CYFIRMA - Compromised Employees Detection Rule

// Compromised Employees - Latest per UID
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
    and Category has "Compromised Employees"
| extend 
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| summarize arg_max(TimeGenerated, 
    url,
    ip,
    email,
    user_name,
    computer_name,
    operating_system,
    breach_date,
    first_seen,
    last_seen,
    impact,
    recommendations,
    description,
    source,
    pass_hash,
    ProductName,
    ProviderName
) by uid
| sort by TimeGenerated desc

customDetails:
  TimeGenerated: TimeGenerated
  FirstSeen: first_seen
  Description: description
  Recommendations: recommendations
  Impact: impact
  PassHash: pass_hash
  Source: source
  LastSeen: last_seen
  BreachDate: breach_date
  UID: uid
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CompromisedEmployeesRule.yaml
suppressionDuration: 6h
requiredDataConnectors:
- dataTypes:
  - CyfirmaCompromisedAccounts_CL
  connectorId: CyfirmaCompromisedAccountsDataConnector
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
  createIncident: true
relevantTechniques:
- T1003
- T1552
- T1078
- T1098
kind: Scheduled
name: CYFIRMA - Compromised Employees Detection Rule
query: |
  // Compromised Employees - Latest per UID
  let timeFrame = 5m;
  CyfirmaCompromisedAccounts_CL
  | where TimeGenerated between (ago(timeFrame) .. now())
      and Category has "Compromised Employees"
  | extend 
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | summarize arg_max(TimeGenerated, 
      url,
      ip,
      email,
      user_name,
      computer_name,
      operating_system,
      breach_date,
      first_seen,
      last_seen,
      impact,
      recommendations,
      description,
      source,
      pass_hash,
      ProductName,
      ProviderName
  ) by uid
  | sort by TimeGenerated desc  
tactics:
- CredentialAccess
- InitialAccess
- Persistence
severity: High
suppressionEnabled: true
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: user_name
  - identifier: UPNSuffix
    columnName: email
  entityType: Account
- fieldMappings:
  - identifier: HostName
    columnName: computer_name
  - identifier: OSVersion
    columnName: operating_system
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: ip
  entityType: IP
- fieldMappings:
  - identifier: Url
    columnName: url
  entityType: URL
queryFrequency: 5m
description: |
  "Identifies and alerts on internal employee accounts that have been compromised, based on CYFIRMA's threat intelligence.
  This rule captures the latest exposure of user credentials, IP addresses, hostnames, operating systems, and pass hashes observed in the threat feed.
  It supports rapid detection and investigation of phishing, stealer malware, and insider compromise scenarios."  
alertDetailsOverride:
  alertDisplayNameFormat: Employee Compromised - {{user_name}} - {{email}}
  alertDescriptionFormat: '{{description}}'
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
triggerThreshold: 0
triggerOperator: gt
version: 1.0.1
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryPeriod: 5m
id: 72d3fb86-d1eb-44d6-9352-170c6bb45bb7