CYFIRMA - Medium severity Malicious Phishing Network Indicators - Block Recommended Rule

//Malicious Phishing Network Indicators - Block Recommended
let timeFrame= 5m;
CyfirmaIndicators_CL 
| where (ConfidenceScore < 80 and ConfidenceScore >= 50)
    and TimeGenerated between (ago(timeFrame) .. now())
    and pattern !contains 'file:hashes' and RecommendedActions has 'Block' and Roles has 'Phishing'
| extend IPv4 = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend IPv6 = extract(@"ipv6-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend URL = extract(@"url:value\s*=\s*'([^']+)'", 1, pattern)
| extend Domain = extract(@"domain-name:value\s*=\s*'([^']+)'", 1, pattern)
| extend parsed = parse_json(extensions)
| extend extensionKeys = bag_keys(parsed)
| mv-expand extensionKeys
| extend extensionKeyStr = tostring(extensionKeys)
| extend ext = parsed[extensionKeyStr]
| extend props = ext.properties
| extend 
    extension_id = extensionKeyStr,
    ASN_Owner = props.asn_owner,
    ASN = props.asn,
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| project
    IPv4,
    IPv6,
    URL,
    Domain,
    ThreatActors,
    RecommendedActions,
    Sources,
    Roles,
    Country,
    IPAbuse,
    name,
    Description,
    ConfidenceScore,
    IndicatorID,
    created,
    modified,
    valid_from,
    Tags,
    ThreatType,
    TimeGenerated,
    SecurityVendors,
    ProductName,
    ProviderName

description: |
  "This analytics rule identifies network indicators such as URLs, IP addresses, and domains related to phishing campaigns, as reported by CYFIRMA threat intelligence. 
  These indicators are flagged with a recommended action to block and are categorized under the 'Phishing' role.
  Such infrastructure is often used to deliver phishing emails, host fake login portals, or redirect victims to credential-harvesting pages. 
  Blocking these indicators proactively helps prevent user compromise and data theft."  
tactics:
- InitialAccess
- Execution
- CredentialAccess
- Exfiltration
suppressionEnabled: true
suppressionDuration: 5m
requiredDataConnectors:
- dataTypes:
  - CyfirmaIndicators_CL
  connectorId: CyfirmaCyberIntelligenceDC
alertDetailsOverride:
  alertDisplayNameFormat: 'High-Confidence Malicious Phishing Network Indicators - Block Recommended - {{name}} '
  alertDescriptionFormat: '{{Description}} - {{name}} '
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
id: 5468e012-6681-44fb-be2d-b1cd58b62ac7
severity: Medium
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  Tags: Tags
  TimeGenerated: TimeGenerated
  SecurityVendors: SecurityVendors
  Country: Country
  ThreatActors: ThreatActors
  Roles: Roles
  ThreatType: ThreatType
  ValidFrom: valid_from
  IndicatorID: IndicatorID
  RecommendedActions: RecommendedActions
  Sources: Sources
  Description: Description
  IPAbuse: IPAbuse
  ConfidenceScore: ConfidenceScore
  Created: created
  Modified: modified
query: |
  //Malicious Phishing Network Indicators - Block Recommended
  let timeFrame= 5m;
  CyfirmaIndicators_CL 
  | where (ConfidenceScore < 80 and ConfidenceScore >= 50)
      and TimeGenerated between (ago(timeFrame) .. now())
      and pattern !contains 'file:hashes' and RecommendedActions has 'Block' and Roles has 'Phishing'
  | extend IPv4 = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, pattern)
  | extend IPv6 = extract(@"ipv6-addr:value\s*=\s*'([^']+)'", 1, pattern)
  | extend URL = extract(@"url:value\s*=\s*'([^']+)'", 1, pattern)
  | extend Domain = extract(@"domain-name:value\s*=\s*'([^']+)'", 1, pattern)
  | extend parsed = parse_json(extensions)
  | extend extensionKeys = bag_keys(parsed)
  | mv-expand extensionKeys
  | extend extensionKeyStr = tostring(extensionKeys)
  | extend ext = parsed[extensionKeyStr]
  | extend props = ext.properties
  | extend 
      extension_id = extensionKeyStr,
      ASN_Owner = props.asn_owner,
      ASN = props.asn,
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | project
      IPv4,
      IPv6,
      URL,
      Domain,
      ThreatActors,
      RecommendedActions,
      Sources,
      Roles,
      Country,
      IPAbuse,
      name,
      Description,
      ConfidenceScore,
      IndicatorID,
      created,
      modified,
      valid_from,
      Tags,
      ThreatType,
      TimeGenerated,
      SecurityVendors,
      ProductName,
      ProviderName  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/PhishingNetworkIndicatorsBlockMediumSeverityRule.yaml
kind: Scheduled
queryPeriod: 5m
enabled: false
name: CYFIRMA - Medium severity Malicious Phishing Network Indicators - Block Recommended Rule
queryFrequency: 5m
triggerThreshold: 0
relevantTechniques:
- T1566
- T1204
- T1556
- T1110
- T1041
- T1566.001
- T1566.002
- T1204.001
- T1556.002
- T1110.003
version: 1.0.1
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPv4
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPv6
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: Domain
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: URL
triggerOperator: GreaterThan