CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule
| Id | 17cce4fc-9b4c-4eef-a4c7-083b44545e6e |
| Rulename | CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule |
| Description | “Detects phishing campaigns targeting enterprise domains, as identified through CYFIRMA’s Data Breach and Dark Web Monitoring. These alerts may include malicious URLs used for credential harvesting, domain impersonation, or social engineering. Immediate triage and takedown actions are recommended.” |
| Severity | High |
| Tactics | InitialAccess Exfiltration |
| Techniques | T1566.001 T1566.002 T1566.003 |
| Required data connectors | CyfirmaDigitalRiskAlertsConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMPhishingCampaignDetectionHighRule.yaml |
| Version | 1.0.1 |
| Arm template | 17cce4fc-9b4c-4eef-a4c7-083b44545e6e.json |
// High severity - Data Breach and Web Monitoring - Phishing Campaign Detection
let timeFrame = 5m;
CyfirmaDBWMPhishingAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=signature,
Source=source,
Impact='',
Recommendation='',
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT',
AlertTitle=Alert_title
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Source,
Impact,
Recommendation,
ProductName,
ProviderName,
AlertTitle
description: |
"Detects phishing campaigns targeting enterprise domains, as identified through CYFIRMA's Data Breach and Dark Web Monitoring.
These alerts may include malicious URLs used for credential harvesting, domain impersonation, or social engineering.
Immediate triage and takedown actions are recommended."
tactics:
- InitialAccess
- Exfiltration
requiredDataConnectors:
- dataTypes:
- CyfirmaDBWMPhishingAlerts_CL
connectorId: CyfirmaDigitalRiskAlertsConnector
alertDetailsOverride:
alertDisplayNameFormat: 'CYFIRMA - High Severity Alert: Phishing Campaign Detection - {{AlertTitle}} '
alertDescriptionFormat: '{{Description}} '
alertDynamicProperties:
- value: ProductName
alertProperty: ProductName
- value: ProviderName
alertProperty: ProviderName
incidentConfiguration:
groupingConfiguration:
enabled: false
lookbackDuration: PT5H
reopenClosedIncident: false
matchingMethod: AllEntities
createIncident: true
id: 17cce4fc-9b4c-4eef-a4c7-083b44545e6e
severity: High
eventGroupingSettings:
aggregationKind: AlertPerResult
status: Available
customDetails:
TimeGenerated: TimeGenerated
LastSeen: LastSeen
RiskScore: RiskScore
FirstSeen: FirstSeen
UID: UID
Impact: Impact
Recommendation: Recommendation
AssetValue: AssetValue
AlertUID: AlertUID
Description: Description
AssetType: AssetType
Source: Source
query: |
// High severity - Data Breach and Web Monitoring - Phishing Campaign Detection
let timeFrame = 5m;
CyfirmaDBWMPhishingAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=signature,
Source=source,
Impact='',
Recommendation='',
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT',
AlertTitle=Alert_title
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Source,
Impact,
Recommendation,
ProductName,
ProviderName,
AlertTitle
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMPhishingCampaignDetectionHighRule.yaml
kind: Scheduled
queryPeriod: 5m
name: CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule
queryFrequency: 5m
triggerThreshold: 0
relevantTechniques:
- T1566.001
- T1566.002
- T1566.003
version: 1.0.1
triggerOperator: gt