CYFIRMA - Brand Intelligence - Domain Impersonation High Rule
| Id | 10bdf525-5b89-4a25-933a-e63e73b915f1 |
| Rulename | CYFIRMA - Brand Intelligence - Domain Impersonation High Rule |
| Description | “This analytics rule detects high-risk domain impersonation activity, where newly registered or existing domains closely resemble the legitimate brand name or organizational assets. These suspicious domains may use typosquatting, homoglyphs, or brand keywords to mislead users, steal credentials, or host phishing/malicious content. The domains are identified through CYFIRMA’s external threat intelligence feeds and flagged due to potential misuse in impersonation, fraud, or social engineering attacks targeting employees, customers, or partners. Early detection of these domains enables proactive mitigation measures such as domain takedown, DNS blocking, and awareness campaigns.” |
| Severity | High |
| Tactics | ResourceDevelopment InitialAccess CommandAndControl |
| Techniques | T1583.001 T1586.002 T1566.002 T1566.001 T1071.003 T1071.001 |
| Required data connectors | CyfirmaBrandIntelligenceAlertsDC |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIDomainImpersonationHighRule.yaml |
| Version | 1.0.1 |
| Arm template | 10bdf525-5b89-4a25-933a-e63e73b915f1.json |
// High severity- Brand Intelligence - Domain Impersonation
let timeFrame = 5m;
CyfirmaBIDomainITAssetAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
Domain=domain,
DRDomain=dr_domain,
DRSubDomain=dr_sub_domain,
DomainSquat=signature,
HostProvider=host_provider,
RegisteredDate=registered_date,
CreatedDate=created_date,
ThreatActor=suspected_threat_actor,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT'
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
Domain,
DRDomain,
DRSubDomain,
DomainSquat,
HostProvider,
RegisteredDate,
CreatedDate,
ThreatActor,
ProductName,
ProviderName
kind: Scheduled
customDetails:
DRSubDomain: DRSubDomain
ThreatActor: ThreatActor
AlertUID: AlertUID
LastSeen: LastSeen
Description: Description
TimeGenerated: TimeGenerated
FirstSeen: FirstSeen
RiskScore: RiskScore
CreatedDate: CreatedDate
DRDomain: DRDomain
DomainSquat: DomainSquat
RegisteredDate: RegisteredDate
HostProvider: HostProvider
Domain: Domain
UID: UID
alertDetailsOverride:
alertDisplayNameFormat: 'CYFIRMA - High Severity Alert - Malicious Domain Impersonation of Corporate Brand - Domain Squat: {{DomainSquat}} '
alertDescriptionFormat: '{{Description}} '
alertDynamicProperties:
- value: ProductName
alertProperty: ProductName
- value: ProviderName
alertProperty: ProviderName
entityMappings:
- entityType: DNS
fieldMappings:
- columnName: Domain
identifier: DomainName
- entityType: DNS
fieldMappings:
- columnName: DomainSquat
identifier: DomainName
description: |
"This analytics rule detects high-risk domain impersonation activity, where newly registered or existing domains closely resemble the legitimate brand name or organizational assets.
These suspicious domains may use typosquatting, homoglyphs, or brand keywords to mislead users, steal credentials, or host phishing/malicious content.
The domains are identified through CYFIRMA's external threat intelligence feeds and flagged due to potential misuse in impersonation, fraud, or social engineering attacks targeting employees, customers, or partners.
Early detection of these domains enables proactive mitigation measures such as domain takedown, DNS blocking, and awareness campaigns."
severity: High
queryFrequency: 5m
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: PT5H
enabled: false
createIncident: true
triggerThreshold: 0
relevantTechniques:
- T1583.001
- T1586.002
- T1566.002
- T1566.001
- T1071.003
- T1071.001
eventGroupingSettings:
aggregationKind: AlertPerResult
status: Available
version: 1.0.1
name: CYFIRMA - Brand Intelligence - Domain Impersonation High Rule
id: 10bdf525-5b89-4a25-933a-e63e73b915f1
query: |
// High severity- Brand Intelligence - Domain Impersonation
let timeFrame = 5m;
CyfirmaBIDomainITAssetAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
Domain=domain,
DRDomain=dr_domain,
DRSubDomain=dr_sub_domain,
DomainSquat=signature,
HostProvider=host_provider,
RegisteredDate=registered_date,
CreatedDate=created_date,
ThreatActor=suspected_threat_actor,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT'
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
Domain,
DRDomain,
DRSubDomain,
DomainSquat,
HostProvider,
RegisteredDate,
CreatedDate,
ThreatActor,
ProductName,
ProviderName
requiredDataConnectors:
- dataTypes:
- CyfirmaBIDomainITAssetAlerts_CL
connectorId: CyfirmaBrandIntelligenceAlertsDC
tactics:
- ResourceDevelopment
- InitialAccess
- CommandAndControl
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIDomainImpersonationHighRule.yaml
queryPeriod: 5m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/10bdf525-5b89-4a25-933a-e63e73b915f1')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/10bdf525-5b89-4a25-933a-e63e73b915f1')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{Description}} ",
"alertDisplayNameFormat": "CYFIRMA - High Severity Alert - Malicious Domain Impersonation of Corporate Brand - Domain Squat: {{DomainSquat}} ",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "10bdf525-5b89-4a25-933a-e63e73b915f1",
"customDetails": {
"AlertUID": "AlertUID",
"CreatedDate": "CreatedDate",
"Description": "Description",
"Domain": "Domain",
"DomainSquat": "DomainSquat",
"DRDomain": "DRDomain",
"DRSubDomain": "DRSubDomain",
"FirstSeen": "FirstSeen",
"HostProvider": "HostProvider",
"LastSeen": "LastSeen",
"RegisteredDate": "RegisteredDate",
"RiskScore": "RiskScore",
"ThreatActor": "ThreatActor",
"TimeGenerated": "TimeGenerated",
"UID": "UID"
},
"description": "\"This analytics rule detects high-risk domain impersonation activity, where newly registered or existing domains closely resemble the legitimate brand name or organizational assets. \nThese suspicious domains may use typosquatting, homoglyphs, or brand keywords to mislead users, steal credentials, or host phishing/malicious content. \nThe domains are identified through CYFIRMA's external threat intelligence feeds and flagged due to potential misuse in impersonation, fraud, or social engineering attacks targeting employees, customers, or partners. \nEarly detection of these domains enables proactive mitigation measures such as domain takedown, DNS blocking, and awareness campaigns.\"\n",
"displayName": "CYFIRMA - Brand Intelligence - Domain Impersonation High Rule",
"enabled": true,
"entityMappings": [
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "Domain",
"identifier": "DomainName"
}
]
},
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "DomainSquat",
"identifier": "DomainName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIDomainImpersonationHighRule.yaml",
"query": "// High severity- Brand Intelligence - Domain Impersonation\nlet timeFrame = 5m;\nCyfirmaBIDomainITAssetAlerts_CL\n| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n Description=description,\n FirstSeen=first_seen,\n LastSeen=last_seen,\n RiskScore=risk_score,\n AlertUID=alert_uid,\n UID=uid,\n Domain=domain,\n DRDomain=dr_domain,\n DRSubDomain=dr_sub_domain,\n DomainSquat=signature,\n HostProvider=host_provider,\n RegisteredDate=registered_date,\n CreatedDate=created_date,\n ThreatActor=suspected_threat_actor,\n ProviderName='CYFIRMA',\n ProductName='DeCYFIR/DeTCT'\n| project\n TimeGenerated,\n Description,\n RiskScore,\n FirstSeen,\n LastSeen,\n AlertUID,\n UID,\n Domain,\n DRDomain,\n DRSubDomain,\n DomainSquat,\n HostProvider,\n RegisteredDate,\n CreatedDate,\n ThreatActor,\n ProductName,\n ProviderName\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [
"T1583.001",
"T1586.002",
"T1566.002",
"T1566.001",
"T1071.003",
"T1071.001"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"InitialAccess",
"ResourceDevelopment"
],
"techniques": [
"T1071",
"T1566",
"T1583",
"T1586"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}