CYFIRMA - High severity Malicious Phishing Network Indicators - Monitor Recommended Rule

//Phishing Network Indicators - Monitor Recommended
let timeFrame= 5m;
CyfirmaIndicators_CL 
| where ConfidenceScore >= 80
    and TimeGenerated between (ago(timeFrame) .. now())
    and pattern !contains 'file:hashes' and RecommendedActions has 'Monitor' and Roles has 'Phishing'
| extend IPv4 = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend IPv6 = extract(@"ipv6-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend URL = extract(@"url:value\s*=\s*'([^']+)'", 1, pattern)
| extend Domain = extract(@"domain-name:value\s*=\s*'([^']+)'", 1, pattern)
| extend parsed = parse_json(extensions)
| extend extensionKeys = bag_keys(parsed)
| mv-expand extensionKeys
| extend extensionKeyStr = tostring(extensionKeys)
| extend ext = parsed[extensionKeyStr]
| extend props = ext.properties
| extend 
    extension_id = extensionKeyStr,
    ASN_Owner = props.asn_owner,
    ASN = props.asn,
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| project
    IPv4,
    IPv6,
    URL,
    Domain,
    ThreatActors,
    RecommendedActions,
    Sources,
    Roles,
    Country,
    IPAbuse,
    name,
    Description,
    ConfidenceScore,
    IndicatorID,
    created,
    modified,
    valid_from,
    Tags,
    ThreatType,
    TimeGenerated,
    SecurityVendors,
    ProductName,
    ProviderName

incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
  createIncident: true
description: |
  "This analytics rule identifies network-based indicators such as URLs, IP addresses, and domains related to phishing campaigns, as reported by CYFIRMA threat intelligence. 
  These indicators are flagged with a recommended action to block and are categorized under the 'Phishing' role.
  Such infrastructure is often used to deliver phishing emails, host fake login portals, or redirect victims to credential-harvesting pages. 
  monitoring these indicators proactively helps prevent user compromise and data theft."  
alertDetailsOverride:
  alertDisplayNameFormat: 'High-Confidence Malicious Phishing Network Indicators - Monitor Recommended - {{name}} '
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDescriptionFormat: '{{Description}} - {{name}} '
query: |
  //Phishing Network Indicators - Monitor Recommended
  let timeFrame= 5m;
  CyfirmaIndicators_CL 
  | where ConfidenceScore >= 80
      and TimeGenerated between (ago(timeFrame) .. now())
      and pattern !contains 'file:hashes' and RecommendedActions has 'Monitor' and Roles has 'Phishing'
  | extend IPv4 = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, pattern)
  | extend IPv6 = extract(@"ipv6-addr:value\s*=\s*'([^']+)'", 1, pattern)
  | extend URL = extract(@"url:value\s*=\s*'([^']+)'", 1, pattern)
  | extend Domain = extract(@"domain-name:value\s*=\s*'([^']+)'", 1, pattern)
  | extend parsed = parse_json(extensions)
  | extend extensionKeys = bag_keys(parsed)
  | mv-expand extensionKeys
  | extend extensionKeyStr = tostring(extensionKeys)
  | extend ext = parsed[extensionKeyStr]
  | extend props = ext.properties
  | extend 
      extension_id = extensionKeyStr,
      ASN_Owner = props.asn_owner,
      ASN = props.asn,
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | project
      IPv4,
      IPv6,
      URL,
      Domain,
      ThreatActors,
      RecommendedActions,
      Sources,
      Roles,
      Country,
      IPAbuse,
      name,
      Description,
      ConfidenceScore,
      IndicatorID,
      created,
      modified,
      valid_from,
      Tags,
      ThreatType,
      TimeGenerated,
      SecurityVendors,
      ProductName,
      ProviderName  
eventGroupingSettings:
  aggregationKind: AlertPerResult
requiredDataConnectors:
- dataTypes:
  - CyfirmaIndicators_CL
  connectorId: CyfirmaCyberIntelligenceDC
name: CYFIRMA - High severity Malicious Phishing Network Indicators - Monitor Recommended Rule
relevantTechniques:
- T1566
- T1204
- T1556
- T1110
- T1041
- T1566.001
- T1566.002
- T1204.001
- T1556.002
- T1110.003
suppressionDuration: 5m
enabled: false
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPv4
    identifier: Address
- entityType: IP
  fieldMappings:
  - columnName: IPv6
    identifier: Address
- entityType: DNS
  fieldMappings:
  - columnName: Domain
    identifier: DomainName
- entityType: URL
  fieldMappings:
  - columnName: URL
    identifier: Url
tactics:
- InitialAccess
- Execution
- CredentialAccess
- Exfiltration
queryPeriod: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/PhishingNetworkIndicatorsMonitorHighSeverityRule.yaml
triggerThreshold: 0
severity: High
kind: Scheduled
suppressionEnabled: true
queryFrequency: 5m
id: 359e2afb-b6d4-45db-90aa-c89ce7234d72
version: 1.0.1
customDetails:
  TimeGenerated: TimeGenerated
  Description: Description
  IndicatorID: IndicatorID
  RecommendedActions: RecommendedActions
  ConfidenceScore: ConfidenceScore
  SecurityVendors: SecurityVendors
  Created: created
  ValidFrom: valid_from
  Sources: Sources
  ThreatType: ThreatType
  Country: Country
  Modified: modified
  IPAbuse: IPAbuse
  Roles: Roles
  Tags: Tags
  ThreatActors: ThreatActors
triggerOperator: GreaterThan