CYFIRMA - Data Breach and Web Monitoring - Ransomware Exposure Detected Rule
| Id | ed1aabc1-e1c1-42f4-abac-fd5637730f13 |
| Rulename | CYFIRMA - Data Breach and Web Monitoring - Ransomware Exposure Detected Rule |
| Description | “This analytics rule detects high-severity ransomware threats targeting the organization, as reported by CYFIRMA’s Dark Web and Data Breach Intelligence feeds. The alert is generated when threat actors post, claim, or associate ransomware activity with corporate domains, brands, or subsidiaries, indicating a potential data breach, extortion attempt, or unauthorized access.” |
| Severity | High |
| Tactics | InitialAccess Exfiltration |
| Techniques | T1566.001 T1566.002 T1566.003 |
| Required data connectors | CyfirmaDigitalRiskAlertsConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMRansomwareExposureDetectedHighRule.yaml |
| Version | 1.0.0 |
| Arm template | ed1aabc1-e1c1-42f4-abac-fd5637730f13.json |
// High severity - Data Breach and Web Monitoring - Ransomware Exposure Detected
let timeFrame = 5m;
CyfirmaDBWMRansomwareAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=signature,
Source=source,
Impact=impact,
Recommendation='',
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT',
AlertTitle=Alert_title,
ThreatActors= threat_actors
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Source,
Impact,
Recommendation,
ProductName,
ProviderName,
AlertTitle,
ThreatActors
tactics:
- InitialAccess
- Exfiltration
name: CYFIRMA - Data Breach and Web Monitoring - Ransomware Exposure Detected Rule
id: ed1aabc1-e1c1-42f4-abac-fd5637730f13
requiredDataConnectors:
- connectorId: CyfirmaDigitalRiskAlertsConnector
dataTypes:
- CyfirmaDBWMRansomwareAlerts_CL
query: |
// High severity - Data Breach and Web Monitoring - Ransomware Exposure Detected
let timeFrame = 5m;
CyfirmaDBWMRansomwareAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=signature,
Source=source,
Impact=impact,
Recommendation='',
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT',
AlertTitle=Alert_title,
ThreatActors= threat_actors
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Source,
Impact,
Recommendation,
ProductName,
ProviderName,
AlertTitle,
ThreatActors
eventGroupingSettings:
aggregationKind: AlertPerResult
relevantTechniques:
- T1566.001
- T1566.002
- T1566.003
incidentConfiguration:
createIncident: true
groupingConfiguration:
matchingMethod: AllEntities
reopenClosedIncident: false
lookbackDuration: 5h
enabled: false
description: |
"This analytics rule detects high-severity ransomware threats targeting the organization, as reported by CYFIRMA's Dark Web and Data Breach Intelligence feeds.
The alert is generated when threat actors post, claim, or associate ransomware activity with corporate domains, brands, or subsidiaries, indicating a potential data breach, extortion attempt, or unauthorized access."
triggerOperator: gt
queryPeriod: 5m
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMRansomwareExposureDetectedHighRule.yaml
version: 1.0.0
alertDetailsOverride:
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
alertDisplayNameFormat: 'CYFIRMA - High Severity Alert: Ransomware Exposure Detected - {{AlertTitle}} '
alertDescriptionFormat: '{{Description}} '
triggerThreshold: 0
queryFrequency: 5m
kind: Scheduled
status: Available
customDetails:
Source: Source
Impact: Impact
AssetType: AssetType
AssetValue: AssetValue
ThreatActors: ThreatActors
Recommendation: Recommendation
Description: Description
AlertUID: AlertUID
TimeGenerated: TimeGenerated
UID: UID
LastSeen: LastSeen
RiskScore: RiskScore
FirstSeen: FirstSeen
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ed1aabc1-e1c1-42f4-abac-fd5637730f13')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ed1aabc1-e1c1-42f4-abac-fd5637730f13')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{Description}} ",
"alertDisplayNameFormat": "CYFIRMA - High Severity Alert: Ransomware Exposure Detected - {{AlertTitle}} ",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "ed1aabc1-e1c1-42f4-abac-fd5637730f13",
"customDetails": {
"AlertUID": "AlertUID",
"AssetType": "AssetType",
"AssetValue": "AssetValue",
"Description": "Description",
"FirstSeen": "FirstSeen",
"Impact": "Impact",
"LastSeen": "LastSeen",
"Recommendation": "Recommendation",
"RiskScore": "RiskScore",
"Source": "Source",
"ThreatActors": "ThreatActors",
"TimeGenerated": "TimeGenerated",
"UID": "UID"
},
"description": "\"This analytics rule detects high-severity ransomware threats targeting the organization, as reported by CYFIRMA's Dark Web and Data Breach Intelligence feeds. \nThe alert is generated when threat actors post, claim, or associate ransomware activity with corporate domains, brands, or subsidiaries, indicating a potential data breach, extortion attempt, or unauthorized access.\"\n",
"displayName": "CYFIRMA - Data Breach and Web Monitoring - Ransomware Exposure Detected Rule",
"enabled": true,
"entityMappings": null,
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMRansomwareExposureDetectedHighRule.yaml",
"query": "// High severity - Data Breach and Web Monitoring - Ransomware Exposure Detected\nlet timeFrame = 5m;\nCyfirmaDBWMRansomwareAlerts_CL\n| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n Description=description,\n FirstSeen=first_seen,\n LastSeen=last_seen,\n RiskScore=risk_score,\n AlertUID=alert_uid,\n UID=uid,\n AssetType=asset_type,\n AssetValue=signature,\n Source=source,\n Impact=impact,\n Recommendation='',\n ProviderName='CYFIRMA',\n ProductName='DeCYFIR/DeTCT',\n AlertTitle=Alert_title,\n ThreatActors= threat_actors\n| project\n TimeGenerated,\n Description,\n RiskScore,\n FirstSeen,\n LastSeen,\n AlertUID,\n UID,\n AssetType,\n AssetValue,\n Source,\n Impact,\n Recommendation,\n ProductName,\n ProviderName,\n AlertTitle,\n ThreatActors\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [
"T1566.001",
"T1566.002",
"T1566.003"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Exfiltration",
"InitialAccess"
],
"techniques": [
"T1566"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}