Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Brand Intelligence - Malicious Mobile App High Rule

Back
Id3176ac89-b195-48b7-a01e-740a6b26fb2f
RulenameCYFIRMA - Brand Intelligence - Malicious Mobile App High Rule
Description“This analytic rule detects instances where malicious or unauthorized mobile applications are discovered mimicking legitimate brand assets.

Such impersonations may be distributed through unofficial app stores or third-party websites, potentially deceiving customers, harvesting sensitive data, or damaging brand reputation.

This alert is triggered when CYFIRMA threat intelligence identifies a suspicious mobile app associated with the organization’s brand or product names.”
SeverityHigh
TacticsResourceDevelopment
Execution
DefenseEvasion
CredentialAccess
CommandAndControl
TechniquesT1406
T1414
T1437
T1583.001
T1204.002
Required data connectorsCyfirmaBrandIntelligenceAlertsDC
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIMaliciousMobileAppHighRule.yaml
Version1.0.0
Arm template3176ac89-b195-48b7-a01e-740a6b26fb2f.json
Deploy To Azure
// High severity - Malicious Mobile App Impersonation
let timeFrame = 5m;
CyfirmaBIMaliciousMobileAppsAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=asset_value,
    Impact=impact,
    Recommendation=recommendation,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT'
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Impact,
    Recommendation,
    ProductName,
    ProviderName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIMaliciousMobileAppHighRule.yaml
triggerThreshold: 0
severity: High
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 5h
    enabled: false
    matchingMethod: AllEntities
    reopenClosedIncident: false
queryFrequency: 5m
status: Available
customDetails:
  AlertUID: AlertUID
  TimeGenerated: TimeGenerated
  Recommendation: Recommendation
  FirstSeen: FirstSeen
  Description: Description
  LastSeen: LastSeen
  AssetType: AssetType
  Impact: Impact
  AssetValue: AssetValue
  UID: UID
  RiskScore: RiskScore
relevantTechniques:
- T1406
- T1414
- T1437
- T1583.001
- T1204.002
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - High Severity Alert: Malicious Mobile App Impersonating Brand Detected - {{AssetType}} - {{AssetValue}} '
  alertDescriptionFormat: '{{Description}} '
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
triggerOperator: gt
id: 3176ac89-b195-48b7-a01e-740a6b26fb2f
requiredDataConnectors:
- connectorId: CyfirmaBrandIntelligenceAlertsDC
  dataTypes:
  - CyfirmaBIMaliciousMobileAppsAlerts_CL
version: 1.0.0
name: CYFIRMA - Brand Intelligence - Malicious Mobile App High Rule
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: |
  "This analytic rule detects instances where malicious or unauthorized mobile applications are discovered mimicking legitimate brand assets. 
  Such impersonations may be distributed through unofficial app stores or third-party websites, potentially deceiving customers, harvesting sensitive data, or damaging brand reputation. 
  This alert is triggered when CYFIRMA threat intelligence identifies a suspicious mobile app associated with the organization's brand or product names."  
query: |
  // High severity - Malicious Mobile App Impersonation
  let timeFrame = 5m;
  CyfirmaBIMaliciousMobileAppsAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=asset_value,
      Impact=impact,
      Recommendation=recommendation,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Impact,
      Recommendation,
      ProductName,
      ProviderName  
tactics:
- ResourceDevelopment
- Execution
- DefenseEvasion
- CredentialAccess
- CommandAndControl
queryPeriod: 5m
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3176ac89-b195-48b7-a01e-740a6b26fb2f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3176ac89-b195-48b7-a01e-740a6b26fb2f')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{Description}} ",
          "alertDisplayNameFormat": "CYFIRMA - High Severity Alert: Malicious Mobile App Impersonating Brand Detected - {{AssetType}} - {{AssetValue}} ",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "3176ac89-b195-48b7-a01e-740a6b26fb2f",
        "customDetails": {
          "AlertUID": "AlertUID",
          "AssetType": "AssetType",
          "AssetValue": "AssetValue",
          "Description": "Description",
          "FirstSeen": "FirstSeen",
          "Impact": "Impact",
          "LastSeen": "LastSeen",
          "Recommendation": "Recommendation",
          "RiskScore": "RiskScore",
          "TimeGenerated": "TimeGenerated",
          "UID": "UID"
        },
        "description": "\"This analytic rule detects instances where malicious or unauthorized mobile applications are discovered mimicking legitimate brand assets. \nSuch impersonations may be distributed through unofficial app stores or third-party websites, potentially deceiving customers, harvesting sensitive data, or damaging brand reputation. \nThis alert is triggered when CYFIRMA threat intelligence identifies a suspicious mobile app associated with the organization's brand or product names.\"\n",
        "displayName": "CYFIRMA - Brand Intelligence - Malicious Mobile App High Rule",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIMaliciousMobileAppHighRule.yaml",
        "query": "// High severity - Malicious Mobile App Impersonation\nlet timeFrame = 5m;\nCyfirmaBIMaliciousMobileAppsAlerts_CL\n| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n    Description=description,\n    FirstSeen=first_seen,\n    LastSeen=last_seen,\n    RiskScore=risk_score,\n    AlertUID=alert_uid,\n    UID=uid,\n    AssetType=asset_type,\n    AssetValue=asset_value,\n    Impact=impact,\n    Recommendation=recommendation,\n    ProviderName='CYFIRMA',\n    ProductName='DeCYFIR/DeTCT'\n| project\n    TimeGenerated,\n    Description,\n    RiskScore,\n    FirstSeen,\n    LastSeen,\n    AlertUID,\n    UID,\n    AssetType,\n    AssetValue,\n    Impact,\n    Recommendation,\n    ProductName,\n    ProviderName\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [
          "T1583.001",
          "T1204.002"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "CredentialAccess",
          "DefenseEvasion",
          "Execution",
          "ResourceDevelopment"
        ],
        "techniques": [
          "T1204",
          "T1583"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}