CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule
| Id | 00c7b41c-ddeb-4c49-acd7-2f7897e27fb4 |
| Rulename | CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule |
| Description | “Detects phishing campaigns targeting enterprise domains, as identified through CYFIRMA’s Data Breach and Dark Web Monitoring. These alerts may include malicious URLs used for credential harvesting, domain impersonation, or social engineering. Immediate triage and takedown actions are recommended.” |
| Severity | Medium |
| Tactics | InitialAccess Exfiltration |
| Techniques | T1566.001 T1566.002 T1566.003 |
| Required data connectors | CyfirmaDigitalRiskAlertsConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMPhishingCampaignDetectionMediumRule.yaml |
| Version | 1.0.1 |
| Arm template | 00c7b41c-ddeb-4c49-acd7-2f7897e27fb4.json |
// Medium severity - Data Breach and Web Monitoring - Phishing Campaign Detection
let timeFrame = 5m;
CyfirmaDBWMPhishingAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=signature,
Source=source,
Impact='',
Recommendation='',
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT',
AlertTitle=Alert_title
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Source,
Impact,
Recommendation,
ProductName,
ProviderName,
AlertTitle
customDetails:
RiskScore: RiskScore
Recommendation: Recommendation
UID: UID
FirstSeen: FirstSeen
LastSeen: LastSeen
AssetType: AssetType
Impact: Impact
Description: Description
TimeGenerated: TimeGenerated
AlertUID: AlertUID
AssetValue: AssetValue
Source: Source
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMPhishingCampaignDetectionMediumRule.yaml
id: 00c7b41c-ddeb-4c49-acd7-2f7897e27fb4
requiredDataConnectors:
- dataTypes:
- CyfirmaDBWMPhishingAlerts_CL
connectorId: CyfirmaDigitalRiskAlertsConnector
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
enabled: false
matchingMethod: AllEntities
lookbackDuration: PT5H
createIncident: true
relevantTechniques:
- T1566.001
- T1566.002
- T1566.003
kind: Scheduled
name: CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule
query: |
// Medium severity - Data Breach and Web Monitoring - Phishing Campaign Detection
let timeFrame = 5m;
CyfirmaDBWMPhishingAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=signature,
Source=source,
Impact='',
Recommendation='',
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT',
AlertTitle=Alert_title
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Source,
Impact,
Recommendation,
ProductName,
ProviderName,
AlertTitle
tactics:
- InitialAccess
- Exfiltration
severity: Medium
queryFrequency: 5m
description: |
"Detects phishing campaigns targeting enterprise domains, as identified through CYFIRMA's Data Breach and Dark Web Monitoring.
These alerts may include malicious URLs used for credential harvesting, domain impersonation, or social engineering.
Immediate triage and takedown actions are recommended."
alertDetailsOverride:
alertDisplayNameFormat: 'CYFIRMA - Medium Severity Alert: Phishing Campaign Detection - {{AlertTitle}} '
alertDescriptionFormat: '{{Description}} '
alertDynamicProperties:
- value: ProductName
alertProperty: ProductName
- value: ProviderName
alertProperty: ProviderName
triggerThreshold: 0
triggerOperator: gt
version: 1.0.1
eventGroupingSettings:
aggregationKind: AlertPerResult
queryPeriod: 5m
status: Available