Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Data Breach and Web Monitoring - Dark Web High Rule

Back
Idc3f1f55b-7e54-4416-8afc-7d7876b29b0f
RulenameCYFIRMA - Data Breach and Web Monitoring - Dark Web High Rule
Description“Detects critical alerts from CYFIRMA related to sensitive data or credentials leaked on dark web forums.

These events often indicate unauthorized access or compromise of enterprise systems, cloud environments, or identity platforms.

Immediate investigation is required to assess breach scope and initiate mitigation, including credential resets, access reviews, and threat actor tracking.”
SeverityHigh
TacticsCredentialAccess
Collection
Exfiltration
Impact
TechniquesT1552.001
T1555.003
T1212
T1119
T1048
T1486
Required data connectorsCyfirmaDigitalRiskAlertsConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMDarkWebHighRule.yaml
Version1.0.0
Arm templatec3f1f55b-7e54-4416-8afc-7d7876b29b0f.json
Deploy To Azure
// High severity - Data Breach and Web Monitoring - Dark Web
let timeFrame = 5m;
CyfirmaDBWMDarkWebAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Impact=impact,
    Recommendation='',
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Impact,
    ProductName,
    ProviderName,
    AlertTitle
tactics:
- CredentialAccess
- Collection
- Exfiltration
- Impact
name: CYFIRMA - Data Breach and Web Monitoring - Dark Web High Rule
id: c3f1f55b-7e54-4416-8afc-7d7876b29b0f
requiredDataConnectors:
- connectorId: CyfirmaDigitalRiskAlertsConnector
  dataTypes:
  - CyfirmaDBWMDarkWebAlerts_CL
query: |
  // High severity - Data Breach and Web Monitoring - Dark Web
  let timeFrame = 5m;
  CyfirmaDBWMDarkWebAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Impact=impact,
      Recommendation='',
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Impact,
      ProductName,
      ProviderName,
      AlertTitle  
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1552.001
- T1555.003
- T1212
- T1119
- T1048
- T1486
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: 5h
    enabled: false
description: |
  "Detects critical alerts from CYFIRMA related to sensitive data or credentials leaked on dark web forums. 
  These events often indicate unauthorized access or compromise of enterprise systems, cloud environments, or identity platforms. 
  Immediate investigation is required to assess breach scope and initiate mitigation, including credential resets, access reviews, and threat actor tracking."  
triggerOperator: gt
queryPeriod: 5m
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMDarkWebHighRule.yaml
version: 1.0.0
alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDisplayNameFormat: 'CYFIRMA - High Severity Alert: Critical Data Exposure of Enterprise SSO on Dark Web - {{AlertTitle}} '
  alertDescriptionFormat: '{{Description}} '
triggerThreshold: 0
queryFrequency: 5m
kind: Scheduled
status: Available
customDetails:
  RiskScore: RiskScore
  AssetType: AssetType
  FirstSeen: FirstSeen
  Impact: Impact
  TimeGenerated: TimeGenerated
  AssetValue: AssetValue
  Description: Description
  LastSeen: LastSeen
  AlertUID: AlertUID
  UID: UID
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c3f1f55b-7e54-4416-8afc-7d7876b29b0f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c3f1f55b-7e54-4416-8afc-7d7876b29b0f')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{Description}} ",
          "alertDisplayNameFormat": "CYFIRMA - High Severity Alert: Critical Data Exposure of Enterprise SSO on Dark Web - {{AlertTitle}} ",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "c3f1f55b-7e54-4416-8afc-7d7876b29b0f",
        "customDetails": {
          "AlertUID": "AlertUID",
          "AssetType": "AssetType",
          "AssetValue": "AssetValue",
          "Description": "Description",
          "FirstSeen": "FirstSeen",
          "Impact": "Impact",
          "LastSeen": "LastSeen",
          "RiskScore": "RiskScore",
          "TimeGenerated": "TimeGenerated",
          "UID": "UID"
        },
        "description": "\"Detects critical alerts from CYFIRMA related to sensitive data or credentials leaked on dark web forums. \nThese events often indicate unauthorized access or compromise of enterprise systems, cloud environments, or identity platforms. \nImmediate investigation is required to assess breach scope and initiate mitigation, including credential resets, access reviews, and threat actor tracking.\"\n",
        "displayName": "CYFIRMA - Data Breach and Web Monitoring - Dark Web High Rule",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMDarkWebHighRule.yaml",
        "query": "// High severity - Data Breach and Web Monitoring - Dark Web\nlet timeFrame = 5m;\nCyfirmaDBWMDarkWebAlerts_CL\n| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n    Description=description,\n    FirstSeen=first_seen,\n    LastSeen=last_seen,\n    RiskScore=risk_score,\n    AlertUID=alert_uid,\n    UID=uid,\n    AssetType=asset_type,\n    AssetValue=signature,\n    Impact=impact,\n    Recommendation='',\n    ProviderName='CYFIRMA',\n    ProductName='DeCYFIR/DeTCT',\n    AlertTitle=Alert_title\n| project\n    TimeGenerated,\n    Description,\n    RiskScore,\n    FirstSeen,\n    LastSeen,\n    AlertUID,\n    UID,\n    AssetType,\n    AssetValue,\n    Impact,\n    ProductName,\n    ProviderName,\n    AlertTitle\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [
          "T1552.001",
          "T1555.003"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "CredentialAccess",
          "Exfiltration",
          "Impact"
        ],
        "techniques": [
          "T1048",
          "T1119",
          "T1212",
          "T1486",
          "T1552",
          "T1555"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}