CYFIRMA - Public Accounts Leaks Detection Rule

// Public Accounts Leaks - Latest per UID
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
    and Category has "Public Accounts Leaks"
| extend 
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| summarize arg_max(TimeGenerated, 
    email,
    user_name,
    password,
    url,
    ip,
    computer_name,
    operating_system,
    breach_date,
    first_seen,
    last_seen,
    impact,
    recommendations,
    description,
    source,
    ProductName,
    ProviderName
) by uid
| sort by TimeGenerated desc

status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/PublicAccountsLeaksRule.yaml
tactics:
- CredentialAccess
- InitialAccess
- Discovery
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
suppressionEnabled: true
queryPeriod: 5m
query: |
  // Public Accounts Leaks - Latest per UID
  let timeFrame = 5m;
  CyfirmaCompromisedAccounts_CL
  | where TimeGenerated between (ago(timeFrame) .. now())
      and Category has "Public Accounts Leaks"
  | extend 
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | summarize arg_max(TimeGenerated, 
      email,
      user_name,
      password,
      url,
      ip,
      computer_name,
      operating_system,
      breach_date,
      first_seen,
      last_seen,
      impact,
      recommendations,
      description,
      source,
      ProductName,
      ProviderName
  ) by uid
  | sort by TimeGenerated desc  
name: CYFIRMA - Public Accounts Leaks Detection Rule
triggerOperator: gt
version: 1.0.1
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: 57602938-e95a-4fc3-9352-8d473ed256e1
suppressionDuration: 6h
severity: High
queryFrequency: 5m
alertDetailsOverride:
  alertDescriptionFormat: '{{description}}'
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDisplayNameFormat: Public Leak - {{user_name}} - {{email}}
description: |
  "Detects exposed public-facing account credentials as identified in CYFIRMA's threat intelligence feeds.
  This rule monitors for credentials leaked through third-party breaches, dark web sources, or public repositories that could impact the organization's users or systems.
  It captures key details such as email, username, IP address, and associated devices. These accounts may not be directly managed by the enterprise but still pose a risk of lateral access, shadow IT, or third-party exposure."  
requiredDataConnectors:
- connectorId: CyfirmaCompromisedAccountsDataConnector
  dataTypes:
  - CyfirmaCompromisedAccounts_CL
triggerThreshold: 0
customDetails:
  UID: uid
  Recommendations: recommendations
  LastSeen: last_seen
  Impact: impact
  FirstSeen: first_seen
  TimeGenerated: TimeGenerated
  BreachDate: breach_date
  Source: source
  Description: description
relevantTechniques:
- T1078
- T1087
- T1552
kind: Scheduled
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: user_name
  - identifier: UPNSuffix
    columnName: email
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: computer_name
  - identifier: OSVersion
    columnName: operating_system
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: ip
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: url