CYFIRMA - Brand Intelligence - ExecutivePeople Impersonation Medium Rule

// Medium severity - Executive/People Impersonation
let timeFrame = 5m;
CyfirmaBIExecutivePeopleAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=asset_value,
    Impact=impact,
    Recommendation=recommendation,
    PostedDate=posted_date,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT'
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Impact,
    Recommendation,
    PostedDate,
    ProductName,
    ProviderName

alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDescriptionFormat: '{{Description}} '
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Alert - Executive Impersonation - Suspicious Social Media Account Detected - {{AssetValue}} '
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    reopenClosedIncident: false
    enabled: false
requiredDataConnectors:
- dataTypes:
  - CyfirmaBIExecutivePeopleAlerts_CL
  connectorId: CyfirmaBrandIntelligenceAlertsDC
relevantTechniques:
- T1589.003
- T1585.001
- T1566.002
triggerOperator: gt
version: 1.0.1
queryFrequency: 5m
severity: Medium
description: |
  "This rule detects potential impersonation of executive or high-profile individuals across digital platforms such as social media. 
  Such impersonation can be used to mislead stakeholders, perform social engineering attacks, or cause reputational damage to the organization. 
  Timely detection is crucial to assess risk and take down malicious profiles to protect brand and executive identity."  
triggerThreshold: 0
customDetails:
  AssetValue: AssetValue
  Description: Description
  PostedDate: PostedDate
  LastSeen: LastSeen
  AssetType: AssetType
  FirstSeen: FirstSeen
  RiskScore: RiskScore
  Recommendation: Recommendation
  AlertUID: AlertUID
  Impact: Impact
  UID: UID
  TimeGenerated: TimeGenerated
name: CYFIRMA - Brand Intelligence - Executive/People Impersonation Medium Rule
query: |
  // Medium severity - Executive/People Impersonation
  let timeFrame = 5m;
  CyfirmaBIExecutivePeopleAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=asset_value,
      Impact=impact,
      Recommendation=recommendation,
      PostedDate=posted_date,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Impact,
      Recommendation,
      PostedDate,
      ProductName,
      ProviderName  
tactics:
- Reconnaissance
- ResourceDevelopment
- InitialAccess
queryPeriod: 5m
kind: Scheduled
id: 59aa22f2-5b4f-4679-b289-003228255413
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIExecutivePeopleImpersonationMediumRule.yaml
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available