Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Public Accounts Leaks Detection Rule

Back
Id57602938-e95a-4fc3-9352-8d473ed256e1
RulenameCYFIRMA - Public Accounts Leaks Detection Rule
Description“Detects exposed public-facing account credentials as identified in CYFIRMA’s threat intelligence feeds.

This rule monitors for credentials leaked through third-party breaches, dark web sources, or public repositories that could impact the organization’s users or systems.

It captures key details such as email, username, IP address, and associated devices. These accounts may not be directly managed by the enterprise but still pose a risk of lateral access, shadow IT, or third-party exposure.”
SeverityHigh
TacticsCredentialAccess
InitialAccess
Discovery
TechniquesT1078
T1087
T1552
Required data connectorsCyfirmaCompromisedAccountsDataConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/PublicAccountsLeaksRule.yaml
Version1.0.0
Arm template57602938-e95a-4fc3-9352-8d473ed256e1.json
Deploy To Azure
// Public Accounts Leaks - Latest per UID
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
    and Category has "Public Accounts Leaks"
| extend 
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| summarize arg_max(TimeGenerated, 
    email,
    user_name,
    password,
    url,
    ip,
    computer_name,
    operating_system,
    breach_date,
    first_seen,
    last_seen,
    impact,
    recommendations,
    description,
    source,
    ProductName,
    ProviderName
) by uid
| sort by TimeGenerated desc
entityMappings:
- fieldMappings:
  - columnName: user_name
    identifier: Name
  - columnName: email
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: computer_name
    identifier: HostName
  - columnName: operating_system
    identifier: OSVersion
  entityType: Host
- fieldMappings:
  - columnName: ip
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: url
    identifier: Url
  entityType: URL
triggerThreshold: 0
severity: High
suppressionDuration: 6h
queryFrequency: 5m
queryPeriod: 5m
customDetails:
  TimeGenerated: TimeGenerated
  LastSeen: last_seen
  Recommendations: recommendations
  BreachDate: breach_date
  Impact: impact
  FirstSeen: first_seen
  Description: description
  UID: uid
  Source: source
relevantTechniques:
- T1078
- T1087
- T1552
alertDetailsOverride:
  alertDisplayNameFormat: Public Leak - {{user_name}} - {{email}}
  alertDescriptionFormat: '{{description}}'
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
triggerOperator: gt
kind: Scheduled
id: 57602938-e95a-4fc3-9352-8d473ed256e1
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 5h
    enabled: false
    matchingMethod: AllEntities
    reopenClosedIncident: false
requiredDataConnectors:
- connectorId: CyfirmaCompromisedAccountsDataConnector
  dataTypes:
  - CyfirmaCompromisedAccounts_CL
version: 1.0.0
name: CYFIRMA - Public Accounts Leaks Detection Rule
eventGroupingSettings:
  aggregationKind: AlertPerResult
tactics:
- CredentialAccess
- InitialAccess
- Discovery
description: |
  "Detects exposed public-facing account credentials as identified in CYFIRMA's threat intelligence feeds.
  This rule monitors for credentials leaked through third-party breaches, dark web sources, or public repositories that could impact the organization's users or systems.
  It captures key details such as email, username, IP address, and associated devices. These accounts may not be directly managed by the enterprise but still pose a risk of lateral access, shadow IT, or third-party exposure."  
query: |
  // Public Accounts Leaks - Latest per UID
  let timeFrame = 5m;
  CyfirmaCompromisedAccounts_CL
  | where TimeGenerated between (ago(timeFrame) .. now())
      and Category has "Public Accounts Leaks"
  | extend 
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | summarize arg_max(TimeGenerated, 
      email,
      user_name,
      password,
      url,
      ip,
      computer_name,
      operating_system,
      breach_date,
      first_seen,
      last_seen,
      impact,
      recommendations,
      description,
      source,
      ProductName,
      ProviderName
  ) by uid
  | sort by TimeGenerated desc  
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/PublicAccountsLeaksRule.yaml
suppressionEnabled: true
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/57602938-e95a-4fc3-9352-8d473ed256e1')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/57602938-e95a-4fc3-9352-8d473ed256e1')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{description}}",
          "alertDisplayNameFormat": "Public Leak - {{user_name}} - {{email}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "57602938-e95a-4fc3-9352-8d473ed256e1",
        "customDetails": {
          "BreachDate": "breach_date",
          "Description": "description",
          "FirstSeen": "first_seen",
          "Impact": "impact",
          "LastSeen": "last_seen",
          "Recommendations": "recommendations",
          "Source": "source",
          "TimeGenerated": "TimeGenerated",
          "UID": "uid"
        },
        "description": "\"Detects exposed public-facing account credentials as identified in CYFIRMA's threat intelligence feeds.\nThis rule monitors for credentials leaked through third-party breaches, dark web sources, or public repositories that could impact the organization's users or systems.\nIt captures key details such as email, username, IP address, and associated devices. These accounts may not be directly managed by the enterprise but still pose a risk of lateral access, shadow IT, or third-party exposure.\"\n",
        "displayName": "CYFIRMA - Public Accounts Leaks Detection Rule",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "user_name",
                "identifier": "Name"
              },
              {
                "columnName": "email",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "computer_name",
                "identifier": "HostName"
              },
              {
                "columnName": "operating_system",
                "identifier": "OSVersion"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ip",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "url",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/PublicAccountsLeaksRule.yaml",
        "query": "// Public Accounts Leaks - Latest per UID\nlet timeFrame = 5m;\nCyfirmaCompromisedAccounts_CL\n| where TimeGenerated between (ago(timeFrame) .. now())\n    and Category has \"Public Accounts Leaks\"\n| extend \n    ProviderName = 'CYFIRMA',\n    ProductName = 'DeCYFIR/DeTCT'\n| summarize arg_max(TimeGenerated, \n    email,\n    user_name,\n    password,\n    url,\n    ip,\n    computer_name,\n    operating_system,\n    breach_date,\n    first_seen,\n    last_seen,\n    impact,\n    recommendations,\n    description,\n    source,\n    ProductName,\n    ProviderName\n) by uid\n| sort by TimeGenerated desc\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT6H",
        "suppressionEnabled": true,
        "tactics": [
          "CredentialAccess",
          "Discovery",
          "InitialAccess"
        ],
        "techniques": [
          "T1078",
          "T1087",
          "T1552"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}