CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule

// High severity - Data Breach and Web Monitoring - Phishing Campaign Detection
let timeFrame = 5m;
CyfirmaDBWMPhishingAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Source=source,
    Impact='',
    Recommendation='',
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Source,
    Impact,
    Recommendation,
    ProductName,
    ProviderName,
    AlertTitle

customDetails:
  RiskScore: RiskScore
  Recommendation: Recommendation
  UID: UID
  FirstSeen: FirstSeen
  LastSeen: LastSeen
  AssetType: AssetType
  Impact: Impact
  Description: Description
  TimeGenerated: TimeGenerated
  AlertUID: AlertUID
  AssetValue: AssetValue
  Source: Source
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMPhishingCampaignDetectionHighRule.yaml
id: 17cce4fc-9b4c-4eef-a4c7-083b44545e6e
requiredDataConnectors:
- dataTypes:
  - CyfirmaDBWMPhishingAlerts_CL
  connectorId: CyfirmaDigitalRiskAlertsConnector
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
  createIncident: true
relevantTechniques:
- T1566.001
- T1566.002
- T1566.003
kind: Scheduled
name: CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule
query: |
  // High severity - Data Breach and Web Monitoring - Phishing Campaign Detection
  let timeFrame = 5m;
  CyfirmaDBWMPhishingAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact='',
      Recommendation='',
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Source,
      Impact,
      Recommendation,
      ProductName,
      ProviderName,
      AlertTitle  
tactics:
- InitialAccess
- Exfiltration
severity: High
queryFrequency: 5m
description: |
  "Detects phishing campaigns targeting enterprise domains, as identified through CYFIRMA's Data Breach and Dark Web Monitoring. 
  These alerts may include malicious URLs used for credential harvesting, domain impersonation, or social engineering. 
  Immediate triage and takedown actions are recommended."  
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - High Severity Alert:  Phishing Campaign Detection - {{AlertTitle}} '
  alertDescriptionFormat: '{{Description}} '
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
triggerThreshold: 0
triggerOperator: gt
version: 1.0.1
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryPeriod: 5m
status: Available