Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule

Back
Id17cce4fc-9b4c-4eef-a4c7-083b44545e6e
RulenameCYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule
Description“Detects phishing campaigns targeting enterprise domains, as identified through CYFIRMA’s Data Breach and Dark Web Monitoring.

These alerts may include malicious URLs used for credential harvesting, domain impersonation, or social engineering.

Immediate triage and takedown actions are recommended.”
SeverityHigh
TacticsInitialAccess
Exfiltration
TechniquesT1566.001
T1566.002
T1566.003
Required data connectorsCyfirmaDigitalRiskAlertsConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMPhishingCampaignDetectionHighRule.yaml
Version1.0.0
Arm template17cce4fc-9b4c-4eef-a4c7-083b44545e6e.json
Deploy To Azure
// High severity - Data Breach and Web Monitoring - Phishing Campaign Detection
let timeFrame = 5m;
CyfirmaDBWMPhishingAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Source=source,
    Impact='',
    Recommendation='',
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Source,
    Impact,
    Recommendation,
    ProductName,
    ProviderName,
    AlertTitle
requiredDataConnectors:
- connectorId: CyfirmaDigitalRiskAlertsConnector
  dataTypes:
  - CyfirmaDBWMPhishingAlerts_CL
tactics:
- InitialAccess
- Exfiltration
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    lookbackDuration: 5h
    matchingMethod: AllEntities
    reopenClosedIncident: false
description: |
  "Detects phishing campaigns targeting enterprise domains, as identified through CYFIRMA's Data Breach and Dark Web Monitoring. 
  These alerts may include malicious URLs used for credential harvesting, domain impersonation, or social engineering. 
  Immediate triage and takedown actions are recommended."  
query: |
  // High severity - Data Breach and Web Monitoring - Phishing Campaign Detection
  let timeFrame = 5m;
  CyfirmaDBWMPhishingAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact='',
      Recommendation='',
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Source,
      Impact,
      Recommendation,
      ProductName,
      ProviderName,
      AlertTitle  
id: 17cce4fc-9b4c-4eef-a4c7-083b44545e6e
triggerOperator: gt
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - High Severity Alert:  Phishing Campaign Detection - {{AlertTitle}} '
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDescriptionFormat: '{{Description}} '
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMPhishingCampaignDetectionHighRule.yaml
queryFrequency: 5m
severity: High
name: CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule
queryPeriod: 5m
relevantTechniques:
- T1566.001
- T1566.002
- T1566.003
kind: Scheduled
triggerThreshold: 0
version: 1.0.0
customDetails:
  TimeGenerated: TimeGenerated
  UID: UID
  AssetType: AssetType
  Impact: Impact
  Description: Description
  LastSeen: LastSeen
  AssetValue: AssetValue
  FirstSeen: FirstSeen
  RiskScore: RiskScore
  AlertUID: AlertUID
  Recommendation: Recommendation
  Source: Source
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/17cce4fc-9b4c-4eef-a4c7-083b44545e6e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/17cce4fc-9b4c-4eef-a4c7-083b44545e6e')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{Description}} ",
          "alertDisplayNameFormat": "CYFIRMA - High Severity Alert:  Phishing Campaign Detection - {{AlertTitle}} ",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "17cce4fc-9b4c-4eef-a4c7-083b44545e6e",
        "customDetails": {
          "AlertUID": "AlertUID",
          "AssetType": "AssetType",
          "AssetValue": "AssetValue",
          "Description": "Description",
          "FirstSeen": "FirstSeen",
          "Impact": "Impact",
          "LastSeen": "LastSeen",
          "Recommendation": "Recommendation",
          "RiskScore": "RiskScore",
          "Source": "Source",
          "TimeGenerated": "TimeGenerated",
          "UID": "UID"
        },
        "description": "\"Detects phishing campaigns targeting enterprise domains, as identified through CYFIRMA's Data Breach and Dark Web Monitoring. \nThese alerts may include malicious URLs used for credential harvesting, domain impersonation, or social engineering. \nImmediate triage and takedown actions are recommended.\"\n",
        "displayName": "CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMPhishingCampaignDetectionHighRule.yaml",
        "query": "// High severity - Data Breach and Web Monitoring - Phishing Campaign Detection\nlet timeFrame = 5m;\nCyfirmaDBWMPhishingAlerts_CL\n| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n    Description=description,\n    FirstSeen=first_seen,\n    LastSeen=last_seen,\n    RiskScore=risk_score,\n    AlertUID=alert_uid,\n    UID=uid,\n    AssetType=asset_type,\n    AssetValue=signature,\n    Source=source,\n    Impact='',\n    Recommendation='',\n    ProviderName='CYFIRMA',\n    ProductName='DeCYFIR/DeTCT',\n    AlertTitle=Alert_title\n| project\n    TimeGenerated,\n    Description,\n    RiskScore,\n    FirstSeen,\n    LastSeen,\n    AlertUID,\n    UID,\n    AssetType,\n    AssetValue,\n    Source,\n    Impact,\n    Recommendation,\n    ProductName,\n    ProviderName,\n    AlertTitle\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [
          "T1566.001",
          "T1566.002",
          "T1566.003"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration",
          "InitialAccess"
        ],
        "techniques": [
          "T1566"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}