Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Social and Public Exposure - Exposure of PIICII in Public Domain Rule

Back
Idb484f224-687f-4406-af8a-ff019f9f2c24
RulenameCYFIRMA - Social and Public Exposure - Exposure of PII/CII in Public Domain Rule
Description“This analytics rule detects high severity alerts from CYFIRMA indicating exposure of Personally Identifiable Information (PII) or Confidential Information (CII) in public or unsecured sources.

Such leaks may include email addresses, credentials, phone numbers, or other sensitive personal or organizational data.

These exposures can lead to identity theft, phishing, credential compromise, or regulatory non-compliance.

Investigate promptly and initiate remediation steps including user notifications and credential resets.”
SeverityMedium
TacticsInitialAccess
Exfiltration
Collection
CredentialAccess
TechniquesT1078
T1003
T1213
T1537
Required data connectorsCyfirmaDigitalRiskAlertsConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPEExposureOfPIICIIMediumRule.yaml
Version1.0.0
Arm templateb484f224-687f-4406-af8a-ff019f9f2c24.json
Deploy To Azure
// Medium severity - Social and Public Exposure - Exposure of PII/CII in Public Domain
let timeFrame = 5m;
CyfirmaSPEPIIAndCIIAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Source=source,
    Impact=impact,
    Recommendation=recommendation,
    PostedDate=posted_date,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Source,
    Impact,
    Recommendation,
    PostedDate,
    ProductName,
    ProviderName,
    AlertTitle
tactics:
- InitialAccess
- Exfiltration
- Collection
- CredentialAccess
name: CYFIRMA - Social and Public Exposure - Exposure of PII/CII in Public Domain Rule
id: b484f224-687f-4406-af8a-ff019f9f2c24
requiredDataConnectors:
- connectorId: CyfirmaDigitalRiskAlertsConnector
  dataTypes:
  - CyfirmaSPEPIIAndCIIAlerts_CL
query: |
  // Medium severity - Social and Public Exposure - Exposure of PII/CII in Public Domain
  let timeFrame = 5m;
  CyfirmaSPEPIIAndCIIAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact=impact,
      Recommendation=recommendation,
      PostedDate=posted_date,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Source,
      Impact,
      Recommendation,
      PostedDate,
      ProductName,
      ProviderName,
      AlertTitle  
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1078
- T1003
- T1213
- T1537
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: 5h
    enabled: false
description: |
  "This analytics rule detects high severity alerts from CYFIRMA indicating exposure of Personally Identifiable Information (PII) or Confidential Information (CII) in public or unsecured sources. 
  Such leaks may include email addresses, credentials, phone numbers, or other sensitive personal or organizational data. 
  These exposures can lead to identity theft, phishing, credential compromise, or regulatory non-compliance. 
  Investigate promptly and initiate remediation steps including user notifications and credential resets."      
triggerOperator: gt
queryPeriod: 5m
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPEExposureOfPIICIIMediumRule.yaml
version: 1.0.0
alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity: Exposure of PII/CII in Public Domain - {{AlertTitle}} '
  alertDescriptionFormat: '{{Description}} '
triggerThreshold: 0
queryFrequency: 5m
kind: Scheduled
status: Available
customDetails:
  Source: Source
  Impact: Impact
  AssetType: AssetType
  AssetValue: AssetValue
  TimeGenerated: TimeGenerated
  Description: Description
  AlertUID: AlertUID
  Recommendation: Recommendation
  UID: UID
  LastSeen: LastSeen
  RiskScore: RiskScore
  FirstSeen: FirstSeen
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b484f224-687f-4406-af8a-ff019f9f2c24')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b484f224-687f-4406-af8a-ff019f9f2c24')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{Description}} ",
          "alertDisplayNameFormat": "CYFIRMA - Medium Severity: Exposure of PII/CII in Public Domain - {{AlertTitle}} ",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "b484f224-687f-4406-af8a-ff019f9f2c24",
        "customDetails": {
          "AlertUID": "AlertUID",
          "AssetType": "AssetType",
          "AssetValue": "AssetValue",
          "Description": "Description",
          "FirstSeen": "FirstSeen",
          "Impact": "Impact",
          "LastSeen": "LastSeen",
          "Recommendation": "Recommendation",
          "RiskScore": "RiskScore",
          "Source": "Source",
          "TimeGenerated": "TimeGenerated",
          "UID": "UID"
        },
        "description": "\"This analytics rule detects high severity alerts from CYFIRMA indicating exposure of Personally Identifiable Information (PII) or Confidential Information (CII) in public or unsecured sources. \nSuch leaks may include email addresses, credentials, phone numbers, or other sensitive personal or organizational data. \nThese exposures can lead to identity theft, phishing, credential compromise, or regulatory non-compliance. \nInvestigate promptly and initiate remediation steps including user notifications and credential resets.\"    \n",
        "displayName": "CYFIRMA - Social and Public Exposure - Exposure of PII/CII in Public Domain Rule",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPEExposureOfPIICIIMediumRule.yaml",
        "query": "// Medium severity - Social and Public Exposure - Exposure of PII/CII in Public Domain\nlet timeFrame = 5m;\nCyfirmaSPEPIIAndCIIAlerts_CL\n| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n    Description=description,\n    FirstSeen=first_seen,\n    LastSeen=last_seen,\n    RiskScore=risk_score,\n    AlertUID=alert_uid,\n    UID=uid,\n    AssetType=asset_type,\n    AssetValue=signature,\n    Source=source,\n    Impact=impact,\n    Recommendation=recommendation,\n    PostedDate=posted_date,\n    ProviderName='CYFIRMA',\n    ProductName='DeCYFIR/DeTCT',\n    AlertTitle=Alert_title\n| project\n    TimeGenerated,\n    Description,\n    RiskScore,\n    FirstSeen,\n    LastSeen,\n    AlertUID,\n    UID,\n    AssetType,\n    AssetValue,\n    Source,\n    Impact,\n    Recommendation,\n    PostedDate,\n    ProductName,\n    ProviderName,\n    AlertTitle\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "CredentialAccess",
          "Exfiltration",
          "InitialAccess"
        ],
        "techniques": [
          "T1003",
          "T1078",
          "T1213",
          "T1537"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}