CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule

// Medium severity - Data Breach and Web Monitoring - Phishing Campaign Detection
let timeFrame = 5m;
CyfirmaDBWMPhishingAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Source=source,
    Impact='',
    Recommendation='',
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Source,
    Impact,
    Recommendation,
    ProductName,
    ProviderName,
    AlertTitle

version: 1.0.1
relevantTechniques:
- T1566.001
- T1566.002
- T1566.003
triggerThreshold: 0
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMPhishingCampaignDetectionMediumRule.yaml
queryPeriod: 5m
query: |
  // Medium severity - Data Breach and Web Monitoring - Phishing Campaign Detection
  let timeFrame = 5m;
  CyfirmaDBWMPhishingAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact='',
      Recommendation='',
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Source,
      Impact,
      Recommendation,
      ProductName,
      ProviderName,
      AlertTitle  
id: 00c7b41c-ddeb-4c49-acd7-2f7897e27fb4
customDetails:
  AssetType: AssetType
  TimeGenerated: TimeGenerated
  Impact: Impact
  LastSeen: LastSeen
  FirstSeen: FirstSeen
  UID: UID
  AlertUID: AlertUID
  AssetValue: AssetValue
  Recommendation: Recommendation
  Description: Description
  RiskScore: RiskScore
  Source: Source
name: CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule
kind: Scheduled
tactics:
- InitialAccess
- Exfiltration
description: |
  "Detects phishing campaigns targeting enterprise domains, as identified through CYFIRMA's Data Breach and Dark Web Monitoring. 
  These alerts may include malicious URLs used for credential harvesting, domain impersonation, or social engineering. 
  Immediate triage and takedown actions are recommended."  
triggerOperator: gt
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Alert:  Phishing Campaign Detection - {{AlertTitle}} '
  alertDescriptionFormat: '{{Description}} '
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: PT5H
    enabled: false
    matchingMethod: AllEntities
    reopenClosedIncident: false
  createIncident: true
requiredDataConnectors:
- connectorId: CyfirmaDigitalRiskAlertsConnector
  dataTypes:
  - CyfirmaDBWMPhishingAlerts_CL
queryFrequency: 5m
status: Available