CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule
| Id | 4fe04459-13f1-4ff7-9b7c-f9be0c2aad6d |
| Rulename | CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule |
| Description | “This rule detects high-severity social threat alerts from CYFIRMA related to impersonation, fake profiles, or malicious activities on social platforms that may target executives, brands, or employees. These threats can result in reputational damage, phishing, or social engineering attacks. Immediate investigation and takedown are recommended to minimize risk.” |
| Severity | High |
| Tactics | ResourceDevelopment Reconnaissance InitialAccess Impact |
| Techniques | T1585.001 T1593 T1566 T1582 T1491 |
| Required data connectors | CyfirmaDigitalRiskAlertsConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESocialMediaThreatsHighRule.yaml |
| Version | 1.0.1 |
| Arm template | 4fe04459-13f1-4ff7-9b7c-f9be0c2aad6d.json |
// High severity - Social and Public Exposure - Social Media Threats Activity Detected
let timeFrame = 5m;
CyfirmaSPESocialThreatAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=signature,
Source=source,
Impact=impact,
Recommendation=recommendation,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT',
AlertTitle=Alert_title
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Source,
Impact,
Recommendation,
ProductName,
ProviderName,
AlertTitle
kind: Scheduled
customDetails:
Description: Description
AlertUID: AlertUID
LastSeen: LastSeen
Source: Source
TimeGenerated: TimeGenerated
FirstSeen: FirstSeen
RiskScore: RiskScore
Recommendation: Recommendation
AssetValue: AssetValue
Impact: Impact
AssetType: AssetType
UID: UID
alertDetailsOverride:
alertDisplayNameFormat: 'CYFIRMA - High Severity Alert: Social Media Threat Activity Detected - {{AlertTitle}} '
alertDescriptionFormat: '{{Description}} '
alertDynamicProperties:
- value: ProductName
alertProperty: ProductName
- value: ProviderName
alertProperty: ProviderName
description: |
"This rule detects high-severity social threat alerts from CYFIRMA related to impersonation, fake profiles, or malicious activities on social platforms that may target executives, brands, or employees.
These threats can result in reputational damage, phishing, or social engineering attacks.
Immediate investigation and takedown are recommended to minimize risk."
severity: High
queryFrequency: 5m
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: PT5H
enabled: false
createIncident: true
triggerThreshold: 0
relevantTechniques:
- T1585.001
- T1593
- T1566
- T1582
- T1491
eventGroupingSettings:
aggregationKind: AlertPerResult
status: Available
version: 1.0.1
name: CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule
id: 4fe04459-13f1-4ff7-9b7c-f9be0c2aad6d
query: |
// High severity - Social and Public Exposure - Social Media Threats Activity Detected
let timeFrame = 5m;
CyfirmaSPESocialThreatAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=signature,
Source=source,
Impact=impact,
Recommendation=recommendation,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT',
AlertTitle=Alert_title
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Source,
Impact,
Recommendation,
ProductName,
ProviderName,
AlertTitle
requiredDataConnectors:
- dataTypes:
- CyfirmaSPESocialThreatAlerts_CL
connectorId: CyfirmaDigitalRiskAlertsConnector
tactics:
- ResourceDevelopment
- Reconnaissance
- InitialAccess
- Impact
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESocialMediaThreatsHighRule.yaml
queryPeriod: 5m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4fe04459-13f1-4ff7-9b7c-f9be0c2aad6d')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4fe04459-13f1-4ff7-9b7c-f9be0c2aad6d')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{Description}} ",
"alertDisplayNameFormat": "CYFIRMA - High Severity Alert: Social Media Threat Activity Detected - {{AlertTitle}} ",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "4fe04459-13f1-4ff7-9b7c-f9be0c2aad6d",
"customDetails": {
"AlertUID": "AlertUID",
"AssetType": "AssetType",
"AssetValue": "AssetValue",
"Description": "Description",
"FirstSeen": "FirstSeen",
"Impact": "Impact",
"LastSeen": "LastSeen",
"Recommendation": "Recommendation",
"RiskScore": "RiskScore",
"Source": "Source",
"TimeGenerated": "TimeGenerated",
"UID": "UID"
},
"description": "\"This rule detects high-severity social threat alerts from CYFIRMA related to impersonation, fake profiles, or malicious activities on social platforms that may target executives, brands, or employees. \nThese threats can result in reputational damage, phishing, or social engineering attacks. \nImmediate investigation and takedown are recommended to minimize risk.\"\n",
"displayName": "CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule",
"enabled": true,
"entityMappings": null,
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESocialMediaThreatsHighRule.yaml",
"query": "// High severity - Social and Public Exposure - Social Media Threats Activity Detected\nlet timeFrame = 5m;\nCyfirmaSPESocialThreatAlerts_CL\n| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n Description=description,\n FirstSeen=first_seen,\n LastSeen=last_seen,\n RiskScore=risk_score,\n AlertUID=alert_uid,\n UID=uid,\n AssetType=asset_type,\n AssetValue=signature,\n Source=source,\n Impact=impact,\n Recommendation=recommendation,\n ProviderName='CYFIRMA',\n ProductName='DeCYFIR/DeTCT',\n AlertTitle=Alert_title\n| project\n TimeGenerated,\n Description,\n RiskScore,\n FirstSeen,\n LastSeen,\n AlertUID,\n UID,\n AssetType,\n AssetValue,\n Source,\n Impact,\n Recommendation,\n ProductName,\n ProviderName,\n AlertTitle\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [
"T1585.001"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact",
"InitialAccess",
"Reconnaissance",
"ResourceDevelopment"
],
"techniques": [
"T1491",
"T1566",
"T1585",
"T1593"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}