CYFIRMA - Brand Intelligence - Domain Impersonation High Rule

Back


Id	10bdf525-5b89-4a25-933a-e63e73b915f1
Rulename	CYFIRMA - Brand Intelligence - Domain Impersonation High Rule
Description	“This analytics rule detects high-risk domain impersonation activity, where newly registered or existing domains closely resemble the legitimate brand name or organizational assets. These suspicious domains may use typosquatting, homoglyphs, or brand keywords to mislead users, steal credentials, or host phishing/malicious content. The domains are identified through CYFIRMA’s external threat intelligence feeds and flagged due to potential misuse in impersonation, fraud, or social engineering attacks targeting employees, customers, or partners. Early detection of these domains enables proactive mitigation measures such as domain takedown, DNS blocking, and awareness campaigns.”
Severity	High
Tactics	ResourceDevelopment InitialAccess CommandAndControl
Techniques	T1583.001 T1586.002 T1566.002 T1566.001 T1071.003 T1071.001
Required data connectors	CyfirmaBrandIntelligenceAlertsDC
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIDomainImpersonationHighRule.yaml
Version	1.0.1
Arm template	10bdf525-5b89-4a25-933a-e63e73b915f1.json

KQL

// High severity-  Brand Intelligence - Domain Impersonation
let timeFrame = 5m;
CyfirmaBIDomainITAssetAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    Domain=domain,
    DRDomain=dr_domain,
    DRSubDomain=dr_sub_domain,
    DomainSquat=signature,
    HostProvider=host_provider,
    RegisteredDate=registered_date,
    CreatedDate=created_date,
    ThreatActor=suspected_threat_actor,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT'
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    Domain,
    DRDomain,
    DRSubDomain,
    DomainSquat,
    HostProvider,
    RegisteredDate,
    CreatedDate,
    ThreatActor,
    ProductName,
    ProviderName

YAML

queryPeriod: 5m
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
    enabled: false
  createIncident: true
severity: High
description: |
  "This analytics rule detects high-risk domain impersonation activity, where newly registered or existing domains closely resemble the legitimate brand name or organizational assets. 
  These suspicious domains may use typosquatting, homoglyphs, or brand keywords to mislead users, steal credentials, or host phishing/malicious content. 
  The domains are identified through CYFIRMA's external threat intelligence feeds and flagged due to potential misuse in impersonation, fraud, or social engineering attacks targeting employees, customers, or partners. 
  Early detection of these domains enables proactive mitigation measures such as domain takedown, DNS blocking, and awareness campaigns."  
entityMappings:
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: Domain
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: DomainSquat
status: Available
triggerOperator: gt
kind: Scheduled
tactics:
- ResourceDevelopment
- InitialAccess
- CommandAndControl
relevantTechniques:
- T1583.001
- T1586.002
- T1566.002
- T1566.001
- T1071.003
- T1071.001
id: 10bdf525-5b89-4a25-933a-e63e73b915f1
triggerThreshold: 0
queryFrequency: 5m
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIDomainImpersonationHighRule.yaml
query: |
  // High severity-  Brand Intelligence - Domain Impersonation
  let timeFrame = 5m;
  CyfirmaBIDomainITAssetAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      Domain=domain,
      DRDomain=dr_domain,
      DRSubDomain=dr_sub_domain,
      DomainSquat=signature,
      HostProvider=host_provider,
      RegisteredDate=registered_date,
      CreatedDate=created_date,
      ThreatActor=suspected_threat_actor,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      Domain,
      DRDomain,
      DRSubDomain,
      DomainSquat,
      HostProvider,
      RegisteredDate,
      CreatedDate,
      ThreatActor,
      ProductName,
      ProviderName  
customDetails:
  LastSeen: LastSeen
  DRDomain: DRDomain
  Description: Description
  RegisteredDate: RegisteredDate
  RiskScore: RiskScore
  TimeGenerated: TimeGenerated
  HostProvider: HostProvider
  AlertUID: AlertUID
  UID: UID
  CreatedDate: CreatedDate
  DomainSquat: DomainSquat
  FirstSeen: FirstSeen
  ThreatActor: ThreatActor
  DRSubDomain: DRSubDomain
  Domain: Domain
requiredDataConnectors:
- dataTypes:
  - CyfirmaBIDomainITAssetAlerts_CL
  connectorId: CyfirmaBrandIntelligenceAlertsDC
alertDetailsOverride:
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
  alertDisplayNameFormat: 'CYFIRMA - High Severity Alert - Malicious Domain Impersonation of Corporate Brand - Domain Squat: {{DomainSquat}} '
  alertDescriptionFormat: '{{Description}} '
eventGroupingSettings:
  aggregationKind: AlertPerResult
name: CYFIRMA - Brand Intelligence - Domain Impersonation High Rule

ARM