CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule

// Medium severity - Data Breach and Web Monitoring - Phishing Campaign Detection
let timeFrame = 5m;
CyfirmaDBWMPhishingAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Source=source,
    Impact='',
    Recommendation='',
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Source,
    Impact,
    Recommendation,
    ProductName,
    ProviderName,
    AlertTitle

name: CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule
alertDetailsOverride:
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Alert:  Phishing Campaign Detection - {{AlertTitle}} '
  alertDescriptionFormat: '{{Description}} '
version: 1.0.1
triggerThreshold: 0
id: 00c7b41c-ddeb-4c49-acd7-2f7897e27fb4
triggerOperator: gt
query: |
  // Medium severity - Data Breach and Web Monitoring - Phishing Campaign Detection
  let timeFrame = 5m;
  CyfirmaDBWMPhishingAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact='',
      Recommendation='',
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Source,
      Impact,
      Recommendation,
      ProductName,
      ProviderName,
      AlertTitle  
description: |
  "Detects phishing campaigns targeting enterprise domains, as identified through CYFIRMA's Data Breach and Dark Web Monitoring. 
  These alerts may include malicious URLs used for credential harvesting, domain impersonation, or social engineering. 
  Immediate triage and takedown actions are recommended."  
kind: Scheduled
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMPhishingCampaignDetectionMediumRule.yaml
severity: Medium
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: false
queryPeriod: 5m
requiredDataConnectors:
- dataTypes:
  - CyfirmaDBWMPhishingAlerts_CL
  connectorId: CyfirmaDigitalRiskAlertsConnector
status: Available
customDetails:
  Impact: Impact
  AssetValue: AssetValue
  UID: UID
  LastSeen: LastSeen
  AlertUID: AlertUID
  FirstSeen: FirstSeen
  RiskScore: RiskScore
  Description: Description
  Source: Source
  TimeGenerated: TimeGenerated
  AssetType: AssetType
  Recommendation: Recommendation
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1566.001
- T1566.002
- T1566.003
tactics:
- InitialAccess
- Exfiltration