CYFIRMA - Public Accounts Leaks Detection Rule

// Public Accounts Leaks - Latest per UID
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
    and Category has "Public Accounts Leaks"
| extend 
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| summarize arg_max(TimeGenerated, 
    email,
    user_name,
    password,
    url,
    ip,
    computer_name,
    operating_system,
    breach_date,
    first_seen,
    last_seen,
    impact,
    recommendations,
    description,
    source,
    ProductName,
    ProviderName
) by uid
| sort by TimeGenerated desc

description: |
  "Detects exposed public-facing account credentials as identified in CYFIRMA's threat intelligence feeds.
  This rule monitors for credentials leaked through third-party breaches, dark web sources, or public repositories that could impact the organization's users or systems.
  It captures key details such as email, username, IP address, and associated devices. These accounts may not be directly managed by the enterprise but still pose a risk of lateral access, shadow IT, or third-party exposure."  
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    reopenClosedIncident: false
    enabled: false
eventGroupingSettings:
  aggregationKind: AlertPerResult
requiredDataConnectors:
- dataTypes:
  - CyfirmaCompromisedAccounts_CL
  connectorId: CyfirmaCompromisedAccountsDataConnector
relevantTechniques:
- T1078
- T1087
- T1552
triggerOperator: gt
version: 1.0.1
queryFrequency: 5m
severity: High
suppressionEnabled: true
triggerThreshold: 0
suppressionDuration: 6h
entityMappings:
- fieldMappings:
  - columnName: user_name
    identifier: Name
  - columnName: email
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: computer_name
    identifier: HostName
  - columnName: operating_system
    identifier: OSVersion
  entityType: Host
- fieldMappings:
  - columnName: ip
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: url
    identifier: Url
  entityType: URL
customDetails:
  Impact: impact
  Source: source
  TimeGenerated: TimeGenerated
  Description: description
  UID: uid
  LastSeen: last_seen
  BreachDate: breach_date
  Recommendations: recommendations
  FirstSeen: first_seen
name: CYFIRMA - Public Accounts Leaks Detection Rule
query: |
  // Public Accounts Leaks - Latest per UID
  let timeFrame = 5m;
  CyfirmaCompromisedAccounts_CL
  | where TimeGenerated between (ago(timeFrame) .. now())
      and Category has "Public Accounts Leaks"
  | extend 
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | summarize arg_max(TimeGenerated, 
      email,
      user_name,
      password,
      url,
      ip,
      computer_name,
      operating_system,
      breach_date,
      first_seen,
      last_seen,
      impact,
      recommendations,
      description,
      source,
      ProductName,
      ProviderName
  ) by uid
  | sort by TimeGenerated desc  
tactics:
- CredentialAccess
- InitialAccess
- Discovery
queryPeriod: 5m
kind: Scheduled
id: 57602938-e95a-4fc3-9352-8d473ed256e1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/PublicAccountsLeaksRule.yaml
alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDescriptionFormat: '{{description}}'
  alertDisplayNameFormat: Public Leak - {{user_name}} - {{email}}
status: Available