CYFIRMA - Compromised Employees Detection Rule

// Compromised Employees - Latest per UID
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
    and Category has "Compromised Employees"
| extend 
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| summarize arg_max(TimeGenerated, 
    url,
    ip,
    email,
    user_name,
    computer_name,
    operating_system,
    breach_date,
    first_seen,
    last_seen,
    impact,
    recommendations,
    description,
    source,
    pass_hash,
    ProductName,
    ProviderName
) by uid
| sort by TimeGenerated desc

suppressionEnabled: true
kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 5m
suppressionDuration: 6h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CompromisedEmployeesRule.yaml
alertDetailsOverride:
  alertDisplayNameFormat: Employee Compromised - {{user_name}} - {{email}}
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDescriptionFormat: '{{description}}'
severity: High
triggerOperator: gt
triggerThreshold: 0
name: CYFIRMA - Compromised Employees Detection Rule
customDetails:
  FirstSeen: first_seen
  Source: source
  UID: uid
  PassHash: pass_hash
  Impact: impact
  LastSeen: last_seen
  Recommendations: recommendations
  Description: description
  TimeGenerated: TimeGenerated
  BreachDate: breach_date
entityMappings:
- fieldMappings:
  - columnName: user_name
    identifier: Name
  - columnName: email
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: computer_name
    identifier: HostName
  - columnName: operating_system
    identifier: OSVersion
  entityType: Host
- fieldMappings:
  - columnName: ip
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: url
    identifier: Url
  entityType: URL
requiredDataConnectors:
- connectorId: CyfirmaCompromisedAccountsDataConnector
  dataTypes:
  - CyfirmaCompromisedAccounts_CL
id: 72d3fb86-d1eb-44d6-9352-170c6bb45bb7
queryPeriod: 5m
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: PT5H
tactics:
- CredentialAccess
- InitialAccess
- Persistence
description: |
  "Identifies and alerts on internal employee accounts that have been compromised, based on CYFIRMA's threat intelligence.
  This rule captures the latest exposure of user credentials, IP addresses, hostnames, operating systems, and pass hashes observed in the threat feed.
  It supports rapid detection and investigation of phishing, stealer malware, and insider compromise scenarios."  
relevantTechniques:
- T1003
- T1552
- T1078
- T1098
status: Available
version: 1.0.1
query: |
  // Compromised Employees - Latest per UID
  let timeFrame = 5m;
  CyfirmaCompromisedAccounts_CL
  | where TimeGenerated between (ago(timeFrame) .. now())
      and Category has "Compromised Employees"
  | extend 
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | summarize arg_max(TimeGenerated, 
      url,
      ip,
      email,
      user_name,
      computer_name,
      operating_system,
      breach_date,
      first_seen,
      last_seen,
      impact,
      recommendations,
      description,
      source,
      pass_hash,
      ProductName,
      ProviderName
  ) by uid
  | sort by TimeGenerated desc