CYFIRMA - Data Breach and Web Monitoring - Ransomware Exposure Detected Rule

// High severity - Data Breach and Web Monitoring - Ransomware Exposure Detected
let timeFrame = 5m;
CyfirmaDBWMRansomwareAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Source=source,
    Impact=impact,
    Recommendation='',
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title,
    ThreatActors= threat_actors
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Source,
    Impact,
    Recommendation,
    ProductName,
    ProviderName,
    AlertTitle,
    ThreatActors

version: 1.0.1
relevantTechniques:
- T1566.001
- T1566.002
- T1566.003
triggerThreshold: 0
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMRansomwareExposureDetectedHighRule.yaml
queryPeriod: 5m
query: |
  // High severity - Data Breach and Web Monitoring - Ransomware Exposure Detected
  let timeFrame = 5m;
  CyfirmaDBWMRansomwareAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact=impact,
      Recommendation='',
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title,
      ThreatActors= threat_actors
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Source,
      Impact,
      Recommendation,
      ProductName,
      ProviderName,
      AlertTitle,
      ThreatActors  
id: ed1aabc1-e1c1-42f4-abac-fd5637730f13
customDetails:
  AssetType: AssetType
  TimeGenerated: TimeGenerated
  Impact: Impact
  ThreatActors: ThreatActors
  LastSeen: LastSeen
  FirstSeen: FirstSeen
  UID: UID
  AlertUID: AlertUID
  AssetValue: AssetValue
  Recommendation: Recommendation
  Description: Description
  RiskScore: RiskScore
  Source: Source
name: CYFIRMA - Data Breach and Web Monitoring - Ransomware Exposure Detected Rule
kind: Scheduled
tactics:
- InitialAccess
- Exfiltration
description: |
  "This analytics rule detects high-severity ransomware threats targeting the organization, as reported by CYFIRMA's Dark Web and Data Breach Intelligence feeds. 
  The alert is generated when threat actors post, claim, or associate ransomware activity with corporate domains, brands, or subsidiaries, indicating a potential data breach, extortion attempt, or unauthorized access."  
triggerOperator: gt
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - High Severity Alert: Ransomware Exposure Detected - {{AlertTitle}} '
  alertDescriptionFormat: '{{Description}} '
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: PT5H
    enabled: false
    matchingMethod: AllEntities
    reopenClosedIncident: false
  createIncident: true
requiredDataConnectors:
- connectorId: CyfirmaDigitalRiskAlertsConnector
  dataTypes:
  - CyfirmaDBWMRansomwareAlerts_CL
queryFrequency: 5m
status: Available