CYFIRMA - Data Breach and Web Monitoring - Dark Web Medium Rule

// Medium severity - Data Breach and Web Monitoring - Dark Web
let timeFrame = 5m;
CyfirmaDBWMDarkWebAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Impact=impact,
    Recommendation='',
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Impact,
    ProductName,
    ProviderName,
    AlertTitle

name: CYFIRMA - Data Breach and Web Monitoring - Dark Web Medium Rule
queryPeriod: 5m
triggerOperator: gt
kind: Scheduled
id: c0afeda7-4832-49a6-8d03-a5d137d513b5
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
  createIncident: true
description: |
  "Detects critical alerts from CYFIRMA related to sensitive data or credentials leaked on dark web forums. 
  These events often indicate unauthorized access or compromise of enterprise systems, cloud environments, or identity platforms. 
  Immediate investigation is required to assess breach scope and initiate mitigation, including credential resets, access reviews, and threat actor tracking."  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMDarkWebMediumRule.yaml
triggerThreshold: 0
queryFrequency: 5m
requiredDataConnectors:
- dataTypes:
  - CyfirmaDBWMDarkWebAlerts_CL
  connectorId: CyfirmaDigitalRiskAlertsConnector
severity: Medium
version: 1.0.1
tactics:
- CredentialAccess
- Collection
- Exfiltration
- Impact
customDetails:
  UID: UID
  AssetValue: AssetValue
  LastSeen: LastSeen
  TimeGenerated: TimeGenerated
  RiskScore: RiskScore
  Impact: Impact
  FirstSeen: FirstSeen
  Description: Description
  AssetType: AssetType
  AlertUID: AlertUID
status: Available
query: |
  // Medium severity - Data Breach and Web Monitoring - Dark Web
  let timeFrame = 5m;
  CyfirmaDBWMDarkWebAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Impact=impact,
      Recommendation='',
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Impact,
      ProductName,
      ProviderName,
      AlertTitle  
alertDetailsOverride:
  alertDescriptionFormat: '{{Description}} '
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Alert: Critical Data Exposure of Enterprise SSO on Dark Web- {{AlertTitle}} '
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
relevantTechniques:
- T1552.001
- T1555.003
- T1212
- T1119
- T1048
- T1486