CYFIRMA - Data Breach and Web Monitoring - Ransomware Exposure Detected Rule

// Medium severity - Data Breach and Web Monitoring - Ransomware Exposure Detected
let timeFrame = 5m;
CyfirmaDBWMRansomwareAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Source=source,
    Impact=impact,
    Recommendation='',
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title,
    ThreatActors= threat_actors
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Source,
    Impact,
    Recommendation,
    ProductName,
    ProviderName,
    AlertTitle,
    ThreatActors

query: |
  // Medium severity - Data Breach and Web Monitoring - Ransomware Exposure Detected
  let timeFrame = 5m;
  CyfirmaDBWMRansomwareAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact=impact,
      Recommendation='',
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title,
      ThreatActors= threat_actors
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Source,
      Impact,
      Recommendation,
      ProductName,
      ProviderName,
      AlertTitle,
      ThreatActors  
status: Available
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMRansomwareExposureDetectedMediumRule.yaml
requiredDataConnectors:
- dataTypes:
  - CyfirmaDBWMRansomwareAlerts_CL
  connectorId: CyfirmaDigitalRiskAlertsConnector
alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Alert: Ransomware Exposure Detected - {{AlertTitle}} '
  alertDescriptionFormat: '{{Description}} '
id: d5f9a6fe-7fd2-488c-8690-0ca24fba43dc
tactics:
- InitialAccess
- Exfiltration
queryPeriod: 5m
queryFrequency: 5m
customDetails:
  RiskScore: RiskScore
  UID: UID
  AssetValue: AssetValue
  Source: Source
  TimeGenerated: TimeGenerated
  AlertUID: AlertUID
  LastSeen: LastSeen
  AssetType: AssetType
  Impact: Impact
  ThreatActors: ThreatActors
  FirstSeen: FirstSeen
  Recommendation: Recommendation
  Description: Description
triggerOperator: gt
triggerThreshold: 0
severity: Medium
relevantTechniques:
- T1566.001
- T1566.002
- T1566.003
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
kind: Scheduled
name: CYFIRMA - Data Breach and Web Monitoring - Ransomware Exposure Detected Rule
description: |
  "This analytics rule detects high-severity ransomware threats targeting the organization, as reported by CYFIRMA's Dark Web and Data Breach Intelligence feeds. 
  The alert is generated when threat actors post, claim, or associate ransomware activity with corporate domains, brands, or subsidiaries, indicating a potential data breach, extortion attempt, or unauthorized access."