CYFIRMA - Brand Intelligence - Domain Impersonation Medium Rule
| Id | 8f97ddbe-ab66-4f6c-b675-73b5eeb07259 |
| Rulename | CYFIRMA - Brand Intelligence - Domain Impersonation Medium Rule |
| Description | “This analytics rule detects high-risk domain impersonation activity, where newly registered or existing domains closely resemble the legitimate brand name or organizational assets. These suspicious domains may use typosquatting, homoglyphs, or brand keywords to mislead users, steal credentials, or host phishing/malicious content. The domains are identified through CYFIRMA’s external threat intelligence feeds and flagged due to potential misuse in impersonation, fraud, or social engineering attacks targeting employees, customers, or partners. Early detection of these domains enables proactive mitigation measures such as domain takedown, DNS blocking, and awareness campaigns.” |
| Severity | Medium |
| Tactics | ResourceDevelopment InitialAccess CommandAndControl |
| Techniques | T1583.001 T1586.002 T1566.002 T1566.001 T1071.003 T1071.001 |
| Required data connectors | CyfirmaBrandIntelligenceAlertsDC |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIDomainImpersonationMediumRule.yaml |
| Version | 1.0.1 |
| Arm template | 8f97ddbe-ab66-4f6c-b675-73b5eeb07259.json |
// Medium severity Brand Intelligence - Domain Impersonation
let timeFrame = 5m;
CyfirmaBIDomainITAssetAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
Domain=domain,
DRDomain=dr_domain,
DRSubDomain=dr_sub_domain,
DomainSquat=signature,
HostProvider=host_provider,
RegisteredDate=registered_date,
CreatedDate=created_date,
ThreatActor=suspected_threat_actor,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT'
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
Domain,
DRDomain,
DRSubDomain,
DomainSquat,
HostProvider,
RegisteredDate,
CreatedDate,
ThreatActor,
ProductName,
ProviderName
name: CYFIRMA - Brand Intelligence - Domain Impersonation Medium Rule
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride:
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
alertDisplayNameFormat: 'CYFIRMA - Medium Severity Alert - Malicious Domain Impersonation of Corporate Brand - Domain Squat: {{DomainSquat}} '
alertDescriptionFormat: '{{Description}} '
id: 8f97ddbe-ab66-4f6c-b675-73b5eeb07259
requiredDataConnectors:
- connectorId: CyfirmaBrandIntelligenceAlertsDC
dataTypes:
- CyfirmaBIDomainITAssetAlerts_CL
severity: Medium
triggerThreshold: 0
version: 1.0.1
description: |
"This analytics rule detects high-risk domain impersonation activity, where newly registered or existing domains closely resemble the legitimate brand name or organizational assets.
These suspicious domains may use typosquatting, homoglyphs, or brand keywords to mislead users, steal credentials, or host phishing/malicious content.
The domains are identified through CYFIRMA's external threat intelligence feeds and flagged due to potential misuse in impersonation, fraud, or social engineering attacks targeting employees, customers, or partners.
Early detection of these domains enables proactive mitigation measures such as domain takedown, DNS blocking, and awareness campaigns."
relevantTechniques:
- T1583.001
- T1586.002
- T1566.002
- T1566.001
- T1071.003
- T1071.001
kind: Scheduled
queryPeriod: 5m
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: false
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: PT5H
tactics:
- ResourceDevelopment
- InitialAccess
- CommandAndControl
customDetails:
AlertUID: AlertUID
LastSeen: LastSeen
CreatedDate: CreatedDate
DRDomain: DRDomain
UID: UID
DRSubDomain: DRSubDomain
Domain: Domain
ThreatActor: ThreatActor
Description: Description
FirstSeen: FirstSeen
RegisteredDate: RegisteredDate
RiskScore: RiskScore
DomainSquat: DomainSquat
TimeGenerated: TimeGenerated
HostProvider: HostProvider
queryFrequency: 5m
entityMappings:
- fieldMappings:
- identifier: DomainName
columnName: Domain
entityType: DNS
- fieldMappings:
- identifier: DomainName
columnName: DomainSquat
entityType: DNS
status: Available
triggerOperator: gt
query: |
// Medium severity Brand Intelligence - Domain Impersonation
let timeFrame = 5m;
CyfirmaBIDomainITAssetAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
Domain=domain,
DRDomain=dr_domain,
DRSubDomain=dr_sub_domain,
DomainSquat=signature,
HostProvider=host_provider,
RegisteredDate=registered_date,
CreatedDate=created_date,
ThreatActor=suspected_threat_actor,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT'
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
Domain,
DRDomain,
DRSubDomain,
DomainSquat,
HostProvider,
RegisteredDate,
CreatedDate,
ThreatActor,
ProductName,
ProviderName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIDomainImpersonationMediumRule.yaml
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8f97ddbe-ab66-4f6c-b675-73b5eeb07259')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8f97ddbe-ab66-4f6c-b675-73b5eeb07259')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{Description}} ",
"alertDisplayNameFormat": "CYFIRMA - Medium Severity Alert - Malicious Domain Impersonation of Corporate Brand - Domain Squat: {{DomainSquat}} ",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "8f97ddbe-ab66-4f6c-b675-73b5eeb07259",
"customDetails": {
"AlertUID": "AlertUID",
"CreatedDate": "CreatedDate",
"Description": "Description",
"Domain": "Domain",
"DomainSquat": "DomainSquat",
"DRDomain": "DRDomain",
"DRSubDomain": "DRSubDomain",
"FirstSeen": "FirstSeen",
"HostProvider": "HostProvider",
"LastSeen": "LastSeen",
"RegisteredDate": "RegisteredDate",
"RiskScore": "RiskScore",
"ThreatActor": "ThreatActor",
"TimeGenerated": "TimeGenerated",
"UID": "UID"
},
"description": "\"This analytics rule detects high-risk domain impersonation activity, where newly registered or existing domains closely resemble the legitimate brand name or organizational assets. \nThese suspicious domains may use typosquatting, homoglyphs, or brand keywords to mislead users, steal credentials, or host phishing/malicious content. \nThe domains are identified through CYFIRMA's external threat intelligence feeds and flagged due to potential misuse in impersonation, fraud, or social engineering attacks targeting employees, customers, or partners. \nEarly detection of these domains enables proactive mitigation measures such as domain takedown, DNS blocking, and awareness campaigns.\"\n",
"displayName": "CYFIRMA - Brand Intelligence - Domain Impersonation Medium Rule",
"enabled": true,
"entityMappings": [
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "Domain",
"identifier": "DomainName"
}
]
},
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "DomainSquat",
"identifier": "DomainName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIDomainImpersonationMediumRule.yaml",
"query": "// Medium severity Brand Intelligence - Domain Impersonation\nlet timeFrame = 5m;\nCyfirmaBIDomainITAssetAlerts_CL\n| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n Description=description,\n FirstSeen=first_seen,\n LastSeen=last_seen,\n RiskScore=risk_score,\n AlertUID=alert_uid,\n UID=uid,\n Domain=domain,\n DRDomain=dr_domain,\n DRSubDomain=dr_sub_domain,\n DomainSquat=signature,\n HostProvider=host_provider,\n RegisteredDate=registered_date,\n CreatedDate=created_date,\n ThreatActor=suspected_threat_actor,\n ProviderName='CYFIRMA',\n ProductName='DeCYFIR/DeTCT'\n| project\n TimeGenerated,\n Description,\n RiskScore,\n FirstSeen,\n LastSeen,\n AlertUID,\n UID,\n Domain,\n DRDomain,\n DRSubDomain,\n DomainSquat,\n HostProvider,\n RegisteredDate,\n CreatedDate,\n ThreatActor,\n ProductName,\n ProviderName\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"status": "Available",
"subTechniques": [
"T1583.001",
"T1586.002",
"T1566.002",
"T1566.001",
"T1071.003",
"T1071.001"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"InitialAccess",
"ResourceDevelopment"
],
"techniques": [
"T1071",
"T1566",
"T1583",
"T1586"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}