CYFIRMA - Social and Public Exposure - Confidential Files Information Exposure Rule

// High severity - Social and Public Exposure - Confidential Files Information Exposure
let timeFrame = 5m;
CyfirmaSPEConfidentialFilesAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Impact=impact,
    Recommendation=recommendation,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Impact,
    Recommendation,
    ProductName,
    ProviderName,
    AlertTitle

relevantTechniques:
- T1189
- T1213
- T1593
- T1567.002
queryPeriod: 5m
triggerOperator: gt
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPEConfidentialFilesHighRule.yaml
description: |
  "This rule detects high-severity alerts from CYFIRMA regarding exposure of confidential files or forms linked to internal or client-related information, publicly accessible on platforms. 
  These exposures could lead to data leakage, compliance violations, or targeted attacks."  
tactics:
- InitialAccess
- Exfiltration
- Collection
- Reconnaissance
severity: High
status: Available
kind: Scheduled
triggerThreshold: 0
queryFrequency: 5m
alertDetailsOverride:
  alertDisplayNameFormat: 'Cyfirma - High Severity Alert: Confidential Files Information Exposure on Public Platforms - {{AlertTitle}}  '
  alertDescriptionFormat: '{{Description}} '
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
requiredDataConnectors:
- dataTypes:
  - CyfirmaSPEConfidentialFilesAlerts_CL
  connectorId: CyfirmaDigitalRiskAlertsConnector
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
id: 67e9c4aa-a2fa-4e4e-9272-1a8da41475c6
customDetails:
  LastSeen: LastSeen
  UID: UID
  Impact: Impact
  AssetType: AssetType
  Recommendation: Recommendation
  FirstSeen: FirstSeen
  Description: Description
  TimeGenerated: TimeGenerated
  AssetValue: AssetValue
  AlertUID: AlertUID
  RiskScore: RiskScore
query: |
  // High severity - Social and Public Exposure - Confidential Files Information Exposure
  let timeFrame = 5m;
  CyfirmaSPEConfidentialFilesAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Impact=impact,
      Recommendation=recommendation,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Impact,
      Recommendation,
      ProductName,
      ProviderName,
      AlertTitle  
name: CYFIRMA - Social and Public Exposure - Confidential Files Information Exposure Rule