CYFIRMA - Brand Intelligence - Domain Impersonation Medium Rule
| Id | 8f97ddbe-ab66-4f6c-b675-73b5eeb07259 |
| Rulename | CYFIRMA - Brand Intelligence - Domain Impersonation Medium Rule |
| Description | “This analytics rule detects high-risk domain impersonation activity, where newly registered or existing domains closely resemble the legitimate brand name or organizational assets. These suspicious domains may use typosquatting, homoglyphs, or brand keywords to mislead users, steal credentials, or host phishing/malicious content. The domains are identified through CYFIRMA’s external threat intelligence feeds and flagged due to potential misuse in impersonation, fraud, or social engineering attacks targeting employees, customers, or partners. Early detection of these domains enables proactive mitigation measures such as domain takedown, DNS blocking, and awareness campaigns.” |
| Severity | Medium |
| Tactics | ResourceDevelopment InitialAccess CommandAndControl |
| Techniques | T1583.001 T1586.002 T1566.002 T1566.001 T1071.003 T1071.001 |
| Required data connectors | CyfirmaBrandIntelligenceAlertsDC |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIDomainImpersonationMediumRule.yaml |
| Version | 1.0.1 |
| Arm template | 8f97ddbe-ab66-4f6c-b675-73b5eeb07259.json |
// Medium severity Brand Intelligence - Domain Impersonation
let timeFrame = 5m;
CyfirmaBIDomainITAssetAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
Domain=domain,
DRDomain=dr_domain,
DRSubDomain=dr_sub_domain,
DomainSquat=signature,
HostProvider=host_provider,
RegisteredDate=registered_date,
CreatedDate=created_date,
ThreatActor=suspected_threat_actor,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT'
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
Domain,
DRDomain,
DRSubDomain,
DomainSquat,
HostProvider,
RegisteredDate,
CreatedDate,
ThreatActor,
ProductName,
ProviderName
kind: Scheduled
customDetails:
DRSubDomain: DRSubDomain
ThreatActor: ThreatActor
AlertUID: AlertUID
LastSeen: LastSeen
Description: Description
TimeGenerated: TimeGenerated
FirstSeen: FirstSeen
RiskScore: RiskScore
CreatedDate: CreatedDate
DRDomain: DRDomain
DomainSquat: DomainSquat
RegisteredDate: RegisteredDate
HostProvider: HostProvider
Domain: Domain
UID: UID
alertDetailsOverride:
alertDisplayNameFormat: 'CYFIRMA - Medium Severity Alert - Malicious Domain Impersonation of Corporate Brand - Domain Squat: {{DomainSquat}} '
alertDescriptionFormat: '{{Description}} '
alertDynamicProperties:
- value: ProductName
alertProperty: ProductName
- value: ProviderName
alertProperty: ProviderName
entityMappings:
- entityType: DNS
fieldMappings:
- columnName: Domain
identifier: DomainName
- entityType: DNS
fieldMappings:
- columnName: DomainSquat
identifier: DomainName
description: |
"This analytics rule detects high-risk domain impersonation activity, where newly registered or existing domains closely resemble the legitimate brand name or organizational assets.
These suspicious domains may use typosquatting, homoglyphs, or brand keywords to mislead users, steal credentials, or host phishing/malicious content.
The domains are identified through CYFIRMA's external threat intelligence feeds and flagged due to potential misuse in impersonation, fraud, or social engineering attacks targeting employees, customers, or partners.
Early detection of these domains enables proactive mitigation measures such as domain takedown, DNS blocking, and awareness campaigns."
severity: Medium
queryFrequency: 5m
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: PT5H
enabled: false
createIncident: true
triggerThreshold: 0
relevantTechniques:
- T1583.001
- T1586.002
- T1566.002
- T1566.001
- T1071.003
- T1071.001
eventGroupingSettings:
aggregationKind: AlertPerResult
status: Available
version: 1.0.1
name: CYFIRMA - Brand Intelligence - Domain Impersonation Medium Rule
id: 8f97ddbe-ab66-4f6c-b675-73b5eeb07259
query: |
// Medium severity Brand Intelligence - Domain Impersonation
let timeFrame = 5m;
CyfirmaBIDomainITAssetAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
Domain=domain,
DRDomain=dr_domain,
DRSubDomain=dr_sub_domain,
DomainSquat=signature,
HostProvider=host_provider,
RegisteredDate=registered_date,
CreatedDate=created_date,
ThreatActor=suspected_threat_actor,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT'
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
Domain,
DRDomain,
DRSubDomain,
DomainSquat,
HostProvider,
RegisteredDate,
CreatedDate,
ThreatActor,
ProductName,
ProviderName
requiredDataConnectors:
- dataTypes:
- CyfirmaBIDomainITAssetAlerts_CL
connectorId: CyfirmaBrandIntelligenceAlertsDC
tactics:
- ResourceDevelopment
- InitialAccess
- CommandAndControl
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIDomainImpersonationMediumRule.yaml
queryPeriod: 5m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8f97ddbe-ab66-4f6c-b675-73b5eeb07259')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8f97ddbe-ab66-4f6c-b675-73b5eeb07259')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{Description}} ",
"alertDisplayNameFormat": "CYFIRMA - Medium Severity Alert - Malicious Domain Impersonation of Corporate Brand - Domain Squat: {{DomainSquat}} ",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "8f97ddbe-ab66-4f6c-b675-73b5eeb07259",
"customDetails": {
"AlertUID": "AlertUID",
"CreatedDate": "CreatedDate",
"Description": "Description",
"Domain": "Domain",
"DomainSquat": "DomainSquat",
"DRDomain": "DRDomain",
"DRSubDomain": "DRSubDomain",
"FirstSeen": "FirstSeen",
"HostProvider": "HostProvider",
"LastSeen": "LastSeen",
"RegisteredDate": "RegisteredDate",
"RiskScore": "RiskScore",
"ThreatActor": "ThreatActor",
"TimeGenerated": "TimeGenerated",
"UID": "UID"
},
"description": "\"This analytics rule detects high-risk domain impersonation activity, where newly registered or existing domains closely resemble the legitimate brand name or organizational assets. \nThese suspicious domains may use typosquatting, homoglyphs, or brand keywords to mislead users, steal credentials, or host phishing/malicious content. \nThe domains are identified through CYFIRMA's external threat intelligence feeds and flagged due to potential misuse in impersonation, fraud, or social engineering attacks targeting employees, customers, or partners. \nEarly detection of these domains enables proactive mitigation measures such as domain takedown, DNS blocking, and awareness campaigns.\"\n",
"displayName": "CYFIRMA - Brand Intelligence - Domain Impersonation Medium Rule",
"enabled": true,
"entityMappings": [
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "Domain",
"identifier": "DomainName"
}
]
},
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "DomainSquat",
"identifier": "DomainName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIDomainImpersonationMediumRule.yaml",
"query": "// Medium severity Brand Intelligence - Domain Impersonation\nlet timeFrame = 5m;\nCyfirmaBIDomainITAssetAlerts_CL\n| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n Description=description,\n FirstSeen=first_seen,\n LastSeen=last_seen,\n RiskScore=risk_score,\n AlertUID=alert_uid,\n UID=uid,\n Domain=domain,\n DRDomain=dr_domain,\n DRSubDomain=dr_sub_domain,\n DomainSquat=signature,\n HostProvider=host_provider,\n RegisteredDate=registered_date,\n CreatedDate=created_date,\n ThreatActor=suspected_threat_actor,\n ProviderName='CYFIRMA',\n ProductName='DeCYFIR/DeTCT'\n| project\n TimeGenerated,\n Description,\n RiskScore,\n FirstSeen,\n LastSeen,\n AlertUID,\n UID,\n Domain,\n DRDomain,\n DRSubDomain,\n DomainSquat,\n HostProvider,\n RegisteredDate,\n CreatedDate,\n ThreatActor,\n ProductName,\n ProviderName\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"status": "Available",
"subTechniques": [
"T1583.001",
"T1586.002",
"T1566.002",
"T1566.001",
"T1071.003",
"T1071.001"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"InitialAccess",
"ResourceDevelopment"
],
"techniques": [
"T1071",
"T1566",
"T1583",
"T1586"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}