CYFIRMA - Brand Intelligence - ExecutivePeople Impersonation High Rule

// High severity - Executive/People Impersonation
let timeFrame = 5m;
CyfirmaBIExecutivePeopleAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=asset_value,
    Impact=impact,
    Recommendation=recommendation,
    PostedDate=posted_date,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT'
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Impact,
    Recommendation,
    PostedDate,
    ProductName,
    ProviderName

queryPeriod: 5m
query: |
  // High severity - Executive/People Impersonation
  let timeFrame = 5m;
  CyfirmaBIExecutivePeopleAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=asset_value,
      Impact=impact,
      Recommendation=recommendation,
      PostedDate=posted_date,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Impact,
      Recommendation,
      PostedDate,
      ProductName,
      ProviderName  
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: false
  createIncident: true
name: CYFIRMA - Brand Intelligence - Executive/People Impersonation High Rule
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIExecutivePeopleImpersonationHighRule.yaml
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - High Severity Alert - Executive Impersonation - Suspicious Social Media Account Detected - {{AssetValue}} '
  alertDescriptionFormat: '{{Description}} '
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
description: |
  "This rule detects potential impersonation of executive or high-profile individuals across digital platforms such as social media. 
  Such impersonation can be used to mislead stakeholders, perform social engineering attacks, or cause reputational damage to the organization. 
  Timely detection is crucial to assess risk and take down malicious profiles to protect brand and executive identity."  
kind: Scheduled
version: 1.0.1
status: Available
severity: High
requiredDataConnectors:
- connectorId: CyfirmaBrandIntelligenceAlertsDC
  dataTypes:
  - CyfirmaBIExecutivePeopleAlerts_CL
triggerOperator: gt
triggerThreshold: 0
customDetails:
  Impact: Impact
  TimeGenerated: TimeGenerated
  UID: UID
  AssetType: AssetType
  LastSeen: LastSeen
  AssetValue: AssetValue
  Description: Description
  AlertUID: AlertUID
  FirstSeen: FirstSeen
  Recommendation: Recommendation
  PostedDate: PostedDate
  RiskScore: RiskScore
tactics:
- Reconnaissance
- ResourceDevelopment
- InitialAccess
id: 159d26a1-591c-4f70-b1ca-2843c881aaec
relevantTechniques:
- T1589.003
- T1585.001
- T1566.002