CYFIRMA - Social and Public Exposure - Exposure of PIICII in Public Domain Rule
Id | 52d71822-41e4-4c21-b36f-400294f2b43a |
Rulename | CYFIRMA - Social and Public Exposure - Exposure of PII/CII in Public Domain Rule |
Description | “This analytics rule detects high severity alerts from CYFIRMA indicating exposure of Personally Identifiable Information (PII) or Confidential Information (CII) in public or unsecured sources. Such leaks may include email addresses, credentials, phone numbers, or other sensitive personal or organizational data. These exposures can lead to identity theft, phishing, credential compromise, or regulatory non-compliance. Investigate promptly and initiate remediation steps including user notifications and credential resets.” |
Severity | High |
Tactics | InitialAccess Exfiltration Collection CredentialAccess |
Techniques | T1078 T1003 T1213 T1537 |
Required data connectors | CyfirmaDigitalRiskAlertsConnector |
Kind | Scheduled |
Query frequency | 5m |
Query period | 5m |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPEExposureOfPIICIIHighRule.yaml |
Version | 1.0.0 |
Arm template | 52d71822-41e4-4c21-b36f-400294f2b43a.json |
// High severity - Social and Public Exposure - Exposure of PII/CII in Public Domain
let timeFrame = 5m;
CyfirmaSPEPIIAndCIIAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=signature,
Source=source,
Impact=impact,
Recommendation=recommendation,
PostedDate=posted_date,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT',
AlertTitle=Alert_title
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Source,
Impact,
Recommendation,
PostedDate,
ProductName,
ProviderName,
AlertTitle
tactics:
- InitialAccess
- Exfiltration
- Collection
- CredentialAccess
name: CYFIRMA - Social and Public Exposure - Exposure of PII/CII in Public Domain Rule
id: 52d71822-41e4-4c21-b36f-400294f2b43a
requiredDataConnectors:
- connectorId: CyfirmaDigitalRiskAlertsConnector
dataTypes:
- CyfirmaSPEPIIAndCIIAlerts_CL
query: |
// High severity - Social and Public Exposure - Exposure of PII/CII in Public Domain
let timeFrame = 5m;
CyfirmaSPEPIIAndCIIAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=signature,
Source=source,
Impact=impact,
Recommendation=recommendation,
PostedDate=posted_date,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT',
AlertTitle=Alert_title
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Source,
Impact,
Recommendation,
PostedDate,
ProductName,
ProviderName,
AlertTitle
eventGroupingSettings:
aggregationKind: AlertPerResult
relevantTechniques:
- T1078
- T1003
- T1213
- T1537
incidentConfiguration:
createIncident: true
groupingConfiguration:
matchingMethod: AllEntities
reopenClosedIncident: false
lookbackDuration: 5h
enabled: false
description: |
"This analytics rule detects high severity alerts from CYFIRMA indicating exposure of Personally Identifiable Information (PII) or Confidential Information (CII) in public or unsecured sources.
Such leaks may include email addresses, credentials, phone numbers, or other sensitive personal or organizational data.
These exposures can lead to identity theft, phishing, credential compromise, or regulatory non-compliance.
Investigate promptly and initiate remediation steps including user notifications and credential resets."
triggerOperator: gt
queryPeriod: 5m
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPEExposureOfPIICIIHighRule.yaml
version: 1.0.0
alertDetailsOverride:
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
alertDisplayNameFormat: 'CYFIRMA - High Severity: Exposure of PII/CII in Public Domain - {{AlertTitle}} '
alertDescriptionFormat: '{{Description}} '
triggerThreshold: 0
queryFrequency: 5m
kind: Scheduled
status: Available
customDetails:
Source: Source
Impact: Impact
AssetType: AssetType
AssetValue: AssetValue
TimeGenerated: TimeGenerated
Description: Description
AlertUID: AlertUID
Recommendation: Recommendation
UID: UID
LastSeen: LastSeen
RiskScore: RiskScore
FirstSeen: FirstSeen
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/52d71822-41e4-4c21-b36f-400294f2b43a')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/52d71822-41e4-4c21-b36f-400294f2b43a')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{Description}} ",
"alertDisplayNameFormat": "CYFIRMA - High Severity: Exposure of PII/CII in Public Domain - {{AlertTitle}} ",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "52d71822-41e4-4c21-b36f-400294f2b43a",
"customDetails": {
"AlertUID": "AlertUID",
"AssetType": "AssetType",
"AssetValue": "AssetValue",
"Description": "Description",
"FirstSeen": "FirstSeen",
"Impact": "Impact",
"LastSeen": "LastSeen",
"Recommendation": "Recommendation",
"RiskScore": "RiskScore",
"Source": "Source",
"TimeGenerated": "TimeGenerated",
"UID": "UID"
},
"description": "\"This analytics rule detects high severity alerts from CYFIRMA indicating exposure of Personally Identifiable Information (PII) or Confidential Information (CII) in public or unsecured sources. \nSuch leaks may include email addresses, credentials, phone numbers, or other sensitive personal or organizational data. \nThese exposures can lead to identity theft, phishing, credential compromise, or regulatory non-compliance. \nInvestigate promptly and initiate remediation steps including user notifications and credential resets.\" \n",
"displayName": "CYFIRMA - Social and Public Exposure - Exposure of PII/CII in Public Domain Rule",
"enabled": true,
"entityMappings": null,
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPEExposureOfPIICIIHighRule.yaml",
"query": "// High severity - Social and Public Exposure - Exposure of PII/CII in Public Domain\nlet timeFrame = 5m;\nCyfirmaSPEPIIAndCIIAlerts_CL\n| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n Description=description,\n FirstSeen=first_seen,\n LastSeen=last_seen,\n RiskScore=risk_score,\n AlertUID=alert_uid,\n UID=uid,\n AssetType=asset_type,\n AssetValue=signature,\n Source=source,\n Impact=impact,\n Recommendation=recommendation,\n PostedDate=posted_date,\n ProviderName='CYFIRMA',\n ProductName='DeCYFIR/DeTCT',\n AlertTitle=Alert_title\n| project\n TimeGenerated,\n Description,\n RiskScore,\n FirstSeen,\n LastSeen,\n AlertUID,\n UID,\n AssetType,\n AssetValue,\n Source,\n Impact,\n Recommendation,\n PostedDate,\n ProductName,\n ProviderName,\n AlertTitle\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Collection",
"CredentialAccess",
"Exfiltration",
"InitialAccess"
],
"techniques": [
"T1003",
"T1078",
"T1213",
"T1537"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}