CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule
Id | 4fe04459-13f1-4ff7-9b7c-f9be0c2aad6d |
Rulename | CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule |
Description | “This rule detects high-severity social threat alerts from CYFIRMA related to impersonation, fake profiles, or malicious activities on social platforms that may target executives, brands, or employees. These threats can result in reputational damage, phishing, or social engineering attacks. Immediate investigation and takedown are recommended to minimize risk.” |
Severity | High |
Tactics | ResourceDevelopment Reconnaissance InitialAccess Impact |
Techniques | T1585.001 T1593 T1566 T1582 T1491 |
Required data connectors | CyfirmaDigitalRiskAlertsConnector |
Kind | Scheduled |
Query frequency | 5m |
Query period | 5m |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESocialMediaThreatsHighRule.yaml |
Version | 1.0.0 |
Arm template | 4fe04459-13f1-4ff7-9b7c-f9be0c2aad6d.json |
// High severity - Social and Public Exposure - Social Media Threats Activity Detected
let timeFrame = 5m;
CyfirmaSPESocialThreatAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=signature,
Source=source,
Impact=impact,
Recommendation=recommendation,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT',
AlertTitle=Alert_title
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Source,
Impact,
Recommendation,
ProductName,
ProviderName,
AlertTitle
requiredDataConnectors:
- connectorId: CyfirmaDigitalRiskAlertsConnector
dataTypes:
- CyfirmaSPESocialThreatAlerts_CL
tactics:
- ResourceDevelopment
- Reconnaissance
- InitialAccess
- Impact
eventGroupingSettings:
aggregationKind: AlertPerResult
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: false
lookbackDuration: 5h
matchingMethod: AllEntities
reopenClosedIncident: false
description: |
"This rule detects high-severity social threat alerts from CYFIRMA related to impersonation, fake profiles, or malicious activities on social platforms that may target executives, brands, or employees.
These threats can result in reputational damage, phishing, or social engineering attacks.
Immediate investigation and takedown are recommended to minimize risk."
query: |
// High severity - Social and Public Exposure - Social Media Threats Activity Detected
let timeFrame = 5m;
CyfirmaSPESocialThreatAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=signature,
Source=source,
Impact=impact,
Recommendation=recommendation,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT',
AlertTitle=Alert_title
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Source,
Impact,
Recommendation,
ProductName,
ProviderName,
AlertTitle
id: 4fe04459-13f1-4ff7-9b7c-f9be0c2aad6d
triggerOperator: gt
alertDetailsOverride:
alertDisplayNameFormat: 'CYFIRMA - High Severity Alert: Social Media Threat Activity Detected - {{AlertTitle}} '
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
alertDescriptionFormat: '{{Description}} '
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESocialMediaThreatsHighRule.yaml
queryFrequency: 5m
severity: High
name: CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule
queryPeriod: 5m
relevantTechniques:
- T1585.001
- T1593
- T1566
- T1582
- T1491
kind: Scheduled
triggerThreshold: 0
version: 1.0.0
customDetails:
TimeGenerated: TimeGenerated
UID: UID
AssetType: AssetType
Impact: Impact
Description: Description
LastSeen: LastSeen
AssetValue: AssetValue
FirstSeen: FirstSeen
RiskScore: RiskScore
AlertUID: AlertUID
Recommendation: Recommendation
Source: Source
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4fe04459-13f1-4ff7-9b7c-f9be0c2aad6d')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4fe04459-13f1-4ff7-9b7c-f9be0c2aad6d')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{Description}} ",
"alertDisplayNameFormat": "CYFIRMA - High Severity Alert: Social Media Threat Activity Detected - {{AlertTitle}} ",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "4fe04459-13f1-4ff7-9b7c-f9be0c2aad6d",
"customDetails": {
"AlertUID": "AlertUID",
"AssetType": "AssetType",
"AssetValue": "AssetValue",
"Description": "Description",
"FirstSeen": "FirstSeen",
"Impact": "Impact",
"LastSeen": "LastSeen",
"Recommendation": "Recommendation",
"RiskScore": "RiskScore",
"Source": "Source",
"TimeGenerated": "TimeGenerated",
"UID": "UID"
},
"description": "\"This rule detects high-severity social threat alerts from CYFIRMA related to impersonation, fake profiles, or malicious activities on social platforms that may target executives, brands, or employees. \nThese threats can result in reputational damage, phishing, or social engineering attacks. \nImmediate investigation and takedown are recommended to minimize risk.\"\n",
"displayName": "CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule",
"enabled": true,
"entityMappings": null,
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESocialMediaThreatsHighRule.yaml",
"query": "// High severity - Social and Public Exposure - Social Media Threats Activity Detected\nlet timeFrame = 5m;\nCyfirmaSPESocialThreatAlerts_CL\n| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n Description=description,\n FirstSeen=first_seen,\n LastSeen=last_seen,\n RiskScore=risk_score,\n AlertUID=alert_uid,\n UID=uid,\n AssetType=asset_type,\n AssetValue=signature,\n Source=source,\n Impact=impact,\n Recommendation=recommendation,\n ProviderName='CYFIRMA',\n ProductName='DeCYFIR/DeTCT',\n AlertTitle=Alert_title\n| project\n TimeGenerated,\n Description,\n RiskScore,\n FirstSeen,\n LastSeen,\n AlertUID,\n UID,\n AssetType,\n AssetValue,\n Source,\n Impact,\n Recommendation,\n ProductName,\n ProviderName,\n AlertTitle\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [
"T1585.001"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact",
"InitialAccess",
"Reconnaissance",
"ResourceDevelopment"
],
"techniques": [
"T1491",
"T1566",
"T1585",
"T1593"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}