CYFIRMA - Social and Public Exposure - Exposure of PIICII in Public Domain Rule

// Medium severity - Social and Public Exposure - Exposure of PII/CII in Public Domain
let timeFrame = 5m;
CyfirmaSPEPIIAndCIIAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Source=source,
    Impact=impact,
    Recommendation=recommendation,
    PostedDate=posted_date,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Source,
    Impact,
    Recommendation,
    PostedDate,
    ProductName,
    ProviderName,
    AlertTitle

version: 1.0.1
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPEExposureOfPIICIIMediumRule.yaml
name: CYFIRMA - Social and Public Exposure - Exposure of PII/CII in Public Domain Rule
triggerThreshold: 0
tactics:
- InitialAccess
- Exfiltration
- Collection
- CredentialAccess
severity: Medium
status: Available
kind: Scheduled
requiredDataConnectors:
- dataTypes:
  - CyfirmaSPEPIIAndCIIAlerts_CL
  connectorId: CyfirmaDigitalRiskAlertsConnector
customDetails:
  Impact: Impact
  AssetType: AssetType
  LastSeen: LastSeen
  RiskScore: RiskScore
  UID: UID
  Recommendation: Recommendation
  AssetValue: AssetValue
  FirstSeen: FirstSeen
  TimeGenerated: TimeGenerated
  Source: Source
  AlertUID: AlertUID
  Description: Description
id: b484f224-687f-4406-af8a-ff019f9f2c24
query: |
  // Medium severity - Social and Public Exposure - Exposure of PII/CII in Public Domain
  let timeFrame = 5m;
  CyfirmaSPEPIIAndCIIAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact=impact,
      Recommendation=recommendation,
      PostedDate=posted_date,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Source,
      Impact,
      Recommendation,
      PostedDate,
      ProductName,
      ProviderName,
      AlertTitle  
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity: Exposure of PII/CII in Public Domain - {{AlertTitle}} '
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
  alertDescriptionFormat: '{{Description}} '
queryPeriod: 5m
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: false
    lookbackDuration: PT5H
triggerOperator: gt
relevantTechniques:
- T1078
- T1003
- T1213
- T1537
description: |
  "This analytics rule detects high severity alerts from CYFIRMA indicating exposure of Personally Identifiable Information (PII) or Confidential Information (CII) in public or unsecured sources. 
  Such leaks may include email addresses, credentials, phone numbers, or other sensitive personal or organizational data. 
  These exposures can lead to identity theft, phishing, credential compromise, or regulatory non-compliance. 
  Investigate promptly and initiate remediation steps including user notifications and credential resets."