Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Data Breach and Web Monitoring - Dark Web Medium Rule

Back
Idc0afeda7-4832-49a6-8d03-a5d137d513b5
RulenameCYFIRMA - Data Breach and Web Monitoring - Dark Web Medium Rule
Description“Detects critical alerts from CYFIRMA related to sensitive data or credentials leaked on dark web forums.

These events often indicate unauthorized access or compromise of enterprise systems, cloud environments, or identity platforms.

Immediate investigation is required to assess breach scope and initiate mitigation, including credential resets, access reviews, and threat actor tracking.”
SeverityMedium
TacticsCredentialAccess
Collection
Exfiltration
Impact
TechniquesT1552.001
T1555.003
T1212
T1119
T1048
T1486
Required data connectorsCyfirmaDigitalRiskAlertsConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMDarkWebMediumRule.yaml
Version1.0.0
Arm templatec0afeda7-4832-49a6-8d03-a5d137d513b5.json
Deploy To Azure
// Medium severity - Data Breach and Web Monitoring - Dark Web
let timeFrame = 5m;
CyfirmaDBWMDarkWebAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Impact=impact,
    Recommendation='',
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Impact,
    ProductName,
    ProviderName,
    AlertTitle
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMDarkWebMediumRule.yaml
triggerThreshold: 0
severity: Medium
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 5h
    enabled: false
    matchingMethod: AllEntities
    reopenClosedIncident: false
queryFrequency: 5m
status: Available
customDetails:
  TimeGenerated: TimeGenerated
  LastSeen: LastSeen
  FirstSeen: FirstSeen
  Description: Description
  AlertUID: AlertUID
  AssetType: AssetType
  Impact: Impact
  AssetValue: AssetValue
  UID: UID
  RiskScore: RiskScore
relevantTechniques:
- T1552.001
- T1555.003
- T1212
- T1119
- T1048
- T1486
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Alert: Critical Data Exposure of Enterprise SSO on Dark Web- {{AlertTitle}} '
  alertDescriptionFormat: '{{Description}} '
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
triggerOperator: gt
id: c0afeda7-4832-49a6-8d03-a5d137d513b5
requiredDataConnectors:
- connectorId: CyfirmaDigitalRiskAlertsConnector
  dataTypes:
  - CyfirmaDBWMDarkWebAlerts_CL
version: 1.0.0
name: CYFIRMA - Data Breach and Web Monitoring - Dark Web Medium Rule
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: |
  "Detects critical alerts from CYFIRMA related to sensitive data or credentials leaked on dark web forums. 
  These events often indicate unauthorized access or compromise of enterprise systems, cloud environments, or identity platforms. 
  Immediate investigation is required to assess breach scope and initiate mitigation, including credential resets, access reviews, and threat actor tracking."  
query: |
  // Medium severity - Data Breach and Web Monitoring - Dark Web
  let timeFrame = 5m;
  CyfirmaDBWMDarkWebAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Impact=impact,
      Recommendation='',
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Impact,
      ProductName,
      ProviderName,
      AlertTitle  
tactics:
- CredentialAccess
- Collection
- Exfiltration
- Impact
queryPeriod: 5m
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c0afeda7-4832-49a6-8d03-a5d137d513b5')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c0afeda7-4832-49a6-8d03-a5d137d513b5')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{Description}} ",
          "alertDisplayNameFormat": "CYFIRMA - Medium Severity Alert: Critical Data Exposure of Enterprise SSO on Dark Web- {{AlertTitle}} ",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "c0afeda7-4832-49a6-8d03-a5d137d513b5",
        "customDetails": {
          "AlertUID": "AlertUID",
          "AssetType": "AssetType",
          "AssetValue": "AssetValue",
          "Description": "Description",
          "FirstSeen": "FirstSeen",
          "Impact": "Impact",
          "LastSeen": "LastSeen",
          "RiskScore": "RiskScore",
          "TimeGenerated": "TimeGenerated",
          "UID": "UID"
        },
        "description": "\"Detects critical alerts from CYFIRMA related to sensitive data or credentials leaked on dark web forums. \nThese events often indicate unauthorized access or compromise of enterprise systems, cloud environments, or identity platforms. \nImmediate investigation is required to assess breach scope and initiate mitigation, including credential resets, access reviews, and threat actor tracking.\"\n",
        "displayName": "CYFIRMA - Data Breach and Web Monitoring - Dark Web Medium Rule",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMDarkWebMediumRule.yaml",
        "query": "// Medium severity - Data Breach and Web Monitoring - Dark Web\nlet timeFrame = 5m;\nCyfirmaDBWMDarkWebAlerts_CL\n| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n    Description=description,\n    FirstSeen=first_seen,\n    LastSeen=last_seen,\n    RiskScore=risk_score,\n    AlertUID=alert_uid,\n    UID=uid,\n    AssetType=asset_type,\n    AssetValue=signature,\n    Impact=impact,\n    Recommendation='',\n    ProviderName='CYFIRMA',\n    ProductName='DeCYFIR/DeTCT',\n    AlertTitle=Alert_title\n| project\n    TimeGenerated,\n    Description,\n    RiskScore,\n    FirstSeen,\n    LastSeen,\n    AlertUID,\n    UID,\n    AssetType,\n    AssetValue,\n    Impact,\n    ProductName,\n    ProviderName,\n    AlertTitle\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [
          "T1552.001",
          "T1555.003"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "CredentialAccess",
          "Exfiltration",
          "Impact"
        ],
        "techniques": [
          "T1048",
          "T1119",
          "T1212",
          "T1486",
          "T1552",
          "T1555"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}