Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. CYFIRMA - High severity Malicious Phishing Network Indicators - Block Recommended Rule

CYFIRMA - High severity Malicious Phishing Network Indicators - Block Recommended Rule

Back
Id6f053867-dbd8-4755-924d-577e3db7f5a6
RulenameCYFIRMA - High severity Malicious Phishing Network Indicators - Block Recommended Rule
Description“This analytics rule identifies network-based indicators such as URLs, IP addresses, and domains related to phishing campaigns, as reported by CYFIRMA threat intelligence.

These indicators are flagged with a recommended action to block and are categorized under the ‘Phishing’ role.

Such infrastructure is often used to deliver phishing emails, host fake login portals, or redirect victims to credential-harvesting pages.

Blocking these indicators proactively helps prevent user compromise and data theft.”
SeverityHigh
TacticsInitialAccess
Execution
CredentialAccess
Exfiltration
TechniquesT1566
T1204
T1556
T1110
T1041
T1566.001
T1566.002
T1204.001
T1556.002
T1110.003
Required data connectorsCyfirmaCyberIntelligenceDC
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/PhishingNetworkIndicatorsBlockHighSeverityRule.yaml
Version1.0.1
Arm template6f053867-dbd8-4755-924d-577e3db7f5a6.json
Deploy To Azure
//Malicious Phishing Network Indicators - Block Recommended
let timeFrame= 5m;
CyfirmaIndicators_CL 
| where ConfidenceScore >= 80
    and TimeGenerated between (ago(timeFrame) .. now())
    and pattern !contains 'file:hashes' and RecommendedActions has 'Block' and Roles has 'Phishing'
| extend IPv4 = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend IPv6 = extract(@"ipv6-addr:value\s*=\s*'([^']+)'", 1, pattern)
| extend URL = extract(@"url:value\s*=\s*'([^']+)'", 1, pattern)
| extend Domain = extract(@"domain-name:value\s*=\s*'([^']+)'", 1, pattern)
| extend parsed = parse_json(extensions)
| extend extensionKeys = bag_keys(parsed)
| mv-expand extensionKeys
| extend extensionKeyStr = tostring(extensionKeys)
| extend ext = parsed[extensionKeyStr]
| extend props = ext.properties
| extend 
    extension_id = extensionKeyStr,
    ASN_Owner = props.asn_owner,
    ASN = props.asn,
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| project
    IPv4,
    IPv6,
    URL,
    Domain,
    ThreatActors,
    RecommendedActions,
    Sources,
    Roles,
    Country,
    IPAbuse,
    name,
    Description,
    ConfidenceScore,
    IndicatorID,
    created,
    modified,
    valid_from,
    Tags,
    ThreatType,
    TimeGenerated,
    SecurityVendors,
    ProductName,
    ProviderName

queryPeriod: 5m
description: |
  "This analytics rule identifies network-based indicators such as URLs, IP addresses, and domains related to phishing campaigns, as reported by CYFIRMA threat intelligence. 
  These indicators are flagged with a recommended action to block and are categorized under the 'Phishing' role.
  Such infrastructure is often used to deliver phishing emails, host fake login portals, or redirect victims to credential-harvesting pages. 
  Blocking these indicators proactively helps prevent user compromise and data theft."  
kind: Scheduled
query: |
  //Malicious Phishing Network Indicators - Block Recommended
  let timeFrame= 5m;
  CyfirmaIndicators_CL 
  | where ConfidenceScore >= 80
      and TimeGenerated between (ago(timeFrame) .. now())
      and pattern !contains 'file:hashes' and RecommendedActions has 'Block' and Roles has 'Phishing'
  | extend IPv4 = extract(@"ipv4-addr:value\s*=\s*'([^']+)'", 1, pattern)
  | extend IPv6 = extract(@"ipv6-addr:value\s*=\s*'([^']+)'", 1, pattern)
  | extend URL = extract(@"url:value\s*=\s*'([^']+)'", 1, pattern)
  | extend Domain = extract(@"domain-name:value\s*=\s*'([^']+)'", 1, pattern)
  | extend parsed = parse_json(extensions)
  | extend extensionKeys = bag_keys(parsed)
  | mv-expand extensionKeys
  | extend extensionKeyStr = tostring(extensionKeys)
  | extend ext = parsed[extensionKeyStr]
  | extend props = ext.properties
  | extend 
      extension_id = extensionKeyStr,
      ASN_Owner = props.asn_owner,
      ASN = props.asn,
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | project
      IPv4,
      IPv6,
      URL,
      Domain,
      ThreatActors,
      RecommendedActions,
      Sources,
      Roles,
      Country,
      IPAbuse,
      name,
      Description,
      ConfidenceScore,
      IndicatorID,
      created,
      modified,
      valid_from,
      Tags,
      ThreatType,
      TimeGenerated,
      SecurityVendors,
      ProductName,
      ProviderName  
suppressionDuration: 5m
tactics:
- InitialAccess
- Execution
- CredentialAccess
- Exfiltration
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    reopenClosedIncident: false
  createIncident: true
triggerOperator: GreaterThan
enabled: false
suppressionEnabled: true
alertDetailsOverride:
  alertDisplayNameFormat: 'High-Confidence Malicious Phishing Network Indicators - Block Recommended - {{name}} '
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDescriptionFormat: '{{Description}} - {{name}} '
id: 6f053867-dbd8-4755-924d-577e3db7f5a6
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Cyber Intelligence/Analytic Rules/PhishingNetworkIndicatorsBlockHighSeverityRule.yaml
version: 1.0.1
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPv4
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPv6
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: Domain
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: URL
triggerThreshold: 0
customDetails:
  SecurityVendors: SecurityVendors
  ConfidenceScore: ConfidenceScore
  ThreatActors: ThreatActors
  IndicatorID: IndicatorID
  RecommendedActions: RecommendedActions
  Modified: modified
  ValidFrom: valid_from
  Created: created
  ThreatType: ThreatType
  IPAbuse: IPAbuse
  Roles: Roles
  Tags: Tags
  TimeGenerated: TimeGenerated
  Sources: Sources
  Country: Country
  Description: Description
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1566
- T1204
- T1556
- T1110
- T1041
- T1566.001
- T1566.002
- T1204.001
- T1556.002
- T1110.003
name: CYFIRMA - High severity Malicious Phishing Network Indicators - Block Recommended Rule
severity: High
requiredDataConnectors:
- dataTypes:
  - CyfirmaIndicators_CL
  connectorId: CyfirmaCyberIntelligenceDC
queryFrequency: 5m