CYFIRMA - Compromised Employees Detection Rule
| Id | 72d3fb86-d1eb-44d6-9352-170c6bb45bb7 |
| Rulename | CYFIRMA - Compromised Employees Detection Rule |
| Description | “Identifies and alerts on internal employee accounts that have been compromised, based on CYFIRMA’s threat intelligence. This rule captures the latest exposure of user credentials, IP addresses, hostnames, operating systems, and pass hashes observed in the threat feed. It supports rapid detection and investigation of phishing, stealer malware, and insider compromise scenarios.” |
| Severity | High |
| Tactics | CredentialAccess InitialAccess Persistence |
| Techniques | T1003 T1552 T1078 T1098 |
| Required data connectors | CyfirmaCompromisedAccountsDataConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CompromisedEmployeesRule.yaml |
| Version | 1.0.1 |
| Arm template | 72d3fb86-d1eb-44d6-9352-170c6bb45bb7.json |
// Compromised Employees - Latest per UID
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
and Category has "Compromised Employees"
| extend
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| summarize arg_max(TimeGenerated,
url,
ip,
email,
user_name,
computer_name,
operating_system,
breach_date,
first_seen,
last_seen,
impact,
recommendations,
description,
source,
pass_hash,
ProductName,
ProviderName
) by uid
| sort by TimeGenerated desc
kind: Scheduled
customDetails:
UID: uid
Description: description
BreachDate: breach_date
TimeGenerated: TimeGenerated
Impact: impact
PassHash: pass_hash
FirstSeen: first_seen
Recommendations: recommendations
Source: source
LastSeen: last_seen
suppressionDuration: 6h
entityMappings:
- entityType: Account
fieldMappings:
- columnName: user_name
identifier: Name
- columnName: email
identifier: UPNSuffix
- entityType: Host
fieldMappings:
- columnName: computer_name
identifier: HostName
- columnName: operating_system
identifier: OSVersion
- entityType: IP
fieldMappings:
- columnName: ip
identifier: Address
- entityType: URL
fieldMappings:
- columnName: url
identifier: Url
description: |
"Identifies and alerts on internal employee accounts that have been compromised, based on CYFIRMA's threat intelligence.
This rule captures the latest exposure of user credentials, IP addresses, hostnames, operating systems, and pass hashes observed in the threat feed.
It supports rapid detection and investigation of phishing, stealer malware, and insider compromise scenarios."
severity: High
queryFrequency: 5m
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: PT5H
enabled: false
createIncident: true
triggerThreshold: 0
relevantTechniques:
- T1003
- T1552
- T1078
- T1098
eventGroupingSettings:
aggregationKind: AlertPerResult
suppressionEnabled: true
status: Available
version: 1.0.1
name: CYFIRMA - Compromised Employees Detection Rule
id: 72d3fb86-d1eb-44d6-9352-170c6bb45bb7
query: |
// Compromised Employees - Latest per UID
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
and Category has "Compromised Employees"
| extend
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| summarize arg_max(TimeGenerated,
url,
ip,
email,
user_name,
computer_name,
operating_system,
breach_date,
first_seen,
last_seen,
impact,
recommendations,
description,
source,
pass_hash,
ProductName,
ProviderName
) by uid
| sort by TimeGenerated desc
requiredDataConnectors:
- dataTypes:
- CyfirmaCompromisedAccounts_CL
connectorId: CyfirmaCompromisedAccountsDataConnector
tactics:
- CredentialAccess
- InitialAccess
- Persistence
alertDetailsOverride:
alertDisplayNameFormat: Employee Compromised - {{user_name}} - {{email}}
alertDescriptionFormat: '{{description}}'
alertDynamicProperties:
- value: ProductName
alertProperty: ProductName
- value: ProviderName
alertProperty: ProviderName
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CompromisedEmployeesRule.yaml
queryPeriod: 5m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/72d3fb86-d1eb-44d6-9352-170c6bb45bb7')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/72d3fb86-d1eb-44d6-9352-170c6bb45bb7')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{description}}",
"alertDisplayNameFormat": "Employee Compromised - {{user_name}} - {{email}}",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "72d3fb86-d1eb-44d6-9352-170c6bb45bb7",
"customDetails": {
"BreachDate": "breach_date",
"Description": "description",
"FirstSeen": "first_seen",
"Impact": "impact",
"LastSeen": "last_seen",
"PassHash": "pass_hash",
"Recommendations": "recommendations",
"Source": "source",
"TimeGenerated": "TimeGenerated",
"UID": "uid"
},
"description": "\"Identifies and alerts on internal employee accounts that have been compromised, based on CYFIRMA's threat intelligence.\nThis rule captures the latest exposure of user credentials, IP addresses, hostnames, operating systems, and pass hashes observed in the threat feed.\nIt supports rapid detection and investigation of phishing, stealer malware, and insider compromise scenarios.\"\n",
"displayName": "CYFIRMA - Compromised Employees Detection Rule",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "user_name",
"identifier": "Name"
},
{
"columnName": "email",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "computer_name",
"identifier": "HostName"
},
{
"columnName": "operating_system",
"identifier": "OSVersion"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "ip",
"identifier": "Address"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "url",
"identifier": "Url"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CompromisedEmployeesRule.yaml",
"query": "// Compromised Employees - Latest per UID\nlet timeFrame = 5m;\nCyfirmaCompromisedAccounts_CL\n| where TimeGenerated between (ago(timeFrame) .. now())\n and Category has \"Compromised Employees\"\n| extend \n ProviderName = 'CYFIRMA',\n ProductName = 'DeCYFIR/DeTCT'\n| summarize arg_max(TimeGenerated, \n url,\n ip,\n email,\n user_name,\n computer_name,\n operating_system,\n breach_date,\n first_seen,\n last_seen,\n impact,\n recommendations,\n description,\n source,\n pass_hash,\n ProductName,\n ProviderName\n) by uid\n| sort by TimeGenerated desc\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT6H",
"suppressionEnabled": true,
"tactics": [
"CredentialAccess",
"InitialAccess",
"Persistence"
],
"techniques": [
"T1003",
"T1078",
"T1098",
"T1552"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}