CYFIRMA - Data Breach and Web Monitoring - Dark Web High Rule
| Id | c3f1f55b-7e54-4416-8afc-7d7876b29b0f |
| Rulename | CYFIRMA - Data Breach and Web Monitoring - Dark Web High Rule |
| Description | “Detects critical alerts from CYFIRMA related to sensitive data or credentials leaked on dark web forums. These events often indicate unauthorized access or compromise of enterprise systems, cloud environments, or identity platforms. Immediate investigation is required to assess breach scope and initiate mitigation, including credential resets, access reviews, and threat actor tracking.” |
| Severity | High |
| Tactics | CredentialAccess Collection Exfiltration Impact |
| Techniques | T1552.001 T1555.003 T1212 T1119 T1048 T1486 |
| Required data connectors | CyfirmaDigitalRiskAlertsConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMDarkWebHighRule.yaml |
| Version | 1.0.0 |
| Arm template | c3f1f55b-7e54-4416-8afc-7d7876b29b0f.json |
// High severity - Data Breach and Web Monitoring - Dark Web
let timeFrame = 5m;
CyfirmaDBWMDarkWebAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=signature,
Impact=impact,
Recommendation='',
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT',
AlertTitle=Alert_title
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Impact,
ProductName,
ProviderName,
AlertTitle
requiredDataConnectors:
- connectorId: CyfirmaDigitalRiskAlertsConnector
dataTypes:
- CyfirmaDBWMDarkWebAlerts_CL
tactics:
- CredentialAccess
- Collection
- Exfiltration
- Impact
eventGroupingSettings:
aggregationKind: AlertPerResult
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: false
lookbackDuration: 5h
matchingMethod: AllEntities
reopenClosedIncident: false
description: |
"Detects critical alerts from CYFIRMA related to sensitive data or credentials leaked on dark web forums.
These events often indicate unauthorized access or compromise of enterprise systems, cloud environments, or identity platforms.
Immediate investigation is required to assess breach scope and initiate mitigation, including credential resets, access reviews, and threat actor tracking."
query: |
// High severity - Data Breach and Web Monitoring - Dark Web
let timeFrame = 5m;
CyfirmaDBWMDarkWebAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=signature,
Impact=impact,
Recommendation='',
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT',
AlertTitle=Alert_title
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Impact,
ProductName,
ProviderName,
AlertTitle
id: c3f1f55b-7e54-4416-8afc-7d7876b29b0f
triggerOperator: gt
alertDetailsOverride:
alertDisplayNameFormat: 'CYFIRMA - High Severity Alert: Critical Data Exposure of Enterprise SSO on Dark Web - {{AlertTitle}} '
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
alertDescriptionFormat: '{{Description}} '
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMDarkWebHighRule.yaml
queryFrequency: 5m
severity: High
name: CYFIRMA - Data Breach and Web Monitoring - Dark Web High Rule
queryPeriod: 5m
relevantTechniques:
- T1552.001
- T1555.003
- T1212
- T1119
- T1048
- T1486
kind: Scheduled
triggerThreshold: 0
version: 1.0.0
customDetails:
FirstSeen: FirstSeen
AssetValue: AssetValue
Description: Description
TimeGenerated: TimeGenerated
UID: UID
AlertUID: AlertUID
Impact: Impact
RiskScore: RiskScore
LastSeen: LastSeen
AssetType: AssetType
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c3f1f55b-7e54-4416-8afc-7d7876b29b0f')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c3f1f55b-7e54-4416-8afc-7d7876b29b0f')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{Description}} ",
"alertDisplayNameFormat": "CYFIRMA - High Severity Alert: Critical Data Exposure of Enterprise SSO on Dark Web - {{AlertTitle}} ",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "c3f1f55b-7e54-4416-8afc-7d7876b29b0f",
"customDetails": {
"AlertUID": "AlertUID",
"AssetType": "AssetType",
"AssetValue": "AssetValue",
"Description": "Description",
"FirstSeen": "FirstSeen",
"Impact": "Impact",
"LastSeen": "LastSeen",
"RiskScore": "RiskScore",
"TimeGenerated": "TimeGenerated",
"UID": "UID"
},
"description": "\"Detects critical alerts from CYFIRMA related to sensitive data or credentials leaked on dark web forums. \nThese events often indicate unauthorized access or compromise of enterprise systems, cloud environments, or identity platforms. \nImmediate investigation is required to assess breach scope and initiate mitigation, including credential resets, access reviews, and threat actor tracking.\"\n",
"displayName": "CYFIRMA - Data Breach and Web Monitoring - Dark Web High Rule",
"enabled": true,
"entityMappings": null,
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMDarkWebHighRule.yaml",
"query": "// High severity - Data Breach and Web Monitoring - Dark Web\nlet timeFrame = 5m;\nCyfirmaDBWMDarkWebAlerts_CL\n| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n Description=description,\n FirstSeen=first_seen,\n LastSeen=last_seen,\n RiskScore=risk_score,\n AlertUID=alert_uid,\n UID=uid,\n AssetType=asset_type,\n AssetValue=signature,\n Impact=impact,\n Recommendation='',\n ProviderName='CYFIRMA',\n ProductName='DeCYFIR/DeTCT',\n AlertTitle=Alert_title\n| project\n TimeGenerated,\n Description,\n RiskScore,\n FirstSeen,\n LastSeen,\n AlertUID,\n UID,\n AssetType,\n AssetValue,\n Impact,\n ProductName,\n ProviderName,\n AlertTitle\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [
"T1552.001",
"T1555.003"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Collection",
"CredentialAccess",
"Exfiltration",
"Impact"
],
"techniques": [
"T1048",
"T1119",
"T1212",
"T1486",
"T1552",
"T1555"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}