Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

SpyCloud Enterprise Breach Detection

Back
Idcb410ad5-6e9d-4278-b963-1e3af205d680
RulenameSpyCloud Enterprise Breach Detection
DescriptionThis alert creates an incident when an malware record is detected in the SpyCloud watchlist data
SeverityHigh
TacticsCredentialAccess
TechniquesT1555
KindScheduled
Query frequency12h
Query period12h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SpyCloud Enterprise Protection/Analytic Rules/SpyCloudEnterpriseProtectionBreachRule.yaml
Version1.0.1
Arm templatecb410ad5-6e9d-4278-b963-1e3af205d680.json
Deploy To Azure
SpyCloudBreachDataWatchlist_CL
| where Severity_s == '20'
| project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, IP_Address_s
tactics:
- CredentialAccess
name: SpyCloud Enterprise Breach Detection
id: cb410ad5-6e9d-4278-b963-1e3af205d680
requiredDataConnectors: []
query: |
  SpyCloudBreachDataWatchlist_CL
  | where Severity_s == '20'
  | project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, IP_Address_s  
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1555
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: 12h
    enabled: true
description: |
    'This alert creates an incident when an malware record is detected in the SpyCloud watchlist data'
triggerOperator: gt
queryPeriod: 12h
sentinelEntitiesMappings: 
suppressionDuration: 5h
severity: High
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: Email_s
  entityType: Account
- fieldMappings:
  - identifier: Name
    columnName: Username_s
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: IP_Address_s
  entityType: IP
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SpyCloud Enterprise Protection/Analytic Rules/SpyCloudEnterpriseProtectionBreachRule.yaml
version: 1.0.1
alertDetailsOverride: 
triggerThreshold: 0
kind: Scheduled
queryFrequency: 12h
status: Available
customDetails:
  Source_Id: Source_Id_s
  Domain: Domain_s
  Document_Id: Document_Id_g
  Password_Plaintext: Password_Plaintext_s
  PublishDate: SpyCloud_Publish_Date_t
  Password: Password_s
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cb410ad5-6e9d-4278-b963-1e3af205d680')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cb410ad5-6e9d-4278-b963-1e3af205d680')]",
      "properties": {
        "alertDetailsOverride": null,
        "alertRuleTemplateName": "cb410ad5-6e9d-4278-b963-1e3af205d680",
        "customDetails": {
          "Document_Id": "Document_Id_g",
          "Domain": "Domain_s",
          "Password": "Password_s",
          "Password_Plaintext": "Password_Plaintext_s",
          "PublishDate": "SpyCloud_Publish_Date_t",
          "Source_Id": "Source_Id_s"
        },
        "description": "'This alert creates an incident when an malware record is detected in the SpyCloud watchlist data'\n",
        "displayName": "SpyCloud Enterprise Breach Detection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Email_s",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Username_s",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IP_Address_s",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "PT12H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SpyCloud Enterprise Protection/Analytic Rules/SpyCloudEnterpriseProtectionBreachRule.yaml",
        "query": "SpyCloudBreachDataWatchlist_CL\n| where Severity_s == '20'\n| project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, IP_Address_s\n",
        "queryFrequency": "PT12H",
        "queryPeriod": "PT12H",
        "sentinelEntitiesMappings": null,
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1555"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}