Lookout - Critical Smishing and Phishing Alerts v2

Back


Id	7a3e5f9b-4c8d-4a2e-9f1b-6d8e2a4c7f9e
Rulename	Lookout - Critical Smishing and Phishing Alerts (v2)
Description	Detects critical smishing (SMS phishing) and phishing alerts from Lookout Mobile Risk API v2. This rule identifies sophisticated social engineering attacks including CEO fraud, credential harvesting, and malicious link campaigns targeting mobile devices. Leverages enhanced v2 smishing detection capabilities for comprehensive mobile threat protection.
Severity	High
Tactics	InitialAccess CredentialAccess Collection Discovery
Techniques	T1660 T1417 T1423
Required data connectors	LookoutAPI
Kind	Scheduled
Query frequency	5m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutSmishingAlertV2.yaml
Version	2.0.3
Arm template	7a3e5f9b-4c8d-4a2e-9f1b-6d8e2a4c7f9e.json

KQL

LookoutEvents
| where EventType == "SMISHING_ALERT"
| where SmishingAlertSeverity in ("CRITICAL", "HIGH")
| where SmishingAlertType in ("PHISHING_DETECTION", "FRAUD_DETECTION", "CREDENTIAL_HARVESTING")
| extend 
    AlertRiskScore = case(
        SmishingAlertSeverity == "CRITICAL", 10,
        SmishingAlertSeverity == "HIGH", 8,
        SmishingAlertSeverity == "MEDIUM", 5,
        SmishingAlertSeverity == "LOW", 2,
        1
    ),
    ThreatCategory = case(
        SmishingAlertType == "PHISHING_DETECTION", "Phishing",
        SmishingAlertType == "FRAUD_DETECTION", "Fraud",
        SmishingAlertType == "CREDENTIAL_HARVESTING", "Credential Theft",
        SmishingAlertType == "MALICIOUS_LINK", "Malicious Link",
        "Other"
    ),
    ImpersonationRisk = case(
        SmishingAlertDescription has "CEO" or SmishingAlertDescription has "executive", "Executive Impersonation",
        SmishingAlertDescription has "IT" or SmishingAlertDescription has "support", "IT Support Impersonation", 
        SmishingAlertDescription has "bank" or SmishingAlertDescription has "financial", "Financial Impersonation",
        SmishingAlertDescription has "delivery" or SmishingAlertDescription has "package", "Delivery Impersonation",
        "Generic Phishing"
    )
| extend DeviceRiskLevel = case(
    DeviceSecurityStatus == "THREATS_HIGH", "High",
    DeviceSecurityStatus == "THREATS_MEDIUM", "Medium", 
    DeviceSecurityStatus == "THREATS_LOW", "Low",
    "Unknown"
)
| extend CampaignIndicators = case(
    AlertRiskScore >= 8 and DeviceRiskLevel == "High", "Targeted Campaign",
    AlertRiskScore >= 6 and ImpersonationRisk != "Generic Phishing", "Sophisticated Attack",
    AlertRiskScore >= 5, "Coordinated Threat",
    "Isolated Incident"
)
| project
    TimeGenerated,
    EventId,
    SmishingAlertId,
    SmishingAlertType,
    SmishingAlertSeverity,
    SmishingAlertDescription,
    AlertRiskScore,
    ThreatCategory,
    ImpersonationRisk,
    CampaignIndicators,
    DeviceGuid,
    DevicePlatform,
    DeviceOSVersion,
    DeviceManufacturer,
    DeviceModel,
    DeviceEmailAddress,
    DeviceSecurityStatus,
    DeviceRiskLevel,
    TargetEmailAddress,
    TargetPlatform,
    ActorType,
    ActorGuid,
    ChangeType

YAML

relevantTechniques:
- T1660
- T1417
- T1423
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: DeviceEmailAddress
    identifier: FullName
  - columnName: TargetEmailAddress
    identifier: Name
- entityType: Host
  fieldMappings:
  - columnName: DeviceGuid
    identifier: HostName
  - columnName: DevicePlatform
    identifier: OSFamily
  - columnName: DeviceOSVersion
    identifier: OSVersion
- entityType: URL
  fieldMappings:
  - columnName: SmishingAlertDescription
    identifier: Url
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 2.0.3
suppressionDuration: PT1H
id: 7a3e5f9b-4c8d-4a2e-9f1b-6d8e2a4c7f9e
suppressionEnabled: false
severity: High
kind: Scheduled
queryFrequency: 5m
description: |
    'Detects critical smishing (SMS phishing) and phishing alerts from Lookout Mobile Risk API v2. This rule identifies sophisticated social engineering attacks including CEO fraud, credential harvesting, and malicious link campaigns targeting mobile devices. Leverages enhanced v2 smishing detection capabilities for comprehensive mobile threat protection.'
requiredDataConnectors:
- connectorId: LookoutAPI
  dataTypes:
  - LookoutEvents
triggerOperator: gt
name: Lookout - Critical Smishing and Phishing Alerts (v2)
tactics:
- InitialAccess
- CredentialAccess
- Collection
- Discovery
alertDetailsOverride:
  alertDescriptionFormat: '{{SmishingAlertSeverity}} {{ThreatCategory}} attack on {{DevicePlatform}}'
  alertTacticsColumnName: ThreatCategory
  alertSeverityColumnName: SmishingAlertSeverity
  alertDisplayNameFormat: 'Critical Smishing Alert: {{ThreatCategory}} targeting {{DevicePlatform}} Device'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutSmishingAlertV2.yaml
triggerThreshold: 0
queryPeriod: 15m
query: |
  LookoutEvents
  | where EventType == "SMISHING_ALERT"
  | where SmishingAlertSeverity in ("CRITICAL", "HIGH")
  | where SmishingAlertType in ("PHISHING_DETECTION", "FRAUD_DETECTION", "CREDENTIAL_HARVESTING")
  | extend 
      AlertRiskScore = case(
          SmishingAlertSeverity == "CRITICAL", 10,
          SmishingAlertSeverity == "HIGH", 8,
          SmishingAlertSeverity == "MEDIUM", 5,
          SmishingAlertSeverity == "LOW", 2,
          1
      ),
      ThreatCategory = case(
          SmishingAlertType == "PHISHING_DETECTION", "Phishing",
          SmishingAlertType == "FRAUD_DETECTION", "Fraud",
          SmishingAlertType == "CREDENTIAL_HARVESTING", "Credential Theft",
          SmishingAlertType == "MALICIOUS_LINK", "Malicious Link",
          "Other"
      ),
      ImpersonationRisk = case(
          SmishingAlertDescription has "CEO" or SmishingAlertDescription has "executive", "Executive Impersonation",
          SmishingAlertDescription has "IT" or SmishingAlertDescription has "support", "IT Support Impersonation", 
          SmishingAlertDescription has "bank" or SmishingAlertDescription has "financial", "Financial Impersonation",
          SmishingAlertDescription has "delivery" or SmishingAlertDescription has "package", "Delivery Impersonation",
          "Generic Phishing"
      )
  | extend DeviceRiskLevel = case(
      DeviceSecurityStatus == "THREATS_HIGH", "High",
      DeviceSecurityStatus == "THREATS_MEDIUM", "Medium", 
      DeviceSecurityStatus == "THREATS_LOW", "Low",
      "Unknown"
  )
  | extend CampaignIndicators = case(
      AlertRiskScore >= 8 and DeviceRiskLevel == "High", "Targeted Campaign",
      AlertRiskScore >= 6 and ImpersonationRisk != "Generic Phishing", "Sophisticated Attack",
      AlertRiskScore >= 5, "Coordinated Threat",
      "Isolated Incident"
  )
  | project
      TimeGenerated,
      EventId,
      SmishingAlertId,
      SmishingAlertType,
      SmishingAlertSeverity,
      SmishingAlertDescription,
      AlertRiskScore,
      ThreatCategory,
      ImpersonationRisk,
      CampaignIndicators,
      DeviceGuid,
      DevicePlatform,
      DeviceOSVersion,
      DeviceManufacturer,
      DeviceModel,
      DeviceEmailAddress,
      DeviceSecurityStatus,
      DeviceRiskLevel,
      TargetEmailAddress,
      TargetPlatform,
      ActorType,
      ActorGuid,
      ChangeType  
status: Available
customDetails:
  ImpersonationRisk: ImpersonationRisk
  SmishSeverity: SmishingAlertSeverity
  DeviceRiskLevel: DeviceRiskLevel
  DeviceSecStatus: DeviceSecurityStatus
  AlertRiskScore: AlertRiskScore
  CampaignIndicators: CampaignIndicators
  DevicePlatform: DevicePlatform
  ThreatCategory: ThreatCategory
  SmishAlertType: SmishingAlertType
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: Selected
    groupByEntities:
    - Account
    - Host
    groupByCustomDetails:
    - ThreatCategory
    - ImpersonationRisk
    - CampaignIndicators
    groupByAlertDetails:
    - SmishAlertType
    - DeviceGuid
    reopenClosedIncident: false
    enabled: true
    lookbackDuration: P1D

ARM