Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Social and Public Exposure - Confidential Files Information Exposure Rule

Back
Id67e9c4aa-a2fa-4e4e-9272-1a8da41475c6
RulenameCYFIRMA - Social and Public Exposure - Confidential Files Information Exposure Rule
Description“This rule detects high-severity alerts from CYFIRMA regarding exposure of confidential files or forms linked to internal or client-related information, publicly accessible on platforms.

These exposures could lead to data leakage, compliance violations, or targeted attacks.”
SeverityHigh
TacticsInitialAccess
Exfiltration
Collection
Reconnaissance
TechniquesT1189
T1213
T1593
T1567.002
Required data connectorsCyfirmaDigitalRiskAlertsConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPEConfidentialFilesHighRule.yaml
Version1.0.0
Arm template67e9c4aa-a2fa-4e4e-9272-1a8da41475c6.json
Deploy To Azure
// High severity - Social and Public Exposure - Confidential Files Information Exposure
let timeFrame = 5m;
CyfirmaSPEConfidentialFilesAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Impact=impact,
    Recommendation=recommendation,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Impact,
    Recommendation,
    ProductName,
    ProviderName,
    AlertTitle
tactics:
- InitialAccess
- Exfiltration
- Collection
- Reconnaissance
name: CYFIRMA - Social and Public Exposure - Confidential Files Information Exposure Rule
id: 67e9c4aa-a2fa-4e4e-9272-1a8da41475c6
requiredDataConnectors:
- connectorId: CyfirmaDigitalRiskAlertsConnector
  dataTypes:
  - CyfirmaSPEConfidentialFilesAlerts_CL
query: |
  // High severity - Social and Public Exposure - Confidential Files Information Exposure
  let timeFrame = 5m;
  CyfirmaSPEConfidentialFilesAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Impact=impact,
      Recommendation=recommendation,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Impact,
      Recommendation,
      ProductName,
      ProviderName,
      AlertTitle  
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1189
- T1213
- T1593
- T1567.002
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: 5h
    enabled: false
description: |
  "This rule detects high-severity alerts from CYFIRMA regarding exposure of confidential files or forms linked to internal or client-related information, publicly accessible on platforms. 
  These exposures could lead to data leakage, compliance violations, or targeted attacks."  
triggerOperator: gt
queryPeriod: 5m
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPEConfidentialFilesHighRule.yaml
version: 1.0.0
alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDisplayNameFormat: 'Cyfirma - High Severity Alert: Confidential Files Information Exposure on Public Platforms - {{AlertTitle}}  '
  alertDescriptionFormat: '{{Description}} '
triggerThreshold: 0
queryFrequency: 5m
kind: Scheduled
status: Available
customDetails:
  RiskScore: RiskScore
  AssetType: AssetType
  FirstSeen: FirstSeen
  Recommendation: Recommendation
  Impact: Impact
  TimeGenerated: TimeGenerated
  AssetValue: AssetValue
  Description: Description
  LastSeen: LastSeen
  AlertUID: AlertUID
  UID: UID
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/67e9c4aa-a2fa-4e4e-9272-1a8da41475c6')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/67e9c4aa-a2fa-4e4e-9272-1a8da41475c6')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{Description}} ",
          "alertDisplayNameFormat": "Cyfirma - High Severity Alert: Confidential Files Information Exposure on Public Platforms - {{AlertTitle}}  ",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "67e9c4aa-a2fa-4e4e-9272-1a8da41475c6",
        "customDetails": {
          "AlertUID": "AlertUID",
          "AssetType": "AssetType",
          "AssetValue": "AssetValue",
          "Description": "Description",
          "FirstSeen": "FirstSeen",
          "Impact": "Impact",
          "LastSeen": "LastSeen",
          "Recommendation": "Recommendation",
          "RiskScore": "RiskScore",
          "TimeGenerated": "TimeGenerated",
          "UID": "UID"
        },
        "description": "\"This rule detects high-severity alerts from CYFIRMA regarding exposure of confidential files or forms linked to internal or client-related information, publicly accessible on platforms. \nThese exposures could lead to data leakage, compliance violations, or targeted attacks.\"\n",
        "displayName": "CYFIRMA - Social and Public Exposure - Confidential Files Information Exposure Rule",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPEConfidentialFilesHighRule.yaml",
        "query": "// High severity - Social and Public Exposure - Confidential Files Information Exposure\nlet timeFrame = 5m;\nCyfirmaSPEConfidentialFilesAlerts_CL\n| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n    Description=description,\n    FirstSeen=first_seen,\n    LastSeen=last_seen,\n    RiskScore=risk_score,\n    AlertUID=alert_uid,\n    UID=uid,\n    AssetType=asset_type,\n    AssetValue=signature,\n    Impact=impact,\n    Recommendation=recommendation,\n    ProviderName='CYFIRMA',\n    ProductName='DeCYFIR/DeTCT',\n    AlertTitle=Alert_title\n| project\n    TimeGenerated,\n    Description,\n    RiskScore,\n    FirstSeen,\n    LastSeen,\n    AlertUID,\n    UID,\n    AssetType,\n    AssetValue,\n    Impact,\n    Recommendation,\n    ProductName,\n    ProviderName,\n    AlertTitle\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [
          "T1567.002"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "Exfiltration",
          "InitialAccess",
          "Reconnaissance"
        ],
        "techniques": [
          "T1189",
          "T1213",
          "T1567",
          "T1593"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}