CYFIRMA - Brand Intelligence - Social Media Handle Impersonation Detected High Rule

// High severity - Social Media Handle Impersonation
let timeFrame = 5m;
CyfirmaBISocialHandlersAlerts_CL 
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=asset_value,
      Impact=impact,
      Recommendation=recommendation,
      SourceSype=source_type,
      ProviderName="CYFIRMA",
      ProductName="DeCYFIR/DeTCT"
  | project 
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Impact,
      Recommendation,
      SourceSype,
      ProductName,
      ProviderName

alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDescriptionFormat: '{{Description}} '
  alertDisplayNameFormat: 'CYFIRMA - High Severity Social Media Handle Impersonation Detected - {{AssetType}}  :  {{AssetValue}} '
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    reopenClosedIncident: false
    enabled: false
requiredDataConnectors:
- dataTypes:
  - CyfirmaBISocialHandlersAlerts_CL
  connectorId: CyfirmaBrandIntelligenceAlertsDC
relevantTechniques:
- T1589.003
- T1591.002
- T1585.001
- T1566.002
triggerOperator: gt
version: 1.0.1
queryFrequency: 5m
severity: High
description: |
  "Detects high-severity alerts related to impersonation of official social media handles associated with your brand. 
  These spoofed accounts may be used for phishing, disinformation, or fraud campaigns, posing significant reputational and security risks."  
triggerThreshold: 0
customDetails:
  AssetValue: AssetValue
  Description: Description
  LastSeen: LastSeen
  AssetType: AssetType
  SourceSype: SourceSype
  FirstSeen: FirstSeen
  RiskScore: RiskScore
  Recommendation: Recommendation
  AlertUID: AlertUID
  Impact: Impact
  UID: UID
  TimeGenerated: TimeGenerated
name: CYFIRMA - Brand Intelligence - Social Media Handle Impersonation Detected High Rule
query: |
  // High severity - Social Media Handle Impersonation
  let timeFrame = 5m;
  CyfirmaBISocialHandlersAlerts_CL 
    | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
    | extend
        Description=description,
        FirstSeen=first_seen,
        LastSeen=last_seen,
        RiskScore=risk_score,
        AlertUID=alert_uid,
        UID=uid,
        AssetType=asset_type,
        AssetValue=asset_value,
        Impact=impact,
        Recommendation=recommendation,
        SourceSype=source_type,
        ProviderName="CYFIRMA",
        ProductName="DeCYFIR/DeTCT"
    | project 
        TimeGenerated,
        Description,
        RiskScore,
        FirstSeen,
        LastSeen,
        AlertUID,
        UID,
        AssetType,
        AssetValue,
        Impact,
        Recommendation,
        SourceSype,
        ProductName,
        ProviderName  
tactics:
- Reconnaissance
- ResourceDevelopment
- InitialAccess
queryPeriod: 5m
kind: Scheduled
id: 22f49d67-7da7-4809-8d07-89e4478aa6b0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BISocialMediaHandlerHighRule.yaml
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available