CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule

// High severity - Data Breach and Web Monitoring - Phishing Campaign Detection
let timeFrame = 5m;
CyfirmaDBWMPhishingAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Source=source,
    Impact='',
    Recommendation='',
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Source,
    Impact,
    Recommendation,
    ProductName,
    ProviderName,
    AlertTitle

relevantTechniques:
- T1566.001
- T1566.002
- T1566.003
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    reopenClosedIncident: false
    enabled: false
  createIncident: true
eventGroupingSettings:
  aggregationKind: AlertPerResult
query: |
  // High severity - Data Breach and Web Monitoring - Phishing Campaign Detection
  let timeFrame = 5m;
  CyfirmaDBWMPhishingAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact='',
      Recommendation='',
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Source,
      Impact,
      Recommendation,
      ProductName,
      ProviderName,
      AlertTitle  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/DBWMPhishingCampaignDetectionHighRule.yaml
description: |
  "Detects phishing campaigns targeting enterprise domains, as identified through CYFIRMA's Data Breach and Dark Web Monitoring. 
  These alerts may include malicious URLs used for credential harvesting, domain impersonation, or social engineering. 
  Immediate triage and takedown actions are recommended."  
requiredDataConnectors:
- connectorId: CyfirmaDigitalRiskAlertsConnector
  dataTypes:
  - CyfirmaDBWMPhishingAlerts_CL
triggerOperator: gt
name: CYFIRMA - Data Breach and Web Monitoring - Phishing Campaign Detection Rule
queryPeriod: 5m
triggerThreshold: 0
id: 17cce4fc-9b4c-4eef-a4c7-083b44545e6e
status: Available
customDetails:
  AssetType: AssetType
  FirstSeen: FirstSeen
  AlertUID: AlertUID
  TimeGenerated: TimeGenerated
  AssetValue: AssetValue
  UID: UID
  Source: Source
  Impact: Impact
  RiskScore: RiskScore
  Description: Description
  LastSeen: LastSeen
  Recommendation: Recommendation
kind: Scheduled
severity: High
queryFrequency: 5m
tactics:
- InitialAccess
- Exfiltration
version: 1.0.1
alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDisplayNameFormat: 'CYFIRMA - High Severity Alert:  Phishing Campaign Detection - {{AlertTitle}} '
  alertDescriptionFormat: '{{Description}} '