CYFIRMA - Compromised Employees Detection Rule

// Compromised Employees - Latest per UID
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
    and Category has "Compromised Employees"
| extend 
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| summarize arg_max(TimeGenerated, 
    url,
    ip,
    email,
    user_name,
    computer_name,
    operating_system,
    breach_date,
    first_seen,
    last_seen,
    impact,
    recommendations,
    description,
    source,
    pass_hash,
    ProductName,
    ProviderName
) by uid
| sort by TimeGenerated desc

queryFrequency: 5m
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: user_name
    identifier: Name
  - columnName: email
    identifier: UPNSuffix
- entityType: Host
  fieldMappings:
  - columnName: computer_name
    identifier: HostName
  - columnName: operating_system
    identifier: OSVersion
- entityType: IP
  fieldMappings:
  - columnName: ip
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: url
    identifier: Url
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 1.0.1
id: 72d3fb86-d1eb-44d6-9352-170c6bb45bb7
suppressionEnabled: true
severity: High
kind: Scheduled
suppressionDuration: 6h
description: |
  "Identifies and alerts on internal employee accounts that have been compromised, based on CYFIRMA's threat intelligence.
  This rule captures the latest exposure of user credentials, IP addresses, hostnames, operating systems, and pass hashes observed in the threat feed.
  It supports rapid detection and investigation of phishing, stealer malware, and insider compromise scenarios."  
relevantTechniques:
- T1003
- T1552
- T1078
- T1098
requiredDataConnectors:
- connectorId: CyfirmaCompromisedAccountsDataConnector
  dataTypes:
  - CyfirmaCompromisedAccounts_CL
triggerOperator: gt
name: CYFIRMA - Compromised Employees Detection Rule
tactics:
- CredentialAccess
- InitialAccess
- Persistence
alertDetailsOverride:
  alertDescriptionFormat: '{{description}}'
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
  alertDisplayNameFormat: Employee Compromised - {{user_name}} - {{email}}
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CompromisedEmployeesRule.yaml
triggerThreshold: 0
queryPeriod: 5m
query: |
  // Compromised Employees - Latest per UID
  let timeFrame = 5m;
  CyfirmaCompromisedAccounts_CL
  | where TimeGenerated between (ago(timeFrame) .. now())
      and Category has "Compromised Employees"
  | extend 
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | summarize arg_max(TimeGenerated, 
      url,
      ip,
      email,
      user_name,
      computer_name,
      operating_system,
      breach_date,
      first_seen,
      last_seen,
      impact,
      recommendations,
      description,
      source,
      pass_hash,
      ProductName,
      ProviderName
  ) by uid
  | sort by TimeGenerated desc  
status: Available
customDetails:
  Description: description
  TimeGenerated: TimeGenerated
  Impact: impact
  Source: source
  FirstSeen: first_seen
  LastSeen: last_seen
  Recommendations: recommendations
  PassHash: pass_hash
  UID: uid
  BreachDate: breach_date
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities