CYFIRMA - Data Breach and Web Monitoring - Ransomware Exposure Detected Rule

// High severity - Data Breach and Web Monitoring - Ransomware Exposure Detected
let timeFrame = 5m;
CyfirmaDBWMRansomwareAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Source=source,
    Impact=impact,
    Recommendation='',
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title,
    ThreatActors= threat_actors
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Source,
    Impact,
    Recommendation,
    ProductName,
    ProviderName,
    AlertTitle,
    ThreatActors

relevantTechniques:
- T1566.001
- T1566.002
- T1566.003
queryPeriod: 5m
triggerOperator: gt
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMRansomwareExposureDetectedHighRule.yaml
description: |
  "This analytics rule detects high-severity ransomware threats targeting the organization, as reported by CYFIRMA's Dark Web and Data Breach Intelligence feeds. 
  The alert is generated when threat actors post, claim, or associate ransomware activity with corporate domains, brands, or subsidiaries, indicating a potential data breach, extortion attempt, or unauthorized access."  
tactics:
- InitialAccess
- Exfiltration
severity: High
status: Available
kind: Scheduled
triggerThreshold: 0
queryFrequency: 5m
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - High Severity Alert: Ransomware Exposure Detected - {{AlertTitle}} '
  alertDescriptionFormat: '{{Description}} '
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
requiredDataConnectors:
- dataTypes:
  - CyfirmaDBWMRansomwareAlerts_CL
  connectorId: CyfirmaDigitalRiskAlertsConnector
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
id: ed1aabc1-e1c1-42f4-abac-fd5637730f13
customDetails:
  FirstSeen: FirstSeen
  UID: UID
  Source: Source
  Description: Description
  AlertUID: AlertUID
  Impact: Impact
  ThreatActors: ThreatActors
  AssetValue: AssetValue
  AssetType: AssetType
  RiskScore: RiskScore
  TimeGenerated: TimeGenerated
  LastSeen: LastSeen
  Recommendation: Recommendation
query: |
  // High severity - Data Breach and Web Monitoring - Ransomware Exposure Detected
  let timeFrame = 5m;
  CyfirmaDBWMRansomwareAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact=impact,
      Recommendation='',
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title,
      ThreatActors= threat_actors
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Source,
      Impact,
      Recommendation,
      ProductName,
      ProviderName,
      AlertTitle,
      ThreatActors  
name: CYFIRMA - Data Breach and Web Monitoring - Ransomware Exposure Detected Rule