CYFIRMA - Data Breach and Web Monitoring - Dark Web Medium Rule

// Medium severity - Data Breach and Web Monitoring - Dark Web
let timeFrame = 5m;
CyfirmaDBWMDarkWebAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Impact=impact,
    Recommendation='',
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Impact,
    ProductName,
    ProviderName,
    AlertTitle

relevantTechniques:
- T1552.001
- T1555.003
- T1212
- T1119
- T1048
- T1486
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 1.0.1
id: c0afeda7-4832-49a6-8d03-a5d137d513b5
severity: Medium
kind: Scheduled
queryFrequency: 5m
description: |
  "Detects critical alerts from CYFIRMA related to sensitive data or credentials leaked on dark web forums. 
  These events often indicate unauthorized access or compromise of enterprise systems, cloud environments, or identity platforms. 
  Immediate investigation is required to assess breach scope and initiate mitigation, including credential resets, access reviews, and threat actor tracking."  
requiredDataConnectors:
- connectorId: CyfirmaDigitalRiskAlertsConnector
  dataTypes:
  - CyfirmaDBWMDarkWebAlerts_CL
triggerOperator: gt
name: CYFIRMA - Data Breach and Web Monitoring - Dark Web Medium Rule
tactics:
- CredentialAccess
- Collection
- Exfiltration
- Impact
alertDetailsOverride:
  alertDescriptionFormat: '{{Description}} '
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Alert: Critical Data Exposure of Enterprise SSO on Dark Web- {{AlertTitle}} '
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMDarkWebMediumRule.yaml
triggerThreshold: 0
queryPeriod: 5m
query: |
  // Medium severity - Data Breach and Web Monitoring - Dark Web
  let timeFrame = 5m;
  CyfirmaDBWMDarkWebAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Impact=impact,
      Recommendation='',
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Impact,
      ProductName,
      ProviderName,
      AlertTitle  
status: Available
customDetails:
  Impact: Impact
  AssetType: AssetType
  FirstSeen: FirstSeen
  RiskScore: RiskScore
  LastSeen: LastSeen
  AssetValue: AssetValue
  TimeGenerated: TimeGenerated
  AlertUID: AlertUID
  UID: UID
  Description: Description
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities