CYFIRMA - Brand Intelligence - Social Media Handle Impersonation Detected Medium Rule

// Medium severity - Social Media Handle Impersonation
let timeFrame = 5m;
CyfirmaBISocialHandlersAlerts_CL 
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=asset_value,
      Impact=impact,
      Recommendation=recommendation,
      SourceSype=source_type,
      ProviderName="CYFIRMA",
      ProductName="DeCYFIR/DeTCT"
  | project 
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Impact,
      Recommendation,
      SourceSype,
      ProductName,
      ProviderName

queryPeriod: 5m
relevantTechniques:
- T1589.003
- T1591.002
- T1585.001
- T1566.002
kind: Scheduled
query: |
  // Medium severity - Social Media Handle Impersonation
  let timeFrame = 5m;
  CyfirmaBISocialHandlersAlerts_CL 
    | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
    | extend
        Description=description,
        FirstSeen=first_seen,
        LastSeen=last_seen,
        RiskScore=risk_score,
        AlertUID=alert_uid,
        UID=uid,
        AssetType=asset_type,
        AssetValue=asset_value,
        Impact=impact,
        Recommendation=recommendation,
        SourceSype=source_type,
        ProviderName="CYFIRMA",
        ProductName="DeCYFIR/DeTCT"
    | project 
        TimeGenerated,
        Description,
        RiskScore,
        FirstSeen,
        LastSeen,
        AlertUID,
        UID,
        AssetType,
        AssetValue,
        Impact,
        Recommendation,
        SourceSype,
        ProductName,
        ProviderName  
tactics:
- Reconnaissance
- ResourceDevelopment
- InitialAccess
queryFrequency: 5m
triggerOperator: gt
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    reopenClosedIncident: false
  createIncident: true
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Social Media Handle Impersonation Detected - {{AssetType}}  :  {{AssetValue}} '
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDescriptionFormat: '{{Description}} '
id: 710f4755-490d-4fa7-aef0-43b5a66edc7b
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BISocialMediaHandlerMediumRule.yaml
version: 1.0.1
triggerThreshold: 0
customDetails:
  RiskScore: RiskScore
  FirstSeen: FirstSeen
  UID: UID
  TimeGenerated: TimeGenerated
  AlertUID: AlertUID
  Impact: Impact
  AssetValue: AssetValue
  Recommendation: Recommendation
  LastSeen: LastSeen
  SourceSype: SourceSype
  AssetType: AssetType
  Description: Description
status: Available
name: CYFIRMA - Brand Intelligence - Social Media Handle Impersonation Detected Medium Rule
severity: Medium
requiredDataConnectors:
- dataTypes:
  - CyfirmaBISocialHandlersAlerts_CL
  connectorId: CyfirmaBrandIntelligenceAlertsDC
description: |
  "Detects high-severity alerts related to impersonation of official social media handles associated with your brand. 
  These spoofed accounts may be used for phishing, disinformation, or fraud campaigns, posing significant reputational and security risks."