThreshold: 0
customDetails:
  AssetValue: AssetValue
  TimeGenerated: TimeGenerated
  Source: Source
  LastSeen: LastSeen
  Description: Description
  FirstSeen: FirstSeen
  RiskScore: RiskScore
  UID: UID
  AlertUID: AlertUID
  Recommendation: Recommendation
  Impact: Impact
  AssetType: AssetType
alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDisplayNameFormat: 'CYFIRMA - High Severity: Exposure of PII/CII in Public Domain - {{AlertTitle}} '
  alertDescriptionFormat: '{{Description}} '
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPEExposureOfPIICIIHighRule.yaml
queryPeriod: 5m
tactics:
- InitialAccess
- Exfiltration
- Collection
- CredentialAccess
name: CYFIRMA - Social and Public Exposure - Exposure of PII/CII in Public Domain Rule
status: Available
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: |
  "This analytics rule detects high severity alerts from CYFIRMA indicating exposure of Personally Identifiable Information (PII) or Confidential Information (CII) in public or unsecured sources. 
  Such leaks may include email addresses, credentials, phone numbers, or other sensitive personal or organizational data. 
  These exposures can lead to identity theft, phishing, credential compromise, or regulatory non-compliance. 
  Investigate promptly and initiate remediation steps including user notifications and credential resets."   
id: 52d71822-41e4-4c21-b36f-400294f2b43a
version: 1.0.1
triggerOperator: gt
queryFrequency: 5m
severity: High