CYFIRMA - Data Breach and Web Monitoring - Ransomware Exposure Detected Rule
| Id | ed1aabc1-e1c1-42f4-abac-fd5637730f13 |
| Rulename | CYFIRMA - Data Breach and Web Monitoring - Ransomware Exposure Detected Rule |
| Description | “This analytics rule detects high-severity ransomware threats targeting the organization, as reported by CYFIRMA’s Dark Web and Data Breach Intelligence feeds. The alert is generated when threat actors post, claim, or associate ransomware activity with corporate domains, brands, or subsidiaries, indicating a potential data breach, extortion attempt, or unauthorized access.” |
| Severity | High |
| Tactics | InitialAccess Exfiltration |
| Techniques | T1566.001 T1566.002 T1566.003 |
| Required data connectors | CyfirmaDigitalRiskAlertsConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMRansomwareExposureDetectedHighRule.yaml |
| Version | 1.0.0 |
| Arm template | ed1aabc1-e1c1-42f4-abac-fd5637730f13.json |
// High severity - Data Breach and Web Monitoring - Ransomware Exposure Detected
let timeFrame = 5m;
CyfirmaDBWMRansomwareAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=signature,
Source=source,
Impact=impact,
Recommendation='',
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT',
AlertTitle=Alert_title,
ThreatActors= threat_actors
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Source,
Impact,
Recommendation,
ProductName,
ProviderName,
AlertTitle,
ThreatActors
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMRansomwareExposureDetectedHighRule.yaml
triggerThreshold: 0
severity: High
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: 5h
enabled: false
matchingMethod: AllEntities
reopenClosedIncident: false
queryFrequency: 5m
status: Available
customDetails:
TimeGenerated: TimeGenerated
FirstSeen: FirstSeen
Recommendation: Recommendation
RiskScore: RiskScore
AssetType: AssetType
LastSeen: LastSeen
Source: Source
Impact: Impact
ThreatActors: ThreatActors
AlertUID: AlertUID
Description: Description
AssetValue: AssetValue
UID: UID
relevantTechniques:
- T1566.001
- T1566.002
- T1566.003
alertDetailsOverride:
alertDisplayNameFormat: 'CYFIRMA - High Severity Alert: Ransomware Exposure Detected - {{AlertTitle}} '
alertDescriptionFormat: '{{Description}} '
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
triggerOperator: gt
id: ed1aabc1-e1c1-42f4-abac-fd5637730f13
requiredDataConnectors:
- connectorId: CyfirmaDigitalRiskAlertsConnector
dataTypes:
- CyfirmaDBWMRansomwareAlerts_CL
version: 1.0.0
name: CYFIRMA - Data Breach and Web Monitoring - Ransomware Exposure Detected Rule
eventGroupingSettings:
aggregationKind: AlertPerResult
description: |
"This analytics rule detects high-severity ransomware threats targeting the organization, as reported by CYFIRMA's Dark Web and Data Breach Intelligence feeds.
The alert is generated when threat actors post, claim, or associate ransomware activity with corporate domains, brands, or subsidiaries, indicating a potential data breach, extortion attempt, or unauthorized access."
query: |
// High severity - Data Breach and Web Monitoring - Ransomware Exposure Detected
let timeFrame = 5m;
CyfirmaDBWMRansomwareAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=signature,
Source=source,
Impact=impact,
Recommendation='',
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT',
AlertTitle=Alert_title,
ThreatActors= threat_actors
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Source,
Impact,
Recommendation,
ProductName,
ProviderName,
AlertTitle,
ThreatActors
tactics:
- InitialAccess
- Exfiltration
queryPeriod: 5m
kind: Scheduled
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ed1aabc1-e1c1-42f4-abac-fd5637730f13')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ed1aabc1-e1c1-42f4-abac-fd5637730f13')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{Description}} ",
"alertDisplayNameFormat": "CYFIRMA - High Severity Alert: Ransomware Exposure Detected - {{AlertTitle}} ",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "ed1aabc1-e1c1-42f4-abac-fd5637730f13",
"customDetails": {
"AlertUID": "AlertUID",
"AssetType": "AssetType",
"AssetValue": "AssetValue",
"Description": "Description",
"FirstSeen": "FirstSeen",
"Impact": "Impact",
"LastSeen": "LastSeen",
"Recommendation": "Recommendation",
"RiskScore": "RiskScore",
"Source": "Source",
"ThreatActors": "ThreatActors",
"TimeGenerated": "TimeGenerated",
"UID": "UID"
},
"description": "\"This analytics rule detects high-severity ransomware threats targeting the organization, as reported by CYFIRMA's Dark Web and Data Breach Intelligence feeds. \nThe alert is generated when threat actors post, claim, or associate ransomware activity with corporate domains, brands, or subsidiaries, indicating a potential data breach, extortion attempt, or unauthorized access.\"\n",
"displayName": "CYFIRMA - Data Breach and Web Monitoring - Ransomware Exposure Detected Rule",
"enabled": true,
"entityMappings": null,
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMRansomwareExposureDetectedHighRule.yaml",
"query": "// High severity - Data Breach and Web Monitoring - Ransomware Exposure Detected\nlet timeFrame = 5m;\nCyfirmaDBWMRansomwareAlerts_CL\n| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n Description=description,\n FirstSeen=first_seen,\n LastSeen=last_seen,\n RiskScore=risk_score,\n AlertUID=alert_uid,\n UID=uid,\n AssetType=asset_type,\n AssetValue=signature,\n Source=source,\n Impact=impact,\n Recommendation='',\n ProviderName='CYFIRMA',\n ProductName='DeCYFIR/DeTCT',\n AlertTitle=Alert_title,\n ThreatActors= threat_actors\n| project\n TimeGenerated,\n Description,\n RiskScore,\n FirstSeen,\n LastSeen,\n AlertUID,\n UID,\n AssetType,\n AssetValue,\n Source,\n Impact,\n Recommendation,\n ProductName,\n ProviderName,\n AlertTitle,\n ThreatActors\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [
"T1566.001",
"T1566.002",
"T1566.003"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Exfiltration",
"InitialAccess"
],
"techniques": [
"T1566"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}