SpyCloud Enterprise Breach Detection

SpyCloudBreachDataWatchlist_CL
| where Severity_s == '20'
| project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, IP_Address_s

status: Available
queryFrequency: 12h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SpyCloud Enterprise Protection/Analytic Rules/SpyCloudEnterpriseProtectionBreachRule.yaml
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: 12h
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: true
  createIncident: true
description: |
    'This alert creates an incident when an malware record is detected in the SpyCloud watchlist data'
triggerOperator: gt
sentinelEntitiesMappings: 
customDetails:
  Password_Plaintext: Password_Plaintext_s
  Domain: Domain_s
  PublishDate: SpyCloud_Publish_Date_t
  Source_Id: Source_Id_s
  Document_Id: Document_Id_g
  Password: Password_s
tactics:
- CredentialAccess
alertDetailsOverride: 
queryPeriod: 12h
triggerThreshold: 0
id: cb410ad5-6e9d-4278-b963-1e3af205d680
severity: High
requiredDataConnectors: []
version: 1.0.1
query: |
  SpyCloudBreachDataWatchlist_CL
  | where Severity_s == '20'
  | project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, IP_Address_s  
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: Email_s
  entityType: Account
- fieldMappings:
  - identifier: Name
    columnName: Username_s
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: IP_Address_s
  entityType: IP
name: SpyCloud Enterprise Breach Detection
suppressionDuration: 5h
relevantTechniques:
- T1555
kind: Scheduled