Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Brand Intelligence - ProductSolution High Rule

Back
Id3a9a81bc-2f41-4d68-9cd1-7788326c92b1
RulenameCYFIRMA - Brand Intelligence - Product/Solution High Rule
Description“This alert is raised when CYFIRMA detects a critical reputation score for an IP address linked to your infrastructure.

The IP has been previously associated with hacking activity and web application attacks.

Denied outbound traffic to a foreign country from a known Microsoft data center IP suggests potential misuse or compromise of cloud infrastructure.”
SeverityHigh
TacticsResourceDevelopment
InitialAccess
TechniquesT1585.002
T1583.001
T1566
T1583
Required data connectorsCyfirmaBrandIntelligenceAlertsDC
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIProductSolutionHighRule.yaml
Version1.0.0
Arm template3a9a81bc-2f41-4d68-9cd1-7788326c92b1.json
Deploy To Azure
// High severity - Product/Solution Impersonation
let timeFrame = 5m;
CyfirmaBIProductSolutionAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=asset_value,
    Impact=impact,
    Recommendation=recommendation,
    SourceSype=source_type,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT'
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Impact,
    Recommendation,
    SourceSype,
    ProductName,
    ProviderName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIProductSolutionHighRule.yaml
triggerThreshold: 0
severity: High
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 5h
    enabled: false
    matchingMethod: AllEntities
    reopenClosedIncident: false
queryFrequency: 5m
status: Available
customDetails:
  TimeGenerated: TimeGenerated
  FirstSeen: FirstSeen
  Recommendation: Recommendation
  RiskScore: RiskScore
  AssetType: AssetType
  LastSeen: LastSeen
  Impact: Impact
  AlertUID: AlertUID
  SourceSype: SourceSype
  Description: Description
  AssetValue: AssetValue
  UID: UID
relevantTechniques:
- T1585.002
- T1583.001
- T1566
- T1583
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - Brand Impersonation Detected for Product/Solution - High Severity - {{AssetType}} : {{AssetValue}} '
  alertDescriptionFormat: '{{Description}} '
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
triggerOperator: gt
id: 3a9a81bc-2f41-4d68-9cd1-7788326c92b1
requiredDataConnectors:
- connectorId: CyfirmaBrandIntelligenceAlertsDC
  dataTypes:
  - CyfirmaBIProductSolutionAlerts_CL
version: 1.0.0
name: CYFIRMA - Brand Intelligence - Product/Solution High Rule
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: |
  "This alert is raised when CYFIRMA detects a critical reputation score for an IP address linked to your infrastructure. 
  The IP has been previously associated with hacking activity and web application attacks. 
  Denied outbound traffic to a foreign country from a known Microsoft data center IP suggests potential misuse or compromise of cloud infrastructure."  
query: |
  // High severity - Product/Solution Impersonation
  let timeFrame = 5m;
  CyfirmaBIProductSolutionAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=asset_value,
      Impact=impact,
      Recommendation=recommendation,
      SourceSype=source_type,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Impact,
      Recommendation,
      SourceSype,
      ProductName,
      ProviderName  
tactics:
- ResourceDevelopment
- InitialAccess
queryPeriod: 5m
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3a9a81bc-2f41-4d68-9cd1-7788326c92b1')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3a9a81bc-2f41-4d68-9cd1-7788326c92b1')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{Description}} ",
          "alertDisplayNameFormat": "CYFIRMA - Brand Impersonation Detected for Product/Solution - High Severity - {{AssetType}} : {{AssetValue}} ",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "3a9a81bc-2f41-4d68-9cd1-7788326c92b1",
        "customDetails": {
          "AlertUID": "AlertUID",
          "AssetType": "AssetType",
          "AssetValue": "AssetValue",
          "Description": "Description",
          "FirstSeen": "FirstSeen",
          "Impact": "Impact",
          "LastSeen": "LastSeen",
          "Recommendation": "Recommendation",
          "RiskScore": "RiskScore",
          "SourceSype": "SourceSype",
          "TimeGenerated": "TimeGenerated",
          "UID": "UID"
        },
        "description": "\"This alert is raised when CYFIRMA detects a critical reputation score for an IP address linked to your infrastructure. \nThe IP has been previously associated with hacking activity and web application attacks. \nDenied outbound traffic to a foreign country from a known Microsoft data center IP suggests potential misuse or compromise of cloud infrastructure.\"\n",
        "displayName": "CYFIRMA - Brand Intelligence - Product/Solution High Rule",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIProductSolutionHighRule.yaml",
        "query": "// High severity - Product/Solution Impersonation\nlet timeFrame = 5m;\nCyfirmaBIProductSolutionAlerts_CL\n| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n    Description=description,\n    FirstSeen=first_seen,\n    LastSeen=last_seen,\n    RiskScore=risk_score,\n    AlertUID=alert_uid,\n    UID=uid,\n    AssetType=asset_type,\n    AssetValue=asset_value,\n    Impact=impact,\n    Recommendation=recommendation,\n    SourceSype=source_type,\n    ProviderName='CYFIRMA',\n    ProductName='DeCYFIR/DeTCT'\n| project\n    TimeGenerated,\n    Description,\n    RiskScore,\n    FirstSeen,\n    LastSeen,\n    AlertUID,\n    UID,\n    AssetType,\n    AssetValue,\n    Impact,\n    Recommendation,\n    SourceSype,\n    ProductName,\n    ProviderName\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [
          "T1585.002",
          "T1583.001"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "ResourceDevelopment"
        ],
        "techniques": [
          "T1566",
          "T1583",
          "T1585"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}