CYFIRMA - Data Breach and Web Monitoring - Dark Web High Rule

// High severity - Data Breach and Web Monitoring - Dark Web
let timeFrame = 5m;
CyfirmaDBWMDarkWebAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Impact=impact,
    Recommendation='',
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Impact,
    ProductName,
    ProviderName,
    AlertTitle

eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - CyfirmaDBWMDarkWebAlerts_CL
  connectorId: CyfirmaDigitalRiskAlertsConnector
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMDarkWebHighRule.yaml
customDetails:
  LastSeen: LastSeen
  RiskScore: RiskScore
  Impact: Impact
  AssetValue: AssetValue
  AssetType: AssetType
  UID: UID
  AlertUID: AlertUID
  Description: Description
  FirstSeen: FirstSeen
  TimeGenerated: TimeGenerated
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
name: CYFIRMA - Data Breach and Web Monitoring - Dark Web High Rule
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - High Severity Alert: Critical Data Exposure of Enterprise SSO on Dark Web - {{AlertTitle}} '
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
  alertDescriptionFormat: '{{Description}} '
relevantTechniques:
- T1552.001
- T1555.003
- T1212
- T1119
- T1048
- T1486
status: Available
version: 1.0.1
queryPeriod: 5m
kind: Scheduled
id: c3f1f55b-7e54-4416-8afc-7d7876b29b0f
query: |
  // High severity - Data Breach and Web Monitoring - Dark Web
  let timeFrame = 5m;
  CyfirmaDBWMDarkWebAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Impact=impact,
      Recommendation='',
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Impact,
      ProductName,
      ProviderName,
      AlertTitle  
description: |
  "Detects critical alerts from CYFIRMA related to sensitive data or credentials leaked on dark web forums. 
  These events often indicate unauthorized access or compromise of enterprise systems, cloud environments, or identity platforms. 
  Immediate investigation is required to assess breach scope and initiate mitigation, including credential resets, access reviews, and threat actor tracking."  
queryFrequency: 5m
severity: High
triggerOperator: gt
tactics:
- CredentialAccess
- Collection
- Exfiltration
- Impact