Lookout - Critical Smishing and Phishing Alerts v2

Back


Id	7a3e5f9b-4c8d-4a2e-9f1b-6d8e2a4c7f9e
Rulename	Lookout - Critical Smishing and Phishing Alerts (v2)
Description	Detects critical smishing (SMS phishing) and phishing alerts from Lookout Mobile Risk API v2. This rule identifies sophisticated social engineering attacks including CEO fraud, credential harvesting, and malicious link campaigns targeting mobile devices. Leverages enhanced v2 smishing detection capabilities for comprehensive mobile threat protection.
Severity	High
Tactics	InitialAccess CredentialAccess Collection Discovery
Techniques	T1660 T1417 T1423
Required data connectors	LookoutAPI
Kind	Scheduled
Query frequency	5m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutSmishingAlertV2.yaml
Version	2.0.3
Arm template	7a3e5f9b-4c8d-4a2e-9f1b-6d8e2a4c7f9e.json

KQL

LookoutEvents
| where EventType == "SMISHING_ALERT"
| where SmishingAlertSeverity in ("CRITICAL", "HIGH")
| where SmishingAlertType in ("PHISHING_DETECTION", "FRAUD_DETECTION", "CREDENTIAL_HARVESTING")
| extend 
    AlertRiskScore = case(
        SmishingAlertSeverity == "CRITICAL", 10,
        SmishingAlertSeverity == "HIGH", 8,
        SmishingAlertSeverity == "MEDIUM", 5,
        SmishingAlertSeverity == "LOW", 2,
        1
    ),
    ThreatCategory = case(
        SmishingAlertType == "PHISHING_DETECTION", "Phishing",
        SmishingAlertType == "FRAUD_DETECTION", "Fraud",
        SmishingAlertType == "CREDENTIAL_HARVESTING", "Credential Theft",
        SmishingAlertType == "MALICIOUS_LINK", "Malicious Link",
        "Other"
    ),
    ImpersonationRisk = case(
        SmishingAlertDescription has "CEO" or SmishingAlertDescription has "executive", "Executive Impersonation",
        SmishingAlertDescription has "IT" or SmishingAlertDescription has "support", "IT Support Impersonation", 
        SmishingAlertDescription has "bank" or SmishingAlertDescription has "financial", "Financial Impersonation",
        SmishingAlertDescription has "delivery" or SmishingAlertDescription has "package", "Delivery Impersonation",
        "Generic Phishing"
    )
| extend DeviceRiskLevel = case(
    DeviceSecurityStatus == "THREATS_HIGH", "High",
    DeviceSecurityStatus == "THREATS_MEDIUM", "Medium", 
    DeviceSecurityStatus == "THREATS_LOW", "Low",
    "Unknown"
)
| extend CampaignIndicators = case(
    AlertRiskScore >= 8 and DeviceRiskLevel == "High", "Targeted Campaign",
    AlertRiskScore >= 6 and ImpersonationRisk != "Generic Phishing", "Sophisticated Attack",
    AlertRiskScore >= 5, "Coordinated Threat",
    "Isolated Incident"
)
| project
    TimeGenerated,
    EventId,
    SmishingAlertId,
    SmishingAlertType,
    SmishingAlertSeverity,
    SmishingAlertDescription,
    AlertRiskScore,
    ThreatCategory,
    ImpersonationRisk,
    CampaignIndicators,
    DeviceGuid,
    DevicePlatform,
    DeviceOSVersion,
    DeviceManufacturer,
    DeviceModel,
    DeviceEmailAddress,
    DeviceSecurityStatus,
    DeviceRiskLevel,
    TargetEmailAddress,
    TargetPlatform,
    ActorType,
    ActorGuid,
    ChangeType

YAML

status: Available
queryFrequency: 5m
suppressionEnabled: false
queryPeriod: 15m
triggerOperator: gt
query: |
  LookoutEvents
  | where EventType == "SMISHING_ALERT"
  | where SmishingAlertSeverity in ("CRITICAL", "HIGH")
  | where SmishingAlertType in ("PHISHING_DETECTION", "FRAUD_DETECTION", "CREDENTIAL_HARVESTING")
  | extend 
      AlertRiskScore = case(
          SmishingAlertSeverity == "CRITICAL", 10,
          SmishingAlertSeverity == "HIGH", 8,
          SmishingAlertSeverity == "MEDIUM", 5,
          SmishingAlertSeverity == "LOW", 2,
          1
      ),
      ThreatCategory = case(
          SmishingAlertType == "PHISHING_DETECTION", "Phishing",
          SmishingAlertType == "FRAUD_DETECTION", "Fraud",
          SmishingAlertType == "CREDENTIAL_HARVESTING", "Credential Theft",
          SmishingAlertType == "MALICIOUS_LINK", "Malicious Link",
          "Other"
      ),
      ImpersonationRisk = case(
          SmishingAlertDescription has "CEO" or SmishingAlertDescription has "executive", "Executive Impersonation",
          SmishingAlertDescription has "IT" or SmishingAlertDescription has "support", "IT Support Impersonation", 
          SmishingAlertDescription has "bank" or SmishingAlertDescription has "financial", "Financial Impersonation",
          SmishingAlertDescription has "delivery" or SmishingAlertDescription has "package", "Delivery Impersonation",
          "Generic Phishing"
      )
  | extend DeviceRiskLevel = case(
      DeviceSecurityStatus == "THREATS_HIGH", "High",
      DeviceSecurityStatus == "THREATS_MEDIUM", "Medium", 
      DeviceSecurityStatus == "THREATS_LOW", "Low",
      "Unknown"
  )
  | extend CampaignIndicators = case(
      AlertRiskScore >= 8 and DeviceRiskLevel == "High", "Targeted Campaign",
      AlertRiskScore >= 6 and ImpersonationRisk != "Generic Phishing", "Sophisticated Attack",
      AlertRiskScore >= 5, "Coordinated Threat",
      "Isolated Incident"
  )
  | project
      TimeGenerated,
      EventId,
      SmishingAlertId,
      SmishingAlertType,
      SmishingAlertSeverity,
      SmishingAlertDescription,
      AlertRiskScore,
      ThreatCategory,
      ImpersonationRisk,
      CampaignIndicators,
      DeviceGuid,
      DevicePlatform,
      DeviceOSVersion,
      DeviceManufacturer,
      DeviceModel,
      DeviceEmailAddress,
      DeviceSecurityStatus,
      DeviceRiskLevel,
      TargetEmailAddress,
      TargetPlatform,
      ActorType,
      ActorGuid,
      ChangeType  
eventGroupingSettings:
  aggregationKind: AlertPerResult
suppressionDuration: PT1H
tactics:
- InitialAccess
- CredentialAccess
- Collection
- Discovery
triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: DeviceEmailAddress
  - identifier: Name
    columnName: TargetEmailAddress
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DeviceGuid
  - identifier: OSFamily
    columnName: DevicePlatform
  - identifier: OSVersion
    columnName: DeviceOSVersion
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: SmishingAlertDescription
requiredDataConnectors:
- connectorId: LookoutAPI
  dataTypes:
  - LookoutEvents
alertDetailsOverride:
  alertDescriptionFormat: '{{SmishingAlertSeverity}} {{ThreatCategory}} attack on {{DevicePlatform}}'
  alertDisplayNameFormat: 'Critical Smishing Alert: {{ThreatCategory}} targeting {{DevicePlatform}} Device'
  alertTacticsColumnName: ThreatCategory
  alertSeverityColumnName: SmishingAlertSeverity
relevantTechniques:
- T1660
- T1417
- T1423
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutSmishingAlertV2.yaml
customDetails:
  ImpersonationRisk: ImpersonationRisk
  AlertRiskScore: AlertRiskScore
  CampaignIndicators: CampaignIndicators
  SmishAlertType: SmishingAlertType
  ThreatCategory: ThreatCategory
  DeviceRiskLevel: DeviceRiskLevel
  DeviceSecStatus: DeviceSecurityStatus
  DevicePlatform: DevicePlatform
  SmishSeverity: SmishingAlertSeverity
description: |
    'Detects critical smishing (SMS phishing) and phishing alerts from Lookout Mobile Risk API v2. This rule identifies sophisticated social engineering attacks including CEO fraud, credential harvesting, and malicious link campaigns targeting mobile devices. Leverages enhanced v2 smishing detection capabilities for comprehensive mobile threat protection.'
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    groupByCustomDetails:
    - ThreatCategory
    - ImpersonationRisk
    - CampaignIndicators
    enabled: true
    groupByAlertDetails:
    - SmishAlertType
    - DeviceGuid
    matchingMethod: Selected
    lookbackDuration: P1D
    groupByEntities:
    - Account
    - Host
  createIncident: true
name: Lookout - Critical Smishing and Phishing Alerts (v2)
version: 2.0.3
kind: Scheduled
id: 7a3e5f9b-4c8d-4a2e-9f1b-6d8e2a4c7f9e
severity: High

ARM