CYFIRMA - Compromised Employees Detection Rule
| Id | 72d3fb86-d1eb-44d6-9352-170c6bb45bb7 |
| Rulename | CYFIRMA - Compromised Employees Detection Rule |
| Description | “Identifies and alerts on internal employee accounts that have been compromised, based on CYFIRMA’s threat intelligence. This rule captures the latest exposure of user credentials, IP addresses, hostnames, operating systems, and pass hashes observed in the threat feed. It supports rapid detection and investigation of phishing, stealer malware, and insider compromise scenarios.” |
| Severity | High |
| Tactics | CredentialAccess InitialAccess Persistence |
| Techniques | T1003 T1552 T1078 T1098 |
| Required data connectors | CyfirmaCompromisedAccountsDataConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CompromisedEmployeesRule.yaml |
| Version | 1.0.0 |
| Arm template | 72d3fb86-d1eb-44d6-9352-170c6bb45bb7.json |
// Compromised Employees - Latest per UID
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
and Category has "Compromised Employees"
| extend
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| summarize arg_max(TimeGenerated,
url,
ip,
email,
user_name,
computer_name,
operating_system,
breach_date,
first_seen,
last_seen,
impact,
recommendations,
description,
source,
pass_hash,
ProductName,
ProviderName
) by uid
| sort by TimeGenerated desc
requiredDataConnectors:
- connectorId: CyfirmaCompromisedAccountsDataConnector
dataTypes:
- CyfirmaCompromisedAccounts_CL
tactics:
- CredentialAccess
- InitialAccess
- Persistence
eventGroupingSettings:
aggregationKind: AlertPerResult
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: false
lookbackDuration: 5h
matchingMethod: AllEntities
reopenClosedIncident: false
description: |
"Identifies and alerts on internal employee accounts that have been compromised, based on CYFIRMA's threat intelligence.
This rule captures the latest exposure of user credentials, IP addresses, hostnames, operating systems, and pass hashes observed in the threat feed.
It supports rapid detection and investigation of phishing, stealer malware, and insider compromise scenarios."
query: |
// Compromised Employees - Latest per UID
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
and Category has "Compromised Employees"
| extend
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| summarize arg_max(TimeGenerated,
url,
ip,
email,
user_name,
computer_name,
operating_system,
breach_date,
first_seen,
last_seen,
impact,
recommendations,
description,
source,
pass_hash,
ProductName,
ProviderName
) by uid
| sort by TimeGenerated desc
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CompromisedEmployeesRule.yaml
id: 72d3fb86-d1eb-44d6-9352-170c6bb45bb7
triggerOperator: gt
alertDetailsOverride:
alertDisplayNameFormat: Employee Compromised - {{user_name}} - {{email}}
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
alertDescriptionFormat: '{{description}}'
status: Available
triggerThreshold: 0
queryFrequency: 5m
severity: High
entityMappings:
- fieldMappings:
- columnName: user_name
identifier: Name
- columnName: email
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: computer_name
identifier: HostName
- columnName: operating_system
identifier: OSVersion
entityType: Host
- fieldMappings:
- columnName: ip
identifier: Address
entityType: IP
- fieldMappings:
- columnName: url
identifier: Url
entityType: URL
name: CYFIRMA - Compromised Employees Detection Rule
suppressionDuration: 6h
queryPeriod: 5m
relevantTechniques:
- T1003
- T1552
- T1078
- T1098
kind: Scheduled
suppressionEnabled: true
version: 1.0.0
customDetails:
FirstSeen: first_seen
Description: description
PassHash: pass_hash
Impact: impact
TimeGenerated: TimeGenerated
BreachDate: breach_date
Recommendations: recommendations
LastSeen: last_seen
Source: source
UID: uid
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/72d3fb86-d1eb-44d6-9352-170c6bb45bb7')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/72d3fb86-d1eb-44d6-9352-170c6bb45bb7')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{description}}",
"alertDisplayNameFormat": "Employee Compromised - {{user_name}} - {{email}}",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "72d3fb86-d1eb-44d6-9352-170c6bb45bb7",
"customDetails": {
"BreachDate": "breach_date",
"Description": "description",
"FirstSeen": "first_seen",
"Impact": "impact",
"LastSeen": "last_seen",
"PassHash": "pass_hash",
"Recommendations": "recommendations",
"Source": "source",
"TimeGenerated": "TimeGenerated",
"UID": "uid"
},
"description": "\"Identifies and alerts on internal employee accounts that have been compromised, based on CYFIRMA's threat intelligence.\nThis rule captures the latest exposure of user credentials, IP addresses, hostnames, operating systems, and pass hashes observed in the threat feed.\nIt supports rapid detection and investigation of phishing, stealer malware, and insider compromise scenarios.\"\n",
"displayName": "CYFIRMA - Compromised Employees Detection Rule",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "user_name",
"identifier": "Name"
},
{
"columnName": "email",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "computer_name",
"identifier": "HostName"
},
{
"columnName": "operating_system",
"identifier": "OSVersion"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "ip",
"identifier": "Address"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "url",
"identifier": "Url"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CompromisedEmployeesRule.yaml",
"query": "// Compromised Employees - Latest per UID\nlet timeFrame = 5m;\nCyfirmaCompromisedAccounts_CL\n| where TimeGenerated between (ago(timeFrame) .. now())\n and Category has \"Compromised Employees\"\n| extend \n ProviderName = 'CYFIRMA',\n ProductName = 'DeCYFIR/DeTCT'\n| summarize arg_max(TimeGenerated, \n url,\n ip,\n email,\n user_name,\n computer_name,\n operating_system,\n breach_date,\n first_seen,\n last_seen,\n impact,\n recommendations,\n description,\n source,\n pass_hash,\n ProductName,\n ProviderName\n) by uid\n| sort by TimeGenerated desc\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT6H",
"suppressionEnabled": true,
"tactics": [
"CredentialAccess",
"InitialAccess",
"Persistence"
],
"techniques": [
"T1003",
"T1078",
"T1098",
"T1552"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}