CYFIRMA - Data Breach and Web Monitoring - Dark Web High Rule
| Id | c3f1f55b-7e54-4416-8afc-7d7876b29b0f |
| Rulename | CYFIRMA - Data Breach and Web Monitoring - Dark Web High Rule |
| Description | “Detects critical alerts from CYFIRMA related to sensitive data or credentials leaked on dark web forums. These events often indicate unauthorized access or compromise of enterprise systems, cloud environments, or identity platforms. Immediate investigation is required to assess breach scope and initiate mitigation, including credential resets, access reviews, and threat actor tracking.” |
| Severity | High |
| Tactics | CredentialAccess Collection Exfiltration Impact |
| Techniques | T1552.001 T1555.003 T1212 T1119 T1048 T1486 |
| Required data connectors | CyfirmaDigitalRiskAlertsConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMDarkWebHighRule.yaml |
| Version | 1.0.0 |
| Arm template | c3f1f55b-7e54-4416-8afc-7d7876b29b0f.json |
// High severity - Data Breach and Web Monitoring - Dark Web
let timeFrame = 5m;
CyfirmaDBWMDarkWebAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=signature,
Impact=impact,
Recommendation='',
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT',
AlertTitle=Alert_title
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Impact,
ProductName,
ProviderName,
AlertTitle
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMDarkWebHighRule.yaml
triggerThreshold: 0
severity: High
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: 5h
enabled: false
matchingMethod: AllEntities
reopenClosedIncident: false
queryFrequency: 5m
status: Available
customDetails:
TimeGenerated: TimeGenerated
LastSeen: LastSeen
FirstSeen: FirstSeen
Description: Description
AlertUID: AlertUID
AssetType: AssetType
Impact: Impact
AssetValue: AssetValue
UID: UID
RiskScore: RiskScore
relevantTechniques:
- T1552.001
- T1555.003
- T1212
- T1119
- T1048
- T1486
alertDetailsOverride:
alertDisplayNameFormat: 'CYFIRMA - High Severity Alert: Critical Data Exposure of Enterprise SSO on Dark Web - {{AlertTitle}} '
alertDescriptionFormat: '{{Description}} '
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
triggerOperator: gt
id: c3f1f55b-7e54-4416-8afc-7d7876b29b0f
requiredDataConnectors:
- connectorId: CyfirmaDigitalRiskAlertsConnector
dataTypes:
- CyfirmaDBWMDarkWebAlerts_CL
version: 1.0.0
name: CYFIRMA - Data Breach and Web Monitoring - Dark Web High Rule
eventGroupingSettings:
aggregationKind: AlertPerResult
description: |
"Detects critical alerts from CYFIRMA related to sensitive data or credentials leaked on dark web forums.
These events often indicate unauthorized access or compromise of enterprise systems, cloud environments, or identity platforms.
Immediate investigation is required to assess breach scope and initiate mitigation, including credential resets, access reviews, and threat actor tracking."
query: |
// High severity - Data Breach and Web Monitoring - Dark Web
let timeFrame = 5m;
CyfirmaDBWMDarkWebAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=signature,
Impact=impact,
Recommendation='',
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT',
AlertTitle=Alert_title
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Impact,
ProductName,
ProviderName,
AlertTitle
tactics:
- CredentialAccess
- Collection
- Exfiltration
- Impact
queryPeriod: 5m
kind: Scheduled
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c3f1f55b-7e54-4416-8afc-7d7876b29b0f')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c3f1f55b-7e54-4416-8afc-7d7876b29b0f')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{Description}} ",
"alertDisplayNameFormat": "CYFIRMA - High Severity Alert: Critical Data Exposure of Enterprise SSO on Dark Web - {{AlertTitle}} ",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "c3f1f55b-7e54-4416-8afc-7d7876b29b0f",
"customDetails": {
"AlertUID": "AlertUID",
"AssetType": "AssetType",
"AssetValue": "AssetValue",
"Description": "Description",
"FirstSeen": "FirstSeen",
"Impact": "Impact",
"LastSeen": "LastSeen",
"RiskScore": "RiskScore",
"TimeGenerated": "TimeGenerated",
"UID": "UID"
},
"description": "\"Detects critical alerts from CYFIRMA related to sensitive data or credentials leaked on dark web forums. \nThese events often indicate unauthorized access or compromise of enterprise systems, cloud environments, or identity platforms. \nImmediate investigation is required to assess breach scope and initiate mitigation, including credential resets, access reviews, and threat actor tracking.\"\n",
"displayName": "CYFIRMA - Data Breach and Web Monitoring - Dark Web High Rule",
"enabled": true,
"entityMappings": null,
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMDarkWebHighRule.yaml",
"query": "// High severity - Data Breach and Web Monitoring - Dark Web\nlet timeFrame = 5m;\nCyfirmaDBWMDarkWebAlerts_CL\n| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n Description=description,\n FirstSeen=first_seen,\n LastSeen=last_seen,\n RiskScore=risk_score,\n AlertUID=alert_uid,\n UID=uid,\n AssetType=asset_type,\n AssetValue=signature,\n Impact=impact,\n Recommendation='',\n ProviderName='CYFIRMA',\n ProductName='DeCYFIR/DeTCT',\n AlertTitle=Alert_title\n| project\n TimeGenerated,\n Description,\n RiskScore,\n FirstSeen,\n LastSeen,\n AlertUID,\n UID,\n AssetType,\n AssetValue,\n Impact,\n ProductName,\n ProviderName,\n AlertTitle\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [
"T1552.001",
"T1555.003"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Collection",
"CredentialAccess",
"Exfiltration",
"Impact"
],
"techniques": [
"T1048",
"T1119",
"T1212",
"T1486",
"T1552",
"T1555"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}