Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. CYFIRMA - Medium severity Malicious Phishing Network Indicators - Monitor Recommended Rule

CYFIRMA - Medium severity Malicious Phishing Network Indicators - Monitor Recommended Rule

Back
Id1b9603dd-4787-403e-8a35-387c554bd15b
RulenameCYFIRMA - Medium severity Malicious Phishing Network Indicators - Monitor Recommended Rule
Description“This analytics rule identifies network-based indicators such as URLs, IP addresses, and domains related to phishing campaigns, as reported by CYFIRMA threat intelligence.

These indicators are flagged with a recommended action to block and are categorized under the ‘Phishing’ role.

Such infrastructure is often used to deliver phishing emails, host fake login portals, or redirect victims to credential-harvesting pages.

monitoring these indicators proactively helps prevent user compromise and data theft.”
SeverityMedium
TacticsInitialAccess
Execution
CredentialAccess
Exfiltration
TechniquesT1566
T1204
T1556
T1110
T1041
T1566.001
T1566.002
T1204.001
T1556.002
T1110.003
Required data connectorsCyfirmaCyberIntelligenceDC
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/PhishingNetworkIndicatorsMonitorMediumSeverityRule.yaml
Version1.0.1
Arm template1b9603dd-4787-403e-8a35-387c554bd15b.json
Deploy To Azure
//Phishing Network Indicators - Monitor Recommended
let timeFrame= 5m;
CyfirmaIndicators_CL 
| where (ConfidenceScore < 80 and ConfidenceScore >= 50)
    and TimeGenerated between (ago(timeFrame) .. now())
    and pattern !contains 'file:hashes' and RecommendedActions has 'Monitor' and Roles has 'Phishing'
| extend IPv4 = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend IPv6 = extract(@"ipv6-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend URL = extract(@"url:value\s*=\s*'([^']+)'", 1, pattern)
| extend Domain = extract(@"domain-name:value\s*=\s*'([^']+)'", 1, pattern)
| extend parsed = parse_json(extensions)
| extend extensionKeys = bag_keys(parsed)
| mv-expand extensionKeys
| extend extensionKeyStr = tostring(extensionKeys)
| extend ext = parsed[extensionKeyStr]
| extend props = ext.properties
| extend 
    extension_id = extensionKeyStr,
    ASN_Owner = props.asn_owner,
    ASN = props.asn,
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| project
    IPv4,
    IPv6,
    URL,
    Domain,
    ThreatActors,
    RecommendedActions,
    Sources,
    Roles,
    Country,
    IPAbuse,
    name,
    Description,
    ConfidenceScore,
    IndicatorID,
    created,
    modified,
    valid_from,
    Tags,
    ThreatType,
    TimeGenerated,
    SecurityVendors,
    ProductName,
    ProviderName

suppressionEnabled: true
triggerThreshold: 0
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/PhishingNetworkIndicatorsMonitorMediumSeverityRule.yaml
kind: Scheduled
alertDetailsOverride:
  alertDescriptionFormat: '{{Description}} - {{name}} '
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDisplayNameFormat: 'High-Confidence Malicious Phishing Network Indicators - Monitor Recommended - {{name}} '
description: |
  "This analytics rule identifies network-based indicators such as URLs, IP addresses, and domains related to phishing campaigns, as reported by CYFIRMA threat intelligence. 
  These indicators are flagged with a recommended action to block and are categorized under the 'Phishing' role.
  Such infrastructure is often used to deliver phishing emails, host fake login portals, or redirect victims to credential-harvesting pages. 
  monitoring these indicators proactively helps prevent user compromise and data theft."  
triggerOperator: GreaterThan
customDetails:
  ThreatActors: ThreatActors
  Roles: Roles
  RecommendedActions: RecommendedActions
  ThreatType: ThreatType
  Created: created
  Description: Description
  ValidFrom: valid_from
  Country: Country
  IPAbuse: IPAbuse
  SecurityVendors: SecurityVendors
  Sources: Sources
  Tags: Tags
  IndicatorID: IndicatorID
  Modified: modified
  TimeGenerated: TimeGenerated
  ConfidenceScore: ConfidenceScore
tactics:
- InitialAccess
- Execution
- CredentialAccess
- Exfiltration
queryPeriod: 5m
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: 1b9603dd-4787-403e-8a35-387c554bd15b
enabled: false
severity: Medium
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: false
  createIncident: true
requiredDataConnectors:
- connectorId: CyfirmaCyberIntelligenceDC
  dataTypes:
  - CyfirmaIndicators_CL
version: 1.0.1
query: |
  //Phishing Network Indicators - Monitor Recommended
  let timeFrame= 5m;
  CyfirmaIndicators_CL 
  | where (ConfidenceScore < 80 and ConfidenceScore >= 50)
      and TimeGenerated between (ago(timeFrame) .. now())
      and pattern !contains 'file:hashes' and RecommendedActions has 'Monitor' and Roles has 'Phishing'
  | extend IPv4 = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, pattern)
  | extend IPv6 = extract(@"ipv6-addr:value\s*=\s*'([^']+)'", 1, pattern)
  | extend URL = extract(@"url:value\s*=\s*'([^']+)'", 1, pattern)
  | extend Domain = extract(@"domain-name:value\s*=\s*'([^']+)'", 1, pattern)
  | extend parsed = parse_json(extensions)
  | extend extensionKeys = bag_keys(parsed)
  | mv-expand extensionKeys
  | extend extensionKeyStr = tostring(extensionKeys)
  | extend ext = parsed[extensionKeyStr]
  | extend props = ext.properties
  | extend 
      extension_id = extensionKeyStr,
      ASN_Owner = props.asn_owner,
      ASN = props.asn,
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | project
      IPv4,
      IPv6,
      URL,
      Domain,
      ThreatActors,
      RecommendedActions,
      Sources,
      Roles,
      Country,
      IPAbuse,
      name,
      Description,
      ConfidenceScore,
      IndicatorID,
      created,
      modified,
      valid_from,
      Tags,
      ThreatType,
      TimeGenerated,
      SecurityVendors,
      ProductName,
      ProviderName  
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPv4
  entityType: IP
- fieldMappings:
  - identifier: Address
    columnName: IPv6
  entityType: IP
- fieldMappings:
  - identifier: DomainName
    columnName: Domain
  entityType: DNS
- fieldMappings:
  - identifier: Url
    columnName: URL
  entityType: URL
name: CYFIRMA - Medium severity Malicious Phishing Network Indicators - Monitor Recommended Rule
suppressionDuration: 5m
relevantTechniques:
- T1566
- T1204
- T1556
- T1110
- T1041
- T1566.001
- T1566.002
- T1204.001
- T1556.002
- T1110.003