CYFIRMA - Compromised Employees Detection Rule

// Compromised Employees - Latest per UID
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
    and Category has "Compromised Employees"
| extend 
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| summarize arg_max(TimeGenerated, 
    url,
    ip,
    email,
    user_name,
    computer_name,
    operating_system,
    breach_date,
    first_seen,
    last_seen,
    impact,
    recommendations,
    description,
    source,
    pass_hash,
    ProductName,
    ProviderName
) by uid
| sort by TimeGenerated desc

queryPeriod: 5m
relevantTechniques:
- T1003
- T1552
- T1078
- T1098
kind: Scheduled
query: |
  // Compromised Employees - Latest per UID
  let timeFrame = 5m;
  CyfirmaCompromisedAccounts_CL
  | where TimeGenerated between (ago(timeFrame) .. now())
      and Category has "Compromised Employees"
  | extend 
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | summarize arg_max(TimeGenerated, 
      url,
      ip,
      email,
      user_name,
      computer_name,
      operating_system,
      breach_date,
      first_seen,
      last_seen,
      impact,
      recommendations,
      description,
      source,
      pass_hash,
      ProductName,
      ProviderName
  ) by uid
  | sort by TimeGenerated desc  
triggerThreshold: 0
triggerOperator: gt
tactics:
- CredentialAccess
- InitialAccess
- Persistence
queryFrequency: 5m
suppressionEnabled: true
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    reopenClosedIncident: false
  createIncident: true
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertDisplayNameFormat: Employee Compromised - {{user_name}} - {{email}}
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDescriptionFormat: '{{description}}'
id: 72d3fb86-d1eb-44d6-9352-170c6bb45bb7
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CompromisedEmployeesRule.yaml
version: 1.0.1
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: user_name
  - identifier: UPNSuffix
    columnName: email
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: computer_name
  - identifier: OSVersion
    columnName: operating_system
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: ip
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: url
suppressionDuration: 6h
customDetails:
  TimeGenerated: TimeGenerated
  LastSeen: last_seen
  Impact: impact
  UID: uid
  PassHash: pass_hash
  Source: source
  FirstSeen: first_seen
  Recommendations: recommendations
  Description: description
  BreachDate: breach_date
status: Available
name: CYFIRMA - Compromised Employees Detection Rule
severity: High
requiredDataConnectors:
- dataTypes:
  - CyfirmaCompromisedAccounts_CL
  connectorId: CyfirmaCompromisedAccountsDataConnector
description: |
  "Identifies and alerts on internal employee accounts that have been compromised, based on CYFIRMA's threat intelligence.
  This rule captures the latest exposure of user credentials, IP addresses, hostnames, operating systems, and pass hashes observed in the threat feed.
  It supports rapid detection and investigation of phishing, stealer malware, and insider compromise scenarios."