CYFIRMA - Compromised Employees Detection Rule
| Id | 72d3fb86-d1eb-44d6-9352-170c6bb45bb7 |
| Rulename | CYFIRMA - Compromised Employees Detection Rule |
| Description | “Identifies and alerts on internal employee accounts that have been compromised, based on CYFIRMA’s threat intelligence. This rule captures the latest exposure of user credentials, IP addresses, hostnames, operating systems, and pass hashes observed in the threat feed. It supports rapid detection and investigation of phishing, stealer malware, and insider compromise scenarios.” |
| Severity | High |
| Tactics | CredentialAccess InitialAccess Persistence |
| Techniques | T1003 T1552 T1078 T1098 |
| Required data connectors | CyfirmaCompromisedAccountsDataConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CompromisedEmployeesRule.yaml |
| Version | 1.0.0 |
| Arm template | 72d3fb86-d1eb-44d6-9352-170c6bb45bb7.json |
// Compromised Employees - Latest per UID
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
and Category has "Compromised Employees"
| extend
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| summarize arg_max(TimeGenerated,
url,
ip,
email,
user_name,
computer_name,
operating_system,
breach_date,
first_seen,
last_seen,
impact,
recommendations,
description,
source,
pass_hash,
ProductName,
ProviderName
) by uid
| sort by TimeGenerated desc
tactics:
- CredentialAccess
- InitialAccess
- Persistence
name: CYFIRMA - Compromised Employees Detection Rule
suppressionEnabled: true
requiredDataConnectors:
- connectorId: CyfirmaCompromisedAccountsDataConnector
dataTypes:
- CyfirmaCompromisedAccounts_CL
query: |
// Compromised Employees - Latest per UID
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
and Category has "Compromised Employees"
| extend
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| summarize arg_max(TimeGenerated,
url,
ip,
email,
user_name,
computer_name,
operating_system,
breach_date,
first_seen,
last_seen,
impact,
recommendations,
description,
source,
pass_hash,
ProductName,
ProviderName
) by uid
| sort by TimeGenerated desc
eventGroupingSettings:
aggregationKind: AlertPerResult
relevantTechniques:
- T1003
- T1552
- T1078
- T1098
incidentConfiguration:
createIncident: true
groupingConfiguration:
matchingMethod: AllEntities
reopenClosedIncident: false
lookbackDuration: 5h
enabled: false
description: |
"Identifies and alerts on internal employee accounts that have been compromised, based on CYFIRMA's threat intelligence.
This rule captures the latest exposure of user credentials, IP addresses, hostnames, operating systems, and pass hashes observed in the threat feed.
It supports rapid detection and investigation of phishing, stealer malware, and insider compromise scenarios."
triggerOperator: gt
queryPeriod: 5m
suppressionDuration: 6h
severity: High
entityMappings:
- fieldMappings:
- identifier: Name
columnName: user_name
- identifier: UPNSuffix
columnName: email
entityType: Account
- fieldMappings:
- identifier: HostName
columnName: computer_name
- identifier: OSVersion
columnName: operating_system
entityType: Host
- fieldMappings:
- identifier: Address
columnName: ip
entityType: IP
- fieldMappings:
- identifier: Url
columnName: url
entityType: URL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CompromisedEmployeesRule.yaml
version: 1.0.0
alertDetailsOverride:
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
alertDisplayNameFormat: Employee Compromised - {{user_name}} - {{email}}
alertDescriptionFormat: '{{description}}'
triggerThreshold: 0
id: 72d3fb86-d1eb-44d6-9352-170c6bb45bb7
queryFrequency: 5m
kind: Scheduled
status: Available
customDetails:
Recommendations: recommendations
Description: description
FirstSeen: first_seen
TimeGenerated: TimeGenerated
Source: source
PassHash: pass_hash
BreachDate: breach_date
LastSeen: last_seen
Impact: impact
UID: uid
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/72d3fb86-d1eb-44d6-9352-170c6bb45bb7')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/72d3fb86-d1eb-44d6-9352-170c6bb45bb7')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{description}}",
"alertDisplayNameFormat": "Employee Compromised - {{user_name}} - {{email}}",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "72d3fb86-d1eb-44d6-9352-170c6bb45bb7",
"customDetails": {
"BreachDate": "breach_date",
"Description": "description",
"FirstSeen": "first_seen",
"Impact": "impact",
"LastSeen": "last_seen",
"PassHash": "pass_hash",
"Recommendations": "recommendations",
"Source": "source",
"TimeGenerated": "TimeGenerated",
"UID": "uid"
},
"description": "\"Identifies and alerts on internal employee accounts that have been compromised, based on CYFIRMA's threat intelligence.\nThis rule captures the latest exposure of user credentials, IP addresses, hostnames, operating systems, and pass hashes observed in the threat feed.\nIt supports rapid detection and investigation of phishing, stealer malware, and insider compromise scenarios.\"\n",
"displayName": "CYFIRMA - Compromised Employees Detection Rule",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "user_name",
"identifier": "Name"
},
{
"columnName": "email",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "computer_name",
"identifier": "HostName"
},
{
"columnName": "operating_system",
"identifier": "OSVersion"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "ip",
"identifier": "Address"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "url",
"identifier": "Url"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CompromisedEmployeesRule.yaml",
"query": "// Compromised Employees - Latest per UID\nlet timeFrame = 5m;\nCyfirmaCompromisedAccounts_CL\n| where TimeGenerated between (ago(timeFrame) .. now())\n and Category has \"Compromised Employees\"\n| extend \n ProviderName = 'CYFIRMA',\n ProductName = 'DeCYFIR/DeTCT'\n| summarize arg_max(TimeGenerated, \n url,\n ip,\n email,\n user_name,\n computer_name,\n operating_system,\n breach_date,\n first_seen,\n last_seen,\n impact,\n recommendations,\n description,\n source,\n pass_hash,\n ProductName,\n ProviderName\n) by uid\n| sort by TimeGenerated desc\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT6H",
"suppressionEnabled": true,
"tactics": [
"CredentialAccess",
"InitialAccess",
"Persistence"
],
"techniques": [
"T1003",
"T1078",
"T1098",
"T1552"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}