CYFIRMA - Public Accounts Leaks Detection Rule
| Id | 57602938-e95a-4fc3-9352-8d473ed256e1 |
| Rulename | CYFIRMA - Public Accounts Leaks Detection Rule |
| Description | “Detects exposed public-facing account credentials as identified in CYFIRMA’s threat intelligence feeds. This rule monitors for credentials leaked through third-party breaches, dark web sources, or public repositories that could impact the organization’s users or systems. It captures key details such as email, username, IP address, and associated devices. These accounts may not be directly managed by the enterprise but still pose a risk of lateral access, shadow IT, or third-party exposure.” |
| Severity | High |
| Tactics | CredentialAccess InitialAccess Discovery |
| Techniques | T1078 T1087 T1552 |
| Required data connectors | CyfirmaCompromisedAccountsDataConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/PublicAccountsLeaksRule.yaml |
| Version | 1.0.0 |
| Arm template | 57602938-e95a-4fc3-9352-8d473ed256e1.json |
// Public Accounts Leaks - Latest per UID
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
and Category has "Public Accounts Leaks"
| extend
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| summarize arg_max(TimeGenerated,
email,
user_name,
password,
url,
ip,
computer_name,
operating_system,
breach_date,
first_seen,
last_seen,
impact,
recommendations,
description,
source,
ProductName,
ProviderName
) by uid
| sort by TimeGenerated desc
tactics:
- CredentialAccess
- InitialAccess
- Discovery
name: CYFIRMA - Public Accounts Leaks Detection Rule
suppressionEnabled: true
requiredDataConnectors:
- connectorId: CyfirmaCompromisedAccountsDataConnector
dataTypes:
- CyfirmaCompromisedAccounts_CL
query: |
// Public Accounts Leaks - Latest per UID
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
and Category has "Public Accounts Leaks"
| extend
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| summarize arg_max(TimeGenerated,
email,
user_name,
password,
url,
ip,
computer_name,
operating_system,
breach_date,
first_seen,
last_seen,
impact,
recommendations,
description,
source,
ProductName,
ProviderName
) by uid
| sort by TimeGenerated desc
eventGroupingSettings:
aggregationKind: AlertPerResult
relevantTechniques:
- T1078
- T1087
- T1552
incidentConfiguration:
createIncident: true
groupingConfiguration:
matchingMethod: AllEntities
reopenClosedIncident: false
lookbackDuration: 5h
enabled: false
description: |
"Detects exposed public-facing account credentials as identified in CYFIRMA's threat intelligence feeds.
This rule monitors for credentials leaked through third-party breaches, dark web sources, or public repositories that could impact the organization's users or systems.
It captures key details such as email, username, IP address, and associated devices. These accounts may not be directly managed by the enterprise but still pose a risk of lateral access, shadow IT, or third-party exposure."
triggerOperator: gt
queryPeriod: 5m
suppressionDuration: 6h
severity: High
entityMappings:
- fieldMappings:
- identifier: Name
columnName: user_name
- identifier: UPNSuffix
columnName: email
entityType: Account
- fieldMappings:
- identifier: HostName
columnName: computer_name
- identifier: OSVersion
columnName: operating_system
entityType: Host
- fieldMappings:
- identifier: Address
columnName: ip
entityType: IP
- fieldMappings:
- identifier: Url
columnName: url
entityType: URL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/PublicAccountsLeaksRule.yaml
version: 1.0.0
alertDetailsOverride:
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
alertDisplayNameFormat: Public Leak - {{user_name}} - {{email}}
alertDescriptionFormat: '{{description}}'
triggerThreshold: 0
id: 57602938-e95a-4fc3-9352-8d473ed256e1
queryFrequency: 5m
kind: Scheduled
status: Available
customDetails:
Recommendations: recommendations
Description: description
FirstSeen: first_seen
TimeGenerated: TimeGenerated
Source: source
BreachDate: breach_date
LastSeen: last_seen
Impact: impact
UID: uid
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/57602938-e95a-4fc3-9352-8d473ed256e1')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/57602938-e95a-4fc3-9352-8d473ed256e1')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{description}}",
"alertDisplayNameFormat": "Public Leak - {{user_name}} - {{email}}",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "57602938-e95a-4fc3-9352-8d473ed256e1",
"customDetails": {
"BreachDate": "breach_date",
"Description": "description",
"FirstSeen": "first_seen",
"Impact": "impact",
"LastSeen": "last_seen",
"Recommendations": "recommendations",
"Source": "source",
"TimeGenerated": "TimeGenerated",
"UID": "uid"
},
"description": "\"Detects exposed public-facing account credentials as identified in CYFIRMA's threat intelligence feeds.\nThis rule monitors for credentials leaked through third-party breaches, dark web sources, or public repositories that could impact the organization's users or systems.\nIt captures key details such as email, username, IP address, and associated devices. These accounts may not be directly managed by the enterprise but still pose a risk of lateral access, shadow IT, or third-party exposure.\"\n",
"displayName": "CYFIRMA - Public Accounts Leaks Detection Rule",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "user_name",
"identifier": "Name"
},
{
"columnName": "email",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "computer_name",
"identifier": "HostName"
},
{
"columnName": "operating_system",
"identifier": "OSVersion"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "ip",
"identifier": "Address"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "url",
"identifier": "Url"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/PublicAccountsLeaksRule.yaml",
"query": "// Public Accounts Leaks - Latest per UID\nlet timeFrame = 5m;\nCyfirmaCompromisedAccounts_CL\n| where TimeGenerated between (ago(timeFrame) .. now())\n and Category has \"Public Accounts Leaks\"\n| extend \n ProviderName = 'CYFIRMA',\n ProductName = 'DeCYFIR/DeTCT'\n| summarize arg_max(TimeGenerated, \n email,\n user_name,\n password,\n url,\n ip,\n computer_name,\n operating_system,\n breach_date,\n first_seen,\n last_seen,\n impact,\n recommendations,\n description,\n source,\n ProductName,\n ProviderName\n) by uid\n| sort by TimeGenerated desc\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT6H",
"suppressionEnabled": true,
"tactics": [
"CredentialAccess",
"Discovery",
"InitialAccess"
],
"techniques": [
"T1078",
"T1087",
"T1552"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}