Cyble Vision Alerts Darkweb Data Breaches

Back


Id	588a2ee5-978a-43f7-9c10-6d76d82026ef
Rulename	Cyble Vision Alerts Darkweb Data Breaches
Description	Detects darkweb credential leakage and data breach records from CybleVision. Extracts leaked username, email, password hashes, registration dates, and metadata using the Alerts_DarkwebDataBreaches parser. Incidents grouped per service.
Severity	Low
Tactics	Reconnaissance InitialAccess Exfiltration Collection
Techniques	T1589 T1078 T1048 T1530
Required data connectors	CybleVisionAlerts
Kind	Scheduled
Query frequency	30m
Query period	30m
Trigger threshold	0
Trigger operator	GreaterThan
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Darkweb_Data_Breaches.yaml
Version	1.0.0
Arm template	588a2ee5-978a-43f7-9c10-6d76d82026ef.json

KQL

Alerts_darkweb_data_breaches 
| where Service == "darkweb_data_breaches" 
| extend  MappedSeverity = Severity

YAML

version: 1.0.0
severity: Low
suppressionDuration: PT5H
name: Cyble Vision Alerts Darkweb Data Breaches
query: |
  Alerts_darkweb_data_breaches 
  | where Service == "darkweb_data_breaches" 
  | extend  MappedSeverity = Severity  
status: Available
eventGroupingSettings:
  aggregationKind: AlertPerResult
tactics:
- Reconnaissance
- InitialAccess
- Exfiltration
- Collection
triggerThreshold: 0
customDetails:
  RegistrationDate: DB_RegistrationDate
  MappedSeverity: Severity
  Service: Service
  AlertID: AlertID
  S3Key: DB_S3Key
  PasswordHash: DB_PasswordHash
  Status: Status
  DisplayName: DB_DisplayName
  UserName: DB_Username
  Structured: DB_Structured
  LeakedEmail: DB_Email
  BreachDate: DB_Date
  BreachSource: Breach_Source
  Tags: DB_Tags
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Darkweb_Data_Breaches.yaml
enabled: true
alertDetailsOverride:
  alertDynamicProperties: []
  alertDescriptionFormat: |
        Username {{DB_Username}} Registration date {{DB_RegistrationDate}} Breach source {{Breach_Source}}
  alertDisplayNameFormat: CybleVision Darkweb Breach for {{DB_Email}}
relevantTechniques:
- T1589
- T1078
- T1048
- T1530
queryPeriod: 30m
triggerOperator: GreaterThan
subTechniques: []
description: |
    'Detects darkweb credential leakage and data breach records from CybleVision. Extracts leaked username, email, password hashes, registration dates, and metadata using the Alerts_DarkwebDataBreaches parser. Incidents grouped per service.'
requiredDataConnectors:
- dataTypes:
  - CybleVisionAlerts_CL
  connectorId: CybleVisionAlerts
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: DB_Username
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: Domain
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IP
- entityType: Mailbox
  fieldMappings:
  - identifier: MailboxPrimaryAddress
    columnName: DB_Email
queryFrequency: 30m
kind: Scheduled
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
  createIncident: true
id: 588a2ee5-978a-43f7-9c10-6d76d82026ef

ARM