Lookout - Critical Smishing and Phishing Alerts v2

Back


Id	7a3e5f9b-4c8d-4a2e-9f1b-6d8e2a4c7f9e
Rulename	Lookout - Critical Smishing and Phishing Alerts (v2)
Description	Detects critical smishing (SMS phishing) and phishing alerts from Lookout Mobile Risk API v2. This rule identifies sophisticated social engineering attacks including CEO fraud, credential harvesting, and malicious link campaigns targeting mobile devices. Leverages enhanced v2 smishing detection capabilities for comprehensive mobile threat protection.
Severity	High
Tactics	InitialAccess CredentialAccess Collection Discovery
Techniques	T1660 T1417 T1423
Required data connectors	LookoutAPI
Kind	Scheduled
Query frequency	5m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutSmishingAlertV2.yaml
Version	2.0.3
Arm template	7a3e5f9b-4c8d-4a2e-9f1b-6d8e2a4c7f9e.json

KQL

LookoutEvents
| where EventType == "SMISHING_ALERT"
| where SmishingAlertSeverity in ("CRITICAL", "HIGH")
| where SmishingAlertType in ("PHISHING_DETECTION", "FRAUD_DETECTION", "CREDENTIAL_HARVESTING")
| extend 
    AlertRiskScore = case(
        SmishingAlertSeverity == "CRITICAL", 10,
        SmishingAlertSeverity == "HIGH", 8,
        SmishingAlertSeverity == "MEDIUM", 5,
        SmishingAlertSeverity == "LOW", 2,
        1
    ),
    ThreatCategory = case(
        SmishingAlertType == "PHISHING_DETECTION", "Phishing",
        SmishingAlertType == "FRAUD_DETECTION", "Fraud",
        SmishingAlertType == "CREDENTIAL_HARVESTING", "Credential Theft",
        SmishingAlertType == "MALICIOUS_LINK", "Malicious Link",
        "Other"
    ),
    ImpersonationRisk = case(
        SmishingAlertDescription has "CEO" or SmishingAlertDescription has "executive", "Executive Impersonation",
        SmishingAlertDescription has "IT" or SmishingAlertDescription has "support", "IT Support Impersonation", 
        SmishingAlertDescription has "bank" or SmishingAlertDescription has "financial", "Financial Impersonation",
        SmishingAlertDescription has "delivery" or SmishingAlertDescription has "package", "Delivery Impersonation",
        "Generic Phishing"
    )
| extend DeviceRiskLevel = case(
    DeviceSecurityStatus == "THREATS_HIGH", "High",
    DeviceSecurityStatus == "THREATS_MEDIUM", "Medium", 
    DeviceSecurityStatus == "THREATS_LOW", "Low",
    "Unknown"
)
| extend CampaignIndicators = case(
    AlertRiskScore >= 8 and DeviceRiskLevel == "High", "Targeted Campaign",
    AlertRiskScore >= 6 and ImpersonationRisk != "Generic Phishing", "Sophisticated Attack",
    AlertRiskScore >= 5, "Coordinated Threat",
    "Isolated Incident"
)
| project
    TimeGenerated,
    EventId,
    SmishingAlertId,
    SmishingAlertType,
    SmishingAlertSeverity,
    SmishingAlertDescription,
    AlertRiskScore,
    ThreatCategory,
    ImpersonationRisk,
    CampaignIndicators,
    DeviceGuid,
    DevicePlatform,
    DeviceOSVersion,
    DeviceManufacturer,
    DeviceModel,
    DeviceEmailAddress,
    DeviceSecurityStatus,
    DeviceRiskLevel,
    TargetEmailAddress,
    TargetPlatform,
    ActorType,
    ActorGuid,
    ChangeType

YAML

eventGroupingSettings:
  aggregationKind: AlertPerResult
suppressionEnabled: false
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutSmishingAlertV2.yaml
query: |
  LookoutEvents
  | where EventType == "SMISHING_ALERT"
  | where SmishingAlertSeverity in ("CRITICAL", "HIGH")
  | where SmishingAlertType in ("PHISHING_DETECTION", "FRAUD_DETECTION", "CREDENTIAL_HARVESTING")
  | extend 
      AlertRiskScore = case(
          SmishingAlertSeverity == "CRITICAL", 10,
          SmishingAlertSeverity == "HIGH", 8,
          SmishingAlertSeverity == "MEDIUM", 5,
          SmishingAlertSeverity == "LOW", 2,
          1
      ),
      ThreatCategory = case(
          SmishingAlertType == "PHISHING_DETECTION", "Phishing",
          SmishingAlertType == "FRAUD_DETECTION", "Fraud",
          SmishingAlertType == "CREDENTIAL_HARVESTING", "Credential Theft",
          SmishingAlertType == "MALICIOUS_LINK", "Malicious Link",
          "Other"
      ),
      ImpersonationRisk = case(
          SmishingAlertDescription has "CEO" or SmishingAlertDescription has "executive", "Executive Impersonation",
          SmishingAlertDescription has "IT" or SmishingAlertDescription has "support", "IT Support Impersonation", 
          SmishingAlertDescription has "bank" or SmishingAlertDescription has "financial", "Financial Impersonation",
          SmishingAlertDescription has "delivery" or SmishingAlertDescription has "package", "Delivery Impersonation",
          "Generic Phishing"
      )
  | extend DeviceRiskLevel = case(
      DeviceSecurityStatus == "THREATS_HIGH", "High",
      DeviceSecurityStatus == "THREATS_MEDIUM", "Medium", 
      DeviceSecurityStatus == "THREATS_LOW", "Low",
      "Unknown"
  )
  | extend CampaignIndicators = case(
      AlertRiskScore >= 8 and DeviceRiskLevel == "High", "Targeted Campaign",
      AlertRiskScore >= 6 and ImpersonationRisk != "Generic Phishing", "Sophisticated Attack",
      AlertRiskScore >= 5, "Coordinated Threat",
      "Isolated Incident"
  )
  | project
      TimeGenerated,
      EventId,
      SmishingAlertId,
      SmishingAlertType,
      SmishingAlertSeverity,
      SmishingAlertDescription,
      AlertRiskScore,
      ThreatCategory,
      ImpersonationRisk,
      CampaignIndicators,
      DeviceGuid,
      DevicePlatform,
      DeviceOSVersion,
      DeviceManufacturer,
      DeviceModel,
      DeviceEmailAddress,
      DeviceSecurityStatus,
      DeviceRiskLevel,
      TargetEmailAddress,
      TargetPlatform,
      ActorType,
      ActorGuid,
      ChangeType  
version: 2.0.3
queryFrequency: 5m
id: 7a3e5f9b-4c8d-4a2e-9f1b-6d8e2a4c7f9e
requiredDataConnectors:
- dataTypes:
  - LookoutEvents
  connectorId: LookoutAPI
name: Lookout - Critical Smishing and Phishing Alerts (v2)
description: |
    'Detects critical smishing (SMS phishing) and phishing alerts from Lookout Mobile Risk API v2. This rule identifies sophisticated social engineering attacks including CEO fraud, credential harvesting, and malicious link campaigns targeting mobile devices. Leverages enhanced v2 smishing detection capabilities for comprehensive mobile threat protection.'
incidentConfiguration:
  groupingConfiguration:
    groupByEntities:
    - Account
    - Host
    enabled: true
    matchingMethod: Selected
    reopenClosedIncident: false
    groupByCustomDetails:
    - ThreatCategory
    - ImpersonationRisk
    - CampaignIndicators
    lookbackDuration: P1D
    groupByAlertDetails:
    - SmishAlertType
    - DeviceGuid
  createIncident: true
tactics:
- InitialAccess
- CredentialAccess
- Collection
- Discovery
suppressionDuration: PT1H
triggerOperator: gt
alertDetailsOverride:
  alertTacticsColumnName: ThreatCategory
  alertDescriptionFormat: '{{SmishingAlertSeverity}} {{ThreatCategory}} attack on {{DevicePlatform}}'
  alertDisplayNameFormat: 'Critical Smishing Alert: {{ThreatCategory}} targeting {{DevicePlatform}} Device'
  alertSeverityColumnName: SmishingAlertSeverity
queryPeriod: 15m
kind: Scheduled
status: Available
severity: High
relevantTechniques:
- T1660
- T1417
- T1423
customDetails:
  DeviceSecStatus: DeviceSecurityStatus
  ImpersonationRisk: ImpersonationRisk
  CampaignIndicators: CampaignIndicators
  SmishAlertType: SmishingAlertType
  DeviceRiskLevel: DeviceRiskLevel
  ThreatCategory: ThreatCategory
  SmishSeverity: SmishingAlertSeverity
  AlertRiskScore: AlertRiskScore
  DevicePlatform: DevicePlatform
triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: DeviceEmailAddress
    identifier: FullName
  - columnName: TargetEmailAddress
    identifier: Name
- entityType: Host
  fieldMappings:
  - columnName: DeviceGuid
    identifier: HostName
  - columnName: DevicePlatform
    identifier: OSFamily
  - columnName: DeviceOSVersion
    identifier: OSVersion
- entityType: URL
  fieldMappings:
  - columnName: SmishingAlertDescription
    identifier: Url

ARM