Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule

CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule

Back
Id00c7b41c-ddeb-4c49-acd7-2f7897e27fb4
RulenameCYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule
Description“Detects phishing campaigns targeting enterprise domains, as identified through CYFIRMA’s Data Breach and Dark Web Monitoring.

These alerts may include malicious URLs used for credential harvesting, domain impersonation, or social engineering.

Immediate triage and takedown actions are recommended.”
SeverityMedium
TacticsInitialAccess
Exfiltration
TechniquesT1566.001
T1566.002
T1566.003
Required data connectorsCyfirmaDigitalRiskAlertsConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMPhishingCampaignDetectionMediumRule.yaml
Version1.0.1
Arm template00c7b41c-ddeb-4c49-acd7-2f7897e27fb4.json
Deploy To Azure
// Medium severity - Data Breach and Web Monitoring - Phishing Campaign Detection
let timeFrame = 5m;
CyfirmaDBWMPhishingAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Source=source,
    Impact='',
    Recommendation='',
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Source,
    Impact,
    Recommendation,
    ProductName,
    ProviderName,
    AlertTitle

incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
    enabled: false
relevantTechniques:
- T1566.001
- T1566.002
- T1566.003
queryFrequency: 5m
description: |
  "Detects phishing campaigns targeting enterprise domains, as identified through CYFIRMA's Data Breach and Dark Web Monitoring. 
  These alerts may include malicious URLs used for credential harvesting, domain impersonation, or social engineering. 
  Immediate triage and takedown actions are recommended."  
triggerThreshold: 0
id: 00c7b41c-ddeb-4c49-acd7-2f7897e27fb4
name: CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule
queryPeriod: 5m
customDetails:
  TimeGenerated: TimeGenerated
  Recommendation: Recommendation
  Impact: Impact
  Description: Description
  AlertUID: AlertUID
  LastSeen: LastSeen
  Source: Source
  AssetType: AssetType
  RiskScore: RiskScore
  UID: UID
  AssetValue: AssetValue
  FirstSeen: FirstSeen
query: |
  // Medium severity - Data Breach and Web Monitoring - Phishing Campaign Detection
  let timeFrame = 5m;
  CyfirmaDBWMPhishingAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact='',
      Recommendation='',
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Source,
      Impact,
      Recommendation,
      ProductName,
      ProviderName,
      AlertTitle  
version: 1.0.1
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerOperator: gt
requiredDataConnectors:
- connectorId: CyfirmaDigitalRiskAlertsConnector
  dataTypes:
  - CyfirmaDBWMPhishingAlerts_CL
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Alert:  Phishing Campaign Detection - {{AlertTitle}} '
  alertDescriptionFormat: '{{Description}} '
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMPhishingCampaignDetectionMediumRule.yaml
tactics:
- InitialAccess
- Exfiltration
kind: Scheduled
severity: Medium