Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Compromised Employees Detection Rule

Back
Id72d3fb86-d1eb-44d6-9352-170c6bb45bb7
RulenameCYFIRMA - Compromised Employees Detection Rule
Description“Identifies and alerts on internal employee accounts that have been compromised, based on CYFIRMA’s threat intelligence.

This rule captures the latest exposure of user credentials, IP addresses, hostnames, operating systems, and pass hashes observed in the threat feed.

It supports rapid detection and investigation of phishing, stealer malware, and insider compromise scenarios.”
SeverityHigh
TacticsCredentialAccess
InitialAccess
Persistence
TechniquesT1003
T1552
T1078
T1098
Required data connectorsCyfirmaCompromisedAccountsDataConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CompromisedEmployeesRule.yaml
Version1.0.0
Arm template72d3fb86-d1eb-44d6-9352-170c6bb45bb7.json
Deploy To Azure
// Compromised Employees - Latest per UID
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
    and Category has "Compromised Employees"
| extend 
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| summarize arg_max(TimeGenerated, 
    url,
    ip,
    email,
    user_name,
    computer_name,
    operating_system,
    breach_date,
    first_seen,
    last_seen,
    impact,
    recommendations,
    description,
    source,
    pass_hash,
    ProductName,
    ProviderName
) by uid
| sort by TimeGenerated desc
tactics:
- CredentialAccess
- InitialAccess
- Persistence
name: CYFIRMA - Compromised Employees Detection Rule
suppressionEnabled: true
requiredDataConnectors:
- connectorId: CyfirmaCompromisedAccountsDataConnector
  dataTypes:
  - CyfirmaCompromisedAccounts_CL
query: |
  // Compromised Employees - Latest per UID
  let timeFrame = 5m;
  CyfirmaCompromisedAccounts_CL
  | where TimeGenerated between (ago(timeFrame) .. now())
      and Category has "Compromised Employees"
  | extend 
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | summarize arg_max(TimeGenerated, 
      url,
      ip,
      email,
      user_name,
      computer_name,
      operating_system,
      breach_date,
      first_seen,
      last_seen,
      impact,
      recommendations,
      description,
      source,
      pass_hash,
      ProductName,
      ProviderName
  ) by uid
  | sort by TimeGenerated desc  
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1003
- T1552
- T1078
- T1098
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: 5h
    enabled: false
description: |
  "Identifies and alerts on internal employee accounts that have been compromised, based on CYFIRMA's threat intelligence.
  This rule captures the latest exposure of user credentials, IP addresses, hostnames, operating systems, and pass hashes observed in the threat feed.
  It supports rapid detection and investigation of phishing, stealer malware, and insider compromise scenarios."  
triggerOperator: gt
queryPeriod: 5m
suppressionDuration: 6h
severity: High
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: user_name
  - identifier: UPNSuffix
    columnName: email
  entityType: Account
- fieldMappings:
  - identifier: HostName
    columnName: computer_name
  - identifier: OSVersion
    columnName: operating_system
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: ip
  entityType: IP
- fieldMappings:
  - identifier: Url
    columnName: url
  entityType: URL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CompromisedEmployeesRule.yaml
version: 1.0.0
alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDisplayNameFormat: Employee Compromised - {{user_name}} - {{email}}
  alertDescriptionFormat: '{{description}}'
triggerThreshold: 0
id: 72d3fb86-d1eb-44d6-9352-170c6bb45bb7
queryFrequency: 5m
kind: Scheduled
status: Available
customDetails:
  Recommendations: recommendations
  Description: description
  FirstSeen: first_seen
  TimeGenerated: TimeGenerated
  Source: source
  PassHash: pass_hash
  BreachDate: breach_date
  LastSeen: last_seen
  Impact: impact
  UID: uid
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/72d3fb86-d1eb-44d6-9352-170c6bb45bb7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/72d3fb86-d1eb-44d6-9352-170c6bb45bb7')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{description}}",
          "alertDisplayNameFormat": "Employee Compromised - {{user_name}} - {{email}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "72d3fb86-d1eb-44d6-9352-170c6bb45bb7",
        "customDetails": {
          "BreachDate": "breach_date",
          "Description": "description",
          "FirstSeen": "first_seen",
          "Impact": "impact",
          "LastSeen": "last_seen",
          "PassHash": "pass_hash",
          "Recommendations": "recommendations",
          "Source": "source",
          "TimeGenerated": "TimeGenerated",
          "UID": "uid"
        },
        "description": "\"Identifies and alerts on internal employee accounts that have been compromised, based on CYFIRMA's threat intelligence.\nThis rule captures the latest exposure of user credentials, IP addresses, hostnames, operating systems, and pass hashes observed in the threat feed.\nIt supports rapid detection and investigation of phishing, stealer malware, and insider compromise scenarios.\"\n",
        "displayName": "CYFIRMA - Compromised Employees Detection Rule",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "user_name",
                "identifier": "Name"
              },
              {
                "columnName": "email",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "computer_name",
                "identifier": "HostName"
              },
              {
                "columnName": "operating_system",
                "identifier": "OSVersion"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ip",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "url",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CompromisedEmployeesRule.yaml",
        "query": "// Compromised Employees - Latest per UID\nlet timeFrame = 5m;\nCyfirmaCompromisedAccounts_CL\n| where TimeGenerated between (ago(timeFrame) .. now())\n    and Category has \"Compromised Employees\"\n| extend \n    ProviderName = 'CYFIRMA',\n    ProductName = 'DeCYFIR/DeTCT'\n| summarize arg_max(TimeGenerated, \n    url,\n    ip,\n    email,\n    user_name,\n    computer_name,\n    operating_system,\n    breach_date,\n    first_seen,\n    last_seen,\n    impact,\n    recommendations,\n    description,\n    source,\n    pass_hash,\n    ProductName,\n    ProviderName\n) by uid\n| sort by TimeGenerated desc\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT6H",
        "suppressionEnabled": true,
        "tactics": [
          "CredentialAccess",
          "InitialAccess",
          "Persistence"
        ],
        "techniques": [
          "T1003",
          "T1078",
          "T1098",
          "T1552"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}