CYFIRMA - Public Accounts Leaks Detection Rule
| Id | 57602938-e95a-4fc3-9352-8d473ed256e1 |
| Rulename | CYFIRMA - Public Accounts Leaks Detection Rule |
| Description | “Detects exposed public-facing account credentials as identified in CYFIRMA’s threat intelligence feeds. This rule monitors for credentials leaked through third-party breaches, dark web sources, or public repositories that could impact the organization’s users or systems. It captures key details such as email, username, IP address, and associated devices. These accounts may not be directly managed by the enterprise but still pose a risk of lateral access, shadow IT, or third-party exposure.” |
| Severity | High |
| Tactics | CredentialAccess InitialAccess Discovery |
| Techniques | T1078 T1087 T1552 |
| Required data connectors | CyfirmaCompromisedAccountsDataConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/PublicAccountsLeaksRule.yaml |
| Version | 1.0.1 |
| Arm template | 57602938-e95a-4fc3-9352-8d473ed256e1.json |
// Public Accounts Leaks - Latest per UID
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
and Category has "Public Accounts Leaks"
| extend
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| summarize arg_max(TimeGenerated,
email,
user_name,
password,
url,
ip,
computer_name,
operating_system,
breach_date,
first_seen,
last_seen,
impact,
recommendations,
description,
source,
ProductName,
ProviderName
) by uid
| sort by TimeGenerated desc
name: CYFIRMA - Public Accounts Leaks Detection Rule
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride:
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
alertDisplayNameFormat: Public Leak - {{user_name}} - {{email}}
alertDescriptionFormat: '{{description}}'
id: 57602938-e95a-4fc3-9352-8d473ed256e1
triggerThreshold: 0
requiredDataConnectors:
- connectorId: CyfirmaCompromisedAccountsDataConnector
dataTypes:
- CyfirmaCompromisedAccounts_CL
kind: Scheduled
triggerOperator: gt
version: 1.0.1
description: |
"Detects exposed public-facing account credentials as identified in CYFIRMA's threat intelligence feeds.
This rule monitors for credentials leaked through third-party breaches, dark web sources, or public repositories that could impact the organization's users or systems.
It captures key details such as email, username, IP address, and associated devices. These accounts may not be directly managed by the enterprise but still pose a risk of lateral access, shadow IT, or third-party exposure."
severity: High
relevantTechniques:
- T1078
- T1087
- T1552
suppressionDuration: 6h
queryPeriod: 5m
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: false
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: PT5H
tactics:
- CredentialAccess
- InitialAccess
- Discovery
customDetails:
Source: source
Description: description
TimeGenerated: TimeGenerated
BreachDate: breach_date
FirstSeen: first_seen
Recommendations: recommendations
LastSeen: last_seen
UID: uid
Impact: impact
queryFrequency: 5m
entityMappings:
- fieldMappings:
- identifier: Name
columnName: user_name
- identifier: UPNSuffix
columnName: email
entityType: Account
- fieldMappings:
- identifier: HostName
columnName: computer_name
- identifier: OSVersion
columnName: operating_system
entityType: Host
- fieldMappings:
- identifier: Address
columnName: ip
entityType: IP
- fieldMappings:
- identifier: Url
columnName: url
entityType: URL
status: Available
suppressionEnabled: true
query: |
// Public Accounts Leaks - Latest per UID
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
and Category has "Public Accounts Leaks"
| extend
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| summarize arg_max(TimeGenerated,
email,
user_name,
password,
url,
ip,
computer_name,
operating_system,
breach_date,
first_seen,
last_seen,
impact,
recommendations,
description,
source,
ProductName,
ProviderName
) by uid
| sort by TimeGenerated desc
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/PublicAccountsLeaksRule.yaml
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/57602938-e95a-4fc3-9352-8d473ed256e1')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/57602938-e95a-4fc3-9352-8d473ed256e1')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{description}}",
"alertDisplayNameFormat": "Public Leak - {{user_name}} - {{email}}",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "57602938-e95a-4fc3-9352-8d473ed256e1",
"customDetails": {
"BreachDate": "breach_date",
"Description": "description",
"FirstSeen": "first_seen",
"Impact": "impact",
"LastSeen": "last_seen",
"Recommendations": "recommendations",
"Source": "source",
"TimeGenerated": "TimeGenerated",
"UID": "uid"
},
"description": "\"Detects exposed public-facing account credentials as identified in CYFIRMA's threat intelligence feeds.\nThis rule monitors for credentials leaked through third-party breaches, dark web sources, or public repositories that could impact the organization's users or systems.\nIt captures key details such as email, username, IP address, and associated devices. These accounts may not be directly managed by the enterprise but still pose a risk of lateral access, shadow IT, or third-party exposure.\"\n",
"displayName": "CYFIRMA - Public Accounts Leaks Detection Rule",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "user_name",
"identifier": "Name"
},
{
"columnName": "email",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "computer_name",
"identifier": "HostName"
},
{
"columnName": "operating_system",
"identifier": "OSVersion"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "ip",
"identifier": "Address"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "url",
"identifier": "Url"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/PublicAccountsLeaksRule.yaml",
"query": "// Public Accounts Leaks - Latest per UID\nlet timeFrame = 5m;\nCyfirmaCompromisedAccounts_CL\n| where TimeGenerated between (ago(timeFrame) .. now())\n and Category has \"Public Accounts Leaks\"\n| extend \n ProviderName = 'CYFIRMA',\n ProductName = 'DeCYFIR/DeTCT'\n| summarize arg_max(TimeGenerated, \n email,\n user_name,\n password,\n url,\n ip,\n computer_name,\n operating_system,\n breach_date,\n first_seen,\n last_seen,\n impact,\n recommendations,\n description,\n source,\n ProductName,\n ProviderName\n) by uid\n| sort by TimeGenerated desc\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT6H",
"suppressionEnabled": true,
"tactics": [
"CredentialAccess",
"Discovery",
"InitialAccess"
],
"techniques": [
"T1078",
"T1087",
"T1552"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}