CYFIRMA - Data Breach and Web Monitoring - Ransomware Exposure Detected Rule

// Medium severity - Data Breach and Web Monitoring - Ransomware Exposure Detected
let timeFrame = 5m;
CyfirmaDBWMRansomwareAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Source=source,
    Impact=impact,
    Recommendation='',
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title,
    ThreatActors= threat_actors
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Source,
    Impact,
    Recommendation,
    ProductName,
    ProviderName,
    AlertTitle,
    ThreatActors

name: CYFIRMA - Data Breach and Web Monitoring - Ransomware Exposure Detected Rule
alertDetailsOverride:
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Alert: Ransomware Exposure Detected - {{AlertTitle}} '
  alertDescriptionFormat: '{{Description}} '
version: 1.0.1
triggerThreshold: 0
id: d5f9a6fe-7fd2-488c-8690-0ca24fba43dc
triggerOperator: gt
query: |
  // Medium severity - Data Breach and Web Monitoring - Ransomware Exposure Detected
  let timeFrame = 5m;
  CyfirmaDBWMRansomwareAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact=impact,
      Recommendation='',
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title,
      ThreatActors= threat_actors
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Source,
      Impact,
      Recommendation,
      ProductName,
      ProviderName,
      AlertTitle,
      ThreatActors  
description: |
  "This analytics rule detects high-severity ransomware threats targeting the organization, as reported by CYFIRMA's Dark Web and Data Breach Intelligence feeds. 
  The alert is generated when threat actors post, claim, or associate ransomware activity with corporate domains, brands, or subsidiaries, indicating a potential data breach, extortion attempt, or unauthorized access."  
kind: Scheduled
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMRansomwareExposureDetectedMediumRule.yaml
severity: Medium
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: false
queryPeriod: 5m
requiredDataConnectors:
- dataTypes:
  - CyfirmaDBWMRansomwareAlerts_CL
  connectorId: CyfirmaDigitalRiskAlertsConnector
status: Available
customDetails:
  Impact: Impact
  AssetValue: AssetValue
  UID: UID
  LastSeen: LastSeen
  AlertUID: AlertUID
  FirstSeen: FirstSeen
  RiskScore: RiskScore
  Description: Description
  Source: Source
  TimeGenerated: TimeGenerated
  AssetType: AssetType
  Recommendation: Recommendation
  ThreatActors: ThreatActors
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1566.001
- T1566.002
- T1566.003
tactics:
- InitialAccess
- Exfiltration