Lookout - Critical Smishing and Phishing Alerts v2

Back


Id	7a3e5f9b-4c8d-4a2e-9f1b-6d8e2a4c7f9e
Rulename	Lookout - Critical Smishing and Phishing Alerts (v2)
Description	Detects critical smishing (SMS phishing) and phishing alerts from Lookout Mobile Risk API v2. This rule identifies sophisticated social engineering attacks including CEO fraud, credential harvesting, and malicious link campaigns targeting mobile devices. Leverages enhanced v2 smishing detection capabilities for comprehensive mobile threat protection.
Severity	High
Tactics	InitialAccess CredentialAccess Collection Discovery
Techniques	T1660 T1417 T1423
Required data connectors	LookoutAPI
Kind	Scheduled
Query frequency	5m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutSmishingAlertV2.yaml
Version	2.0.3
Arm template	7a3e5f9b-4c8d-4a2e-9f1b-6d8e2a4c7f9e.json

KQL

LookoutEvents
| where EventType == "SMISHING_ALERT"
| where SmishingAlertSeverity in ("CRITICAL", "HIGH")
| where SmishingAlertType in ("PHISHING_DETECTION", "FRAUD_DETECTION", "CREDENTIAL_HARVESTING")
| extend 
    AlertRiskScore = case(
        SmishingAlertSeverity == "CRITICAL", 10,
        SmishingAlertSeverity == "HIGH", 8,
        SmishingAlertSeverity == "MEDIUM", 5,
        SmishingAlertSeverity == "LOW", 2,
        1
    ),
    ThreatCategory = case(
        SmishingAlertType == "PHISHING_DETECTION", "Phishing",
        SmishingAlertType == "FRAUD_DETECTION", "Fraud",
        SmishingAlertType == "CREDENTIAL_HARVESTING", "Credential Theft",
        SmishingAlertType == "MALICIOUS_LINK", "Malicious Link",
        "Other"
    ),
    ImpersonationRisk = case(
        SmishingAlertDescription has "CEO" or SmishingAlertDescription has "executive", "Executive Impersonation",
        SmishingAlertDescription has "IT" or SmishingAlertDescription has "support", "IT Support Impersonation", 
        SmishingAlertDescription has "bank" or SmishingAlertDescription has "financial", "Financial Impersonation",
        SmishingAlertDescription has "delivery" or SmishingAlertDescription has "package", "Delivery Impersonation",
        "Generic Phishing"
    )
| extend DeviceRiskLevel = case(
    DeviceSecurityStatus == "THREATS_HIGH", "High",
    DeviceSecurityStatus == "THREATS_MEDIUM", "Medium", 
    DeviceSecurityStatus == "THREATS_LOW", "Low",
    "Unknown"
)
| extend CampaignIndicators = case(
    AlertRiskScore >= 8 and DeviceRiskLevel == "High", "Targeted Campaign",
    AlertRiskScore >= 6 and ImpersonationRisk != "Generic Phishing", "Sophisticated Attack",
    AlertRiskScore >= 5, "Coordinated Threat",
    "Isolated Incident"
)
| project
    TimeGenerated,
    EventId,
    SmishingAlertId,
    SmishingAlertType,
    SmishingAlertSeverity,
    SmishingAlertDescription,
    AlertRiskScore,
    ThreatCategory,
    ImpersonationRisk,
    CampaignIndicators,
    DeviceGuid,
    DevicePlatform,
    DeviceOSVersion,
    DeviceManufacturer,
    DeviceModel,
    DeviceEmailAddress,
    DeviceSecurityStatus,
    DeviceRiskLevel,
    TargetEmailAddress,
    TargetPlatform,
    ActorType,
    ActorGuid,
    ChangeType

YAML

entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: DeviceEmailAddress
  - identifier: Name
    columnName: TargetEmailAddress
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DeviceGuid
  - identifier: OSFamily
    columnName: DevicePlatform
  - identifier: OSVersion
    columnName: DeviceOSVersion
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: SmishingAlertDescription
tactics:
- InitialAccess
- CredentialAccess
- Collection
- Discovery
suppressionEnabled: false
suppressionDuration: PT1H
requiredDataConnectors:
- dataTypes:
  - LookoutEvents
  connectorId: LookoutAPI
alertDetailsOverride:
  alertDisplayNameFormat: 'Critical Smishing Alert: {{ThreatCategory}} targeting {{DevicePlatform}} Device'
  alertDescriptionFormat: '{{SmishingAlertSeverity}} {{ThreatCategory}} attack on {{DevicePlatform}}'
  alertTacticsColumnName: ThreatCategory
  alertSeverityColumnName: SmishingAlertSeverity
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    groupByAlertDetails:
    - SmishAlertType
    - DeviceGuid
    lookbackDuration: P1D
    groupByEntities:
    - Account
    - Host
    groupByCustomDetails:
    - ThreatCategory
    - ImpersonationRisk
    - CampaignIndicators
    enabled: true
    matchingMethod: Selected
  createIncident: true
id: 7a3e5f9b-4c8d-4a2e-9f1b-6d8e2a4c7f9e
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
customDetails:
  SmishSeverity: SmishingAlertSeverity
  SmishAlertType: SmishingAlertType
  AlertRiskScore: AlertRiskScore
  DeviceRiskLevel: DeviceRiskLevel
  ThreatCategory: ThreatCategory
  CampaignIndicators: CampaignIndicators
  DevicePlatform: DevicePlatform
  ImpersonationRisk: ImpersonationRisk
  DeviceSecStatus: DeviceSecurityStatus
query: |
  LookoutEvents
  | where EventType == "SMISHING_ALERT"
  | where SmishingAlertSeverity in ("CRITICAL", "HIGH")
  | where SmishingAlertType in ("PHISHING_DETECTION", "FRAUD_DETECTION", "CREDENTIAL_HARVESTING")
  | extend 
      AlertRiskScore = case(
          SmishingAlertSeverity == "CRITICAL", 10,
          SmishingAlertSeverity == "HIGH", 8,
          SmishingAlertSeverity == "MEDIUM", 5,
          SmishingAlertSeverity == "LOW", 2,
          1
      ),
      ThreatCategory = case(
          SmishingAlertType == "PHISHING_DETECTION", "Phishing",
          SmishingAlertType == "FRAUD_DETECTION", "Fraud",
          SmishingAlertType == "CREDENTIAL_HARVESTING", "Credential Theft",
          SmishingAlertType == "MALICIOUS_LINK", "Malicious Link",
          "Other"
      ),
      ImpersonationRisk = case(
          SmishingAlertDescription has "CEO" or SmishingAlertDescription has "executive", "Executive Impersonation",
          SmishingAlertDescription has "IT" or SmishingAlertDescription has "support", "IT Support Impersonation", 
          SmishingAlertDescription has "bank" or SmishingAlertDescription has "financial", "Financial Impersonation",
          SmishingAlertDescription has "delivery" or SmishingAlertDescription has "package", "Delivery Impersonation",
          "Generic Phishing"
      )
  | extend DeviceRiskLevel = case(
      DeviceSecurityStatus == "THREATS_HIGH", "High",
      DeviceSecurityStatus == "THREATS_MEDIUM", "Medium", 
      DeviceSecurityStatus == "THREATS_LOW", "Low",
      "Unknown"
  )
  | extend CampaignIndicators = case(
      AlertRiskScore >= 8 and DeviceRiskLevel == "High", "Targeted Campaign",
      AlertRiskScore >= 6 and ImpersonationRisk != "Generic Phishing", "Sophisticated Attack",
      AlertRiskScore >= 5, "Coordinated Threat",
      "Isolated Incident"
  )
  | project
      TimeGenerated,
      EventId,
      SmishingAlertId,
      SmishingAlertType,
      SmishingAlertSeverity,
      SmishingAlertDescription,
      AlertRiskScore,
      ThreatCategory,
      ImpersonationRisk,
      CampaignIndicators,
      DeviceGuid,
      DevicePlatform,
      DeviceOSVersion,
      DeviceManufacturer,
      DeviceModel,
      DeviceEmailAddress,
      DeviceSecurityStatus,
      DeviceRiskLevel,
      TargetEmailAddress,
      TargetPlatform,
      ActorType,
      ActorGuid,
      ChangeType  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutSmishingAlertV2.yaml
kind: Scheduled
queryPeriod: 15m
version: 2.0.3
name: Lookout - Critical Smishing and Phishing Alerts (v2)
queryFrequency: 5m
triggerThreshold: 0
relevantTechniques:
- T1660
- T1417
- T1423
description: |
    'Detects critical smishing (SMS phishing) and phishing alerts from Lookout Mobile Risk API v2. This rule identifies sophisticated social engineering attacks including CEO fraud, credential harvesting, and malicious link campaigns targeting mobile devices. Leverages enhanced v2 smishing detection capabilities for comprehensive mobile threat protection.'
triggerOperator: gt

ARM