Cyble Vision Alerts Darkweb Data Breaches

Back


Id	588a2ee5-978a-43f7-9c10-6d76d82026ef
Rulename	Cyble Vision Alerts Darkweb Data Breaches
Description	Detects darkweb credential leakage and data breach records from CybleVision. Extracts leaked username, email, password hashes, registration dates, and metadata using the Alerts_DarkwebDataBreaches parser. Incidents grouped per service.
Severity	Low
Tactics	Reconnaissance InitialAccess Exfiltration Collection
Techniques	T1589 T1078 T1048 T1530
Required data connectors	CybleVisionAlerts
Kind	Scheduled
Query frequency	30m
Query period	30m
Trigger threshold	0
Trigger operator	GreaterThan
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Darkweb_Data_Breaches.yaml
Version	1.0.0
Arm template	588a2ee5-978a-43f7-9c10-6d76d82026ef.json

KQL

Alerts_darkweb_data_breaches 
| where Service == "darkweb_data_breaches" 
| extend  MappedSeverity = Severity

YAML

customDetails:
  UserName: DB_Username
  Tags: DB_Tags
  Service: Service
  BreachSource: Breach_Source
  Status: Status
  PasswordHash: DB_PasswordHash
  AlertID: AlertID
  S3Key: DB_S3Key
  BreachDate: DB_Date
  LeakedEmail: DB_Email
  DisplayName: DB_DisplayName
  MappedSeverity: Severity
  Structured: DB_Structured
  RegistrationDate: DB_RegistrationDate
kind: Scheduled
severity: Low
requiredDataConnectors:
- connectorId: CybleVisionAlerts
  dataTypes:
  - CybleVisionAlerts_CL
description: |
    'Detects darkweb credential leakage and data breach records from CybleVision. Extracts leaked username, email, password hashes, registration dates, and metadata using the Alerts_DarkwebDataBreaches parser. Incidents grouped per service.'
triggerOperator: GreaterThan
alertDetailsOverride:
  alertDynamicProperties: []
  alertDisplayNameFormat: CybleVision Darkweb Breach for {{DB_Email}}
  alertDescriptionFormat: |
        Username {{DB_Username}} Registration date {{DB_RegistrationDate}} Breach source {{Breach_Source}}
status: Available
enabled: true
query: |
  Alerts_darkweb_data_breaches 
  | where Service == "darkweb_data_breaches" 
  | extend  MappedSeverity = Severity  
triggerThreshold: 0
relevantTechniques:
- T1589
- T1078
- T1048
- T1530
version: 1.0.0
queryFrequency: 30m
subTechniques: []
suppressionDuration: PT5H
queryPeriod: 30m
tactics:
- Reconnaissance
- InitialAccess
- Exfiltration
- Collection
name: Cyble Vision Alerts Darkweb Data Breaches
id: 588a2ee5-978a-43f7-9c10-6d76d82026ef
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: DB_Username
  entityType: Account
- fieldMappings:
  - identifier: DomainName
    columnName: Domain
  entityType: DNS
- fieldMappings:
  - identifier: Address
    columnName: IP
  entityType: IP
- fieldMappings:
  - identifier: MailboxPrimaryAddress
    columnName: DB_Email
  entityType: Mailbox
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Darkweb_Data_Breaches.yaml
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H

ARM