Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule

Back
Id4fe04459-13f1-4ff7-9b7c-f9be0c2aad6d
RulenameCYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule
Description“This rule detects high-severity social threat alerts from CYFIRMA related to impersonation, fake profiles, or malicious activities on social platforms that may target executives, brands, or employees.

These threats can result in reputational damage, phishing, or social engineering attacks.

Immediate investigation and takedown are recommended to minimize risk.”
SeverityHigh
TacticsResourceDevelopment
Reconnaissance
InitialAccess
Impact
TechniquesT1585.001
T1593
T1566
T1582
T1491
Required data connectorsCyfirmaDigitalRiskAlertsConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESocialMediaThreatsHighRule.yaml
Version1.0.0
Arm template4fe04459-13f1-4ff7-9b7c-f9be0c2aad6d.json
Deploy To Azure
// High severity - Social and Public Exposure - Social Media Threats Activity Detected
let timeFrame = 5m;
CyfirmaSPESocialThreatAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Source=source,
    Impact=impact,
    Recommendation=recommendation,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Source,
    Impact,
    Recommendation,
    ProductName,
    ProviderName,
    AlertTitle
tactics:
- ResourceDevelopment
- Reconnaissance
- InitialAccess
- Impact
name: CYFIRMA - Social and Public Exposure -  Social Media Threats  Activity Detected Rule
id: 4fe04459-13f1-4ff7-9b7c-f9be0c2aad6d
requiredDataConnectors:
- connectorId: CyfirmaDigitalRiskAlertsConnector
  dataTypes:
  - CyfirmaSPESocialThreatAlerts_CL
query: |
  // High severity - Social and Public Exposure - Social Media Threats Activity Detected
  let timeFrame = 5m;
  CyfirmaSPESocialThreatAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact=impact,
      Recommendation=recommendation,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Source,
      Impact,
      Recommendation,
      ProductName,
      ProviderName,
      AlertTitle  
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1585.001
- T1593
- T1566
- T1582
- T1491
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: 5h
    enabled: false
description: |
  "This rule detects high-severity social threat alerts from CYFIRMA related to impersonation, fake profiles, or malicious activities on social platforms that may target executives, brands, or employees. 
  These threats can result in reputational damage, phishing, or social engineering attacks. 
  Immediate investigation and takedown are recommended to minimize risk."  
triggerOperator: gt
queryPeriod: 5m
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESocialMediaThreatsHighRule.yaml
version: 1.0.0
alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDisplayNameFormat: 'CYFIRMA - High Severity Alert: Social Media Threat Activity Detected - {{AlertTitle}} '
  alertDescriptionFormat: '{{Description}} '
triggerThreshold: 0
queryFrequency: 5m
kind: Scheduled
status: Available
customDetails:
  Source: Source
  Impact: Impact
  AssetType: AssetType
  AssetValue: AssetValue
  TimeGenerated: TimeGenerated
  Description: Description
  AlertUID: AlertUID
  Recommendation: Recommendation
  UID: UID
  LastSeen: LastSeen
  RiskScore: RiskScore
  FirstSeen: FirstSeen
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4fe04459-13f1-4ff7-9b7c-f9be0c2aad6d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4fe04459-13f1-4ff7-9b7c-f9be0c2aad6d')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{Description}} ",
          "alertDisplayNameFormat": "CYFIRMA - High Severity Alert: Social Media Threat Activity Detected - {{AlertTitle}} ",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "4fe04459-13f1-4ff7-9b7c-f9be0c2aad6d",
        "customDetails": {
          "AlertUID": "AlertUID",
          "AssetType": "AssetType",
          "AssetValue": "AssetValue",
          "Description": "Description",
          "FirstSeen": "FirstSeen",
          "Impact": "Impact",
          "LastSeen": "LastSeen",
          "Recommendation": "Recommendation",
          "RiskScore": "RiskScore",
          "Source": "Source",
          "TimeGenerated": "TimeGenerated",
          "UID": "UID"
        },
        "description": "\"This rule detects high-severity social threat alerts from CYFIRMA related to impersonation, fake profiles, or malicious activities on social platforms that may target executives, brands, or employees. \nThese threats can result in reputational damage, phishing, or social engineering attacks. \nImmediate investigation and takedown are recommended to minimize risk.\"\n",
        "displayName": "CYFIRMA - Social and Public Exposure -  Social Media Threats  Activity Detected Rule",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESocialMediaThreatsHighRule.yaml",
        "query": "// High severity - Social and Public Exposure - Social Media Threats Activity Detected\nlet timeFrame = 5m;\nCyfirmaSPESocialThreatAlerts_CL\n| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n    Description=description,\n    FirstSeen=first_seen,\n    LastSeen=last_seen,\n    RiskScore=risk_score,\n    AlertUID=alert_uid,\n    UID=uid,\n    AssetType=asset_type,\n    AssetValue=signature,\n    Source=source,\n    Impact=impact,\n    Recommendation=recommendation,\n    ProviderName='CYFIRMA',\n    ProductName='DeCYFIR/DeTCT',\n    AlertTitle=Alert_title\n| project\n    TimeGenerated,\n    Description,\n    RiskScore,\n    FirstSeen,\n    LastSeen,\n    AlertUID,\n    UID,\n    AssetType,\n    AssetValue,\n    Source,\n    Impact,\n    Recommendation,\n    ProductName,\n    ProviderName,\n    AlertTitle\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [
          "T1585.001"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact",
          "InitialAccess",
          "Reconnaissance",
          "ResourceDevelopment"
        ],
        "techniques": [
          "T1491",
          "T1566",
          "T1585",
          "T1593"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}