CYFIRMA - Brand Intelligence - Social Media Handle Impersonation Detected Medium Rule
| Id | 710f4755-490d-4fa7-aef0-43b5a66edc7b |
| Rulename | CYFIRMA - Brand Intelligence - Social Media Handle Impersonation Detected Medium Rule |
| Description | “Detects high-severity alerts related to impersonation of official social media handles associated with your brand. These spoofed accounts may be used for phishing, disinformation, or fraud campaigns, posing significant reputational and security risks.” |
| Severity | Medium |
| Tactics | Reconnaissance ResourceDevelopment InitialAccess |
| Techniques | T1589.003 T1591.002 T1585.001 T1566.002 |
| Required data connectors | CyfirmaBrandIntelligenceAlertsDC |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BISocialMediaHandlerMediumRule.yaml |
| Version | 1.0.1 |
| Arm template | 710f4755-490d-4fa7-aef0-43b5a66edc7b.json |
// Medium severity - Social Media Handle Impersonation
let timeFrame = 5m;
CyfirmaBISocialHandlersAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=asset_value,
Impact=impact,
Recommendation=recommendation,
SourceSype=source_type,
ProviderName="CYFIRMA",
ProductName="DeCYFIR/DeTCT"
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Impact,
Recommendation,
SourceSype,
ProductName,
ProviderName
name: CYFIRMA - Brand Intelligence - Social Media Handle Impersonation Detected Medium Rule
alertDetailsOverride:
alertDynamicProperties:
- value: ProductName
alertProperty: ProductName
- value: ProviderName
alertProperty: ProviderName
alertDisplayNameFormat: 'CYFIRMA - Medium Severity Social Media Handle Impersonation Detected - {{AssetType}} : {{AssetValue}} '
alertDescriptionFormat: '{{Description}} '
version: 1.0.1
triggerThreshold: 0
id: 710f4755-490d-4fa7-aef0-43b5a66edc7b
triggerOperator: gt
query: |
// Medium severity - Social Media Handle Impersonation
let timeFrame = 5m;
CyfirmaBISocialHandlersAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=asset_value,
Impact=impact,
Recommendation=recommendation,
SourceSype=source_type,
ProviderName="CYFIRMA",
ProductName="DeCYFIR/DeTCT"
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Impact,
Recommendation,
SourceSype,
ProductName,
ProviderName
description: |
"Detects high-severity alerts related to impersonation of official social media handles associated with your brand.
These spoofed accounts may be used for phishing, disinformation, or fraud campaigns, posing significant reputational and security risks."
kind: Scheduled
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BISocialMediaHandlerMediumRule.yaml
severity: Medium
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: PT5H
reopenClosedIncident: false
matchingMethod: AllEntities
enabled: false
queryPeriod: 5m
requiredDataConnectors:
- dataTypes:
- CyfirmaBISocialHandlersAlerts_CL
connectorId: CyfirmaBrandIntelligenceAlertsDC
status: Available
customDetails:
Impact: Impact
RiskScore: RiskScore
UID: UID
AssetValue: AssetValue
LastSeen: LastSeen
FirstSeen: FirstSeen
Description: Description
AlertUID: AlertUID
TimeGenerated: TimeGenerated
SourceSype: SourceSype
AssetType: AssetType
Recommendation: Recommendation
eventGroupingSettings:
aggregationKind: AlertPerResult
relevantTechniques:
- T1589.003
- T1591.002
- T1585.001
- T1566.002
tactics:
- Reconnaissance
- ResourceDevelopment
- InitialAccess