SpyCloud Enterprise Breach Detection

Back


Id	cb410ad5-6e9d-4278-b963-1e3af205d680
Rulename	SpyCloud Enterprise Breach Detection
Description	This alert creates an incident when an malware record is detected in the SpyCloud watchlist data
Severity	High
Tactics	CredentialAccess
Techniques	T1555
Kind	Scheduled
Query frequency	12h
Query period	12h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SpyCloud Enterprise Protection/Analytic Rules/SpyCloudEnterpriseProtectionBreachRule.yaml
Version	1.0.1
Arm template	cb410ad5-6e9d-4278-b963-1e3af205d680.json

KQL

SpyCloudBreachDataWatchlist_CL
| where Severity_s == '20'
| project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, IP_Address_s

YAML

name: SpyCloud Enterprise Breach Detection
eventGroupingSettings:
  aggregationKind: AlertPerResult
kind: Scheduled
alertDetailsOverride: 
id: cb410ad5-6e9d-4278-b963-1e3af205d680
requiredDataConnectors: []
severity: High
triggerThreshold: 0
version: 1.0.1
description: |
    'This alert creates an incident when an malware record is detected in the SpyCloud watchlist data'
sentinelEntitiesMappings: 
relevantTechniques:
- T1555
suppressionDuration: 5h
queryPeriod: 12h
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: 12h
tactics:
- CredentialAccess
customDetails:
  PublishDate: SpyCloud_Publish_Date_t
  Source_Id: Source_Id_s
  Password_Plaintext: Password_Plaintext_s
  Document_Id: Document_Id_g
  Domain: Domain_s
  Password: Password_s
queryFrequency: 12h
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: Email_s
  entityType: Account
- fieldMappings:
  - identifier: Name
    columnName: Username_s
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: IP_Address_s
  entityType: IP
status: Available
triggerOperator: gt
query: |
  SpyCloudBreachDataWatchlist_CL
  | where Severity_s == '20'
  | project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, IP_Address_s  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SpyCloud Enterprise Protection/Analytic Rules/SpyCloudEnterpriseProtectionBreachRule.yaml

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cb410ad5-6e9d-4278-b963-1e3af205d680')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cb410ad5-6e9d-4278-b963-1e3af205d680')]",
      "properties": {
        "alertDetailsOverride": null,
        "alertRuleTemplateName": "cb410ad5-6e9d-4278-b963-1e3af205d680",
        "customDetails": {
          "Document_Id": "Document_Id_g",
          "Domain": "Domain_s",
          "Password": "Password_s",
          "Password_Plaintext": "Password_Plaintext_s",
          "PublishDate": "SpyCloud_Publish_Date_t",
          "Source_Id": "Source_Id_s"
        },
        "description": "'This alert creates an incident when an malware record is detected in the SpyCloud watchlist data'\n",
        "displayName": "SpyCloud Enterprise Breach Detection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Email_s",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Username_s",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IP_Address_s",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "PT12H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SpyCloud Enterprise Protection/Analytic Rules/SpyCloudEnterpriseProtectionBreachRule.yaml",
        "query": "SpyCloudBreachDataWatchlist_CL\n| where Severity_s == '20'\n| project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, IP_Address_s\n",
        "queryFrequency": "PT12H",
        "queryPeriod": "PT12H",
        "sentinelEntitiesMappings": null,
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1555"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}