CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule

// High severity - Social and Public Exposure - Social Media Threats Activity Detected
let timeFrame = 5m;
CyfirmaSPESocialThreatAlerts_CL
| where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Source=source,
    Impact=impact,
    Recommendation=recommendation,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Source,
    Impact,
    Recommendation,
    ProductName,
    ProviderName,
    AlertTitle

queryFrequency: 5m
id: 4fe04459-13f1-4ff7-9b7c-f9be0c2aad6d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESocialMediaThreatsHighRule.yaml
requiredDataConnectors:
- connectorId: CyfirmaDigitalRiskAlertsConnector
  dataTypes:
  - CyfirmaSPESocialThreatAlerts_CL
name: CYFIRMA - Social and Public Exposure -  Social Media Threats  Activity Detected Rule
triggerOperator: gt
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - High Severity Alert: Social Media Threat Activity Detected - {{AlertTitle}} '
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
  alertDescriptionFormat: '{{Description}} '
status: Available
tactics:
- ResourceDevelopment
- Reconnaissance
- InitialAccess
- Impact
kind: Scheduled
description: |
  "This rule detects high-severity social threat alerts from CYFIRMA related to impersonation, fake profiles, or malicious activities on social platforms that may target executives, brands, or employees. 
  These threats can result in reputational damage, phishing, or social engineering attacks. 
  Immediate investigation and takedown are recommended to minimize risk."  
version: 1.0.1
customDetails:
  AssetValue: AssetValue
  FirstSeen: FirstSeen
  UID: UID
  Source: Source
  Impact: Impact
  LastSeen: LastSeen
  AssetType: AssetType
  Description: Description
  TimeGenerated: TimeGenerated
  RiskScore: RiskScore
  AlertUID: AlertUID
  Recommendation: Recommendation
relevantTechniques:
- T1585.001
- T1593
- T1566
- T1582
- T1491
queryPeriod: 5m
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
    enabled: false
  createIncident: true
severity: High
triggerThreshold: 0
query: |
  // High severity - Social and Public Exposure - Social Media Threats Activity Detected
  let timeFrame = 5m;
  CyfirmaSPESocialThreatAlerts_CL
  | where severity == 'Critical' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact=impact,
      Recommendation=recommendation,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Source,
      Impact,
      Recommendation,
      ProductName,
      ProviderName,
      AlertTitle  
eventGroupingSettings:
  aggregationKind: AlertPerResult