SpyCloudBreachDataWatchlist_CL
| where Severity_s == '20'
| project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, IP_Address_s
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SpyCloud Enterprise Protection/Analytic Rules/SpyCloudEnterpriseProtectionBreachRule.yaml
version: 1.0.1
suppressionDuration: 5h
queryPeriod: 12h
query: |
SpyCloudBreachDataWatchlist_CL
| where Severity_s == '20'
| project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, IP_Address_s
kind: Scheduled
name: SpyCloud Enterprise Breach Detection
triggerOperator: gt
severity: High
eventGroupingSettings:
aggregationKind: AlertPerResult
id: cb410ad5-6e9d-4278-b963-1e3af205d680
triggerThreshold: 0
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: Email_s
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Username_s
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IP_Address_s
sentinelEntitiesMappings:
queryFrequency: 12h
alertDetailsOverride:
description: |
'This alert creates an incident when an malware record is detected in the SpyCloud watchlist data'
requiredDataConnectors: []
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
lookbackDuration: 12h
reopenClosedIncident: false
matchingMethod: AllEntities
customDetails:
Source_Id: Source_Id_s
Password: Password_s
Domain: Domain_s
PublishDate: SpyCloud_Publish_Date_t
Document_Id: Document_Id_g
Password_Plaintext: Password_Plaintext_s
relevantTechniques:
- T1555
tactics:
- CredentialAccess
