Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Brand Intelligence - Malicious Mobile App High Rule

Back
Id3176ac89-b195-48b7-a01e-740a6b26fb2f
RulenameCYFIRMA - Brand Intelligence - Malicious Mobile App High Rule
Description“This analytic rule detects instances where malicious or unauthorized mobile applications are discovered mimicking legitimate brand assets.

Such impersonations may be distributed through unofficial app stores or third-party websites, potentially deceiving customers, harvesting sensitive data, or damaging brand reputation.

This alert is triggered when CYFIRMA threat intelligence identifies a suspicious mobile app associated with the organization’s brand or product names.”
SeverityHigh
TacticsResourceDevelopment
Execution
DefenseEvasion
CredentialAccess
CommandAndControl
TechniquesT1406
T1414
T1437
T1583.001
T1204.002
Required data connectorsCyfirmaBrandIntelligenceAlertsDC
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIMaliciousMobileAppHighRule.yaml
Version1.0.0
Arm template3176ac89-b195-48b7-a01e-740a6b26fb2f.json
Deploy To Azure
// High severity - Malicious Mobile App Impersonation
let timeFrame = 5m;
CyfirmaBIMaliciousMobileAppsAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=asset_value,
    Impact=impact,
    Recommendation=recommendation,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT'
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Impact,
    Recommendation,
    ProductName,
    ProviderName
tactics:
- ResourceDevelopment
- Execution
- DefenseEvasion
- CredentialAccess
- CommandAndControl
name: CYFIRMA - Brand Intelligence - Malicious Mobile App High Rule
id: 3176ac89-b195-48b7-a01e-740a6b26fb2f
requiredDataConnectors:
- connectorId: CyfirmaBrandIntelligenceAlertsDC
  dataTypes:
  - CyfirmaBIMaliciousMobileAppsAlerts_CL
query: |
  // High severity - Malicious Mobile App Impersonation
  let timeFrame = 5m;
  CyfirmaBIMaliciousMobileAppsAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=asset_value,
      Impact=impact,
      Recommendation=recommendation,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Impact,
      Recommendation,
      ProductName,
      ProviderName  
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1406
- T1414
- T1437
- T1583.001
- T1204.002
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: 5h
    enabled: false
description: |
  "This analytic rule detects instances where malicious or unauthorized mobile applications are discovered mimicking legitimate brand assets. 
  Such impersonations may be distributed through unofficial app stores or third-party websites, potentially deceiving customers, harvesting sensitive data, or damaging brand reputation. 
  This alert is triggered when CYFIRMA threat intelligence identifies a suspicious mobile app associated with the organization's brand or product names."  
triggerOperator: gt
queryPeriod: 5m
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIMaliciousMobileAppHighRule.yaml
version: 1.0.0
alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDisplayNameFormat: 'CYFIRMA - High Severity Alert: Malicious Mobile App Impersonating Brand Detected - {{AssetType}} - {{AssetValue}} '
  alertDescriptionFormat: '{{Description}} '
triggerThreshold: 0
queryFrequency: 5m
kind: Scheduled
status: Available
customDetails:
  RiskScore: RiskScore
  AssetType: AssetType
  FirstSeen: FirstSeen
  Recommendation: Recommendation
  Impact: Impact
  UID: UID
  AssetValue: AssetValue
  Description: Description
  LastSeen: LastSeen
  AlertUID: AlertUID
  TimeGenerated: TimeGenerated
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3176ac89-b195-48b7-a01e-740a6b26fb2f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3176ac89-b195-48b7-a01e-740a6b26fb2f')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{Description}} ",
          "alertDisplayNameFormat": "CYFIRMA - High Severity Alert: Malicious Mobile App Impersonating Brand Detected - {{AssetType}} - {{AssetValue}} ",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "3176ac89-b195-48b7-a01e-740a6b26fb2f",
        "customDetails": {
          "AlertUID": "AlertUID",
          "AssetType": "AssetType",
          "AssetValue": "AssetValue",
          "Description": "Description",
          "FirstSeen": "FirstSeen",
          "Impact": "Impact",
          "LastSeen": "LastSeen",
          "Recommendation": "Recommendation",
          "RiskScore": "RiskScore",
          "TimeGenerated": "TimeGenerated",
          "UID": "UID"
        },
        "description": "\"This analytic rule detects instances where malicious or unauthorized mobile applications are discovered mimicking legitimate brand assets. \nSuch impersonations may be distributed through unofficial app stores or third-party websites, potentially deceiving customers, harvesting sensitive data, or damaging brand reputation. \nThis alert is triggered when CYFIRMA threat intelligence identifies a suspicious mobile app associated with the organization's brand or product names.\"\n",
        "displayName": "CYFIRMA - Brand Intelligence - Malicious Mobile App High Rule",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIMaliciousMobileAppHighRule.yaml",
        "query": "// High severity - Malicious Mobile App Impersonation\nlet timeFrame = 5m;\nCyfirmaBIMaliciousMobileAppsAlerts_CL\n| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n    Description=description,\n    FirstSeen=first_seen,\n    LastSeen=last_seen,\n    RiskScore=risk_score,\n    AlertUID=alert_uid,\n    UID=uid,\n    AssetType=asset_type,\n    AssetValue=asset_value,\n    Impact=impact,\n    Recommendation=recommendation,\n    ProviderName='CYFIRMA',\n    ProductName='DeCYFIR/DeTCT'\n| project\n    TimeGenerated,\n    Description,\n    RiskScore,\n    FirstSeen,\n    LastSeen,\n    AlertUID,\n    UID,\n    AssetType,\n    AssetValue,\n    Impact,\n    Recommendation,\n    ProductName,\n    ProviderName\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [
          "T1583.001",
          "T1204.002"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "CredentialAccess",
          "DefenseEvasion",
          "Execution",
          "ResourceDevelopment"
        ],
        "techniques": [
          "T1204",
          "T1583"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}