CYFIRMA - Public Accounts Leaks Detection Rule
| Id | 57602938-e95a-4fc3-9352-8d473ed256e1 |
| Rulename | CYFIRMA - Public Accounts Leaks Detection Rule |
| Description | “Detects exposed public-facing account credentials as identified in CYFIRMA’s threat intelligence feeds. This rule monitors for credentials leaked through third-party breaches, dark web sources, or public repositories that could impact the organization’s users or systems. It captures key details such as email, username, IP address, and associated devices. These accounts may not be directly managed by the enterprise but still pose a risk of lateral access, shadow IT, or third-party exposure.” |
| Severity | High |
| Tactics | CredentialAccess InitialAccess Discovery |
| Techniques | T1078 T1087 T1552 |
| Required data connectors | CyfirmaCompromisedAccountsDataConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/PublicAccountsLeaksRule.yaml |
| Version | 1.0.1 |
| Arm template | 57602938-e95a-4fc3-9352-8d473ed256e1.json |
// Public Accounts Leaks - Latest per UID
// Lookback equals the rule's queryPeriod/queryFrequency (5m), so consecutive runs
// do not overlap. NOTE(review): a record whose ingestion lags more than 5m behind
// its TimeGenerated is never evaluated - confirm that is acceptable, or widen
// timeFrame and queryPeriod together.
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
// `has` is a whole-term, case-insensitive match on the Category column.
| where TimeGenerated between (ago(timeFrame) .. now())
and Category has "Public Accounts Leaks"
// Constant provider/product labels; the rule's alertDynamicProperties copy them
// onto the alert.
| extend
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
// One row per uid: the record with the latest TimeGenerated, and every listed
// column taken from that same row.
| summarize arg_max(TimeGenerated,
email,
user_name,
// NOTE(review): the raw password column is carried into the result set. It is
// referenced by neither customDetails nor entityMappings; consider projecting it
// away or masking it before alerting unless analysts need it.
password,
url,
ip,
computer_name,
operating_system,
breach_date,
first_seen,
last_seen,
impact,
recommendations,
description,
source,
ProductName,
ProviderName
) by uid
| sort by TimeGenerated desc
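# Microsoft Sentinel scheduled analytics rule: CYFIRMA - Public Accounts Leaks.
# The page had lost all YAML indentation (keys, list items and the literal blocks
# were flattened to column 0, which is not valid for this structure). Indentation
# is restored here; every key and value is unchanged and agrees with the ARM
# template rendering of the same rule.
kind: Scheduled
# Result columns copied onto the alert as custom details.
# NOTE(review): the query also returns `password`; it is not listed here, and the
# alert is better off without the raw credential - keep it out unless analysts
# genuinely need it.
customDetails:
  UID: uid
  Description: description
  BreachDate: breach_date
  TimeGenerated: TimeGenerated
  Impact: impact
  FirstSeen: first_seen
  Recommendations: recommendations
  Source: source
  LastSeen: last_seen
# NOTE(review): with suppressionEnabled the query stops running for 6h after an
# alert fires. queryPeriod equals queryFrequency (5m, no overlap), so leak records
# ingested during that 6h window are never evaluated - confirm this gap is intended,
# or disable suppression / widen queryPeriod.
suppressionDuration: 6h
entityMappings:
  - entityType: Account
    fieldMappings:
      - columnName: user_name
        identifier: Name
      # NOTE(review): UPNSuffix is the domain part of a UPN, while `email` holds a
      # full address. Confirm this mapping is intended, or split the address into
      # its Name and UPNSuffix parts in the query.
      - columnName: email
        identifier: UPNSuffix
  - entityType: Host
    fieldMappings:
      - columnName: computer_name
        identifier: HostName
      - columnName: operating_system
        identifier: OSVersion
  - entityType: IP
    fieldMappings:
      - columnName: ip
        identifier: Address
  - entityType: URL
    fieldMappings:
      - columnName: url
        identifier: Url
# Literal block: the surrounding double quotes are part of the stored description.
description: |
  "Detects exposed public-facing account credentials as identified in CYFIRMA's threat intelligence feeds.
  This rule monitors for credentials leaked through third-party breaches, dark web sources, or public repositories that could impact the organization's users or systems.
  It captures key details such as email, username, IP address, and associated devices. These accounts may not be directly managed by the enterprise but still pose a risk of lateral access, shadow IT, or third-party exposure."
severity: High
queryFrequency: 5m
# Incident grouping is present but disabled (enabled: false); one incident per alert.
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    enabled: false
  createIncident: true
# Fires when the query returns more than 0 rows (see triggerOperator: gt).
triggerThreshold: 0
relevantTechniques:
  - T1078
  - T1087
  - T1552
# One alert per result row; the query already collapses to one row per uid.
eventGroupingSettings:
  aggregationKind: AlertPerResult
suppressionEnabled: true
status: Available
version: 1.0.1
name: CYFIRMA - Public Accounts Leaks Detection Rule
id: 57602938-e95a-4fc3-9352-8d473ed256e1
# Literal block: the KQL below is stored verbatim as the rule query.
query: |
  // Public Accounts Leaks - Latest per UID
  let timeFrame = 5m;
  CyfirmaCompromisedAccounts_CL
  | where TimeGenerated between (ago(timeFrame) .. now())
      and Category has "Public Accounts Leaks"
  | extend
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | summarize arg_max(TimeGenerated,
      email,
      user_name,
      password,
      url,
      ip,
      computer_name,
      operating_system,
      breach_date,
      first_seen,
      last_seen,
      impact,
      recommendations,
      description,
      source,
      ProductName,
      ProviderName
  ) by uid
  | sort by TimeGenerated desc
requiredDataConnectors:
  - dataTypes:
      - CyfirmaCompromisedAccounts_CL
    connectorId: CyfirmaCompromisedAccountsDataConnector
tactics:
  - CredentialAccess
  - InitialAccess
  - Discovery
alertDetailsOverride:
  alertDisplayNameFormat: Public Leak - {{user_name}} - {{email}}
  alertDescriptionFormat: '{{description}}'
  # Copies the constant ProductName/ProviderName columns set by the query's extend.
  alertDynamicProperties:
    - value: ProductName
      alertProperty: ProductName
    - value: ProviderName
      alertProperty: ProviderName
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/PublicAccountsLeaksRule.yaml
queryPeriod: 5m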
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/57602938-e95a-4fc3-9352-8d473ed256e1')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/57602938-e95a-4fc3-9352-8d473ed256e1')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{description}}",
"alertDisplayNameFormat": "Public Leak - {{user_name}} - {{email}}",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "57602938-e95a-4fc3-9352-8d473ed256e1",
"customDetails": {
"BreachDate": "breach_date",
"Description": "description",
"FirstSeen": "first_seen",
"Impact": "impact",
"LastSeen": "last_seen",
"Recommendations": "recommendations",
"Source": "source",
"TimeGenerated": "TimeGenerated",
"UID": "uid"
},
"description": "\"Detects exposed public-facing account credentials as identified in CYFIRMA's threat intelligence feeds.\nThis rule monitors for credentials leaked through third-party breaches, dark web sources, or public repositories that could impact the organization's users or systems.\nIt captures key details such as email, username, IP address, and associated devices. These accounts may not be directly managed by the enterprise but still pose a risk of lateral access, shadow IT, or third-party exposure.\"\n",
"displayName": "CYFIRMA - Public Accounts Leaks Detection Rule",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "user_name",
"identifier": "Name"
},
{
"columnName": "email",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "computer_name",
"identifier": "HostName"
},
{
"columnName": "operating_system",
"identifier": "OSVersion"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "ip",
"identifier": "Address"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "url",
"identifier": "Url"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/PublicAccountsLeaksRule.yaml",
"query": "// Public Accounts Leaks - Latest per UID\nlet timeFrame = 5m;\nCyfirmaCompromisedAccounts_CL\n| where TimeGenerated between (ago(timeFrame) .. now())\n and Category has \"Public Accounts Leaks\"\n| extend \n ProviderName = 'CYFIRMA',\n ProductName = 'DeCYFIR/DeTCT'\n| summarize arg_max(TimeGenerated, \n email,\n user_name,\n password,\n url,\n ip,\n computer_name,\n operating_system,\n breach_date,\n first_seen,\n last_seen,\n impact,\n recommendations,\n description,\n source,\n ProductName,\n ProviderName\n) by uid\n| sort by TimeGenerated desc\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT6H",
"suppressionEnabled": true,
"tactics": [
"CredentialAccess",
"Discovery",
"InitialAccess"
],
"techniques": [
"T1078",
"T1087",
"T1552"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}