CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule
| Id | 00c7b41c-ddeb-4c49-acd7-2f7897e27fb4 |
| Rulename | CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule |
| Description | “Detects phishing campaigns targeting enterprise domains, as identified through CYFIRMA’s Data Breach and Dark Web Monitoring. These alerts may include malicious URLs used for credential harvesting, domain impersonation, or social engineering. Immediate triage and takedown actions are recommended.” |
| Severity | Medium |
| Tactics | InitialAccess Exfiltration |
| Techniques | T1566.001 T1566.002 T1566.003 |
| Required data connectors | CyfirmaDigitalRiskAlertsConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMPhishingCampaignDetectionMediumRule.yaml |
| Version | 1.0.1 |
| Arm template | 00c7b41c-ddeb-4c49-acd7-2f7897e27fb4.json |
```kql
// Medium severity - Data Breach and Web Monitoring - Phishing Campaign Detection
let timeFrame = 5m;
CyfirmaDBWMPhishingAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Source=source,
    Impact='',
    Recommendation='',
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Source,
    Impact,
    Recommendation,
    ProductName,
    ProviderName,
    AlertTitle
```
```yaml
queryFrequency: 5m
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: AlertPerResult
name: CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule
version: 1.0.1
relevantTechniques:
- T1566.001
- T1566.002
- T1566.003
customDetails:
  Impact: Impact
  UID: UID
  Source: Source
  FirstSeen: FirstSeen
  AssetType: AssetType
  RiskScore: RiskScore
  AlertUID: AlertUID
  LastSeen: LastSeen
  Recommendation: Recommendation
  AssetValue: AssetValue
  TimeGenerated: TimeGenerated
  Description: Description
id: 00c7b41c-ddeb-4c49-acd7-2f7897e27fb4
query: |
  // Medium severity - Data Breach and Web Monitoring - Phishing Campaign Detection
  let timeFrame = 5m;
  CyfirmaDBWMPhishingAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact='',
      Recommendation='',
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Source,
      Impact,
      Recommendation,
      ProductName,
      ProviderName,
      AlertTitle
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMPhishingCampaignDetectionMediumRule.yaml
alertDetailsOverride:
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Alert: Phishing Campaign Detection - {{AlertTitle}} '
  alertDescriptionFormat: '{{Description}} '
queryPeriod: 5m
tactics:
- InitialAccess
- Exfiltration
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - CyfirmaDBWMPhishingAlerts_CL
  connectorId: CyfirmaDigitalRiskAlertsConnector
status: Available
kind: Scheduled
description: |
  "Detects phishing campaigns targeting enterprise domains, as identified through CYFIRMA's Data Breach and Dark Web Monitoring.
  These alerts may include malicious URLs used for credential harvesting, domain impersonation, or social engineering.
  Immediate triage and takedown actions are recommended."
```