Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Brand Intelligence - Domain Impersonation Medium Rule

Back
Id8f97ddbe-ab66-4f6c-b675-73b5eeb07259
RulenameCYFIRMA - Brand Intelligence - Domain Impersonation Medium Rule
Description“This analytics rule detects high-risk domain impersonation activity, where newly registered or existing domains closely resemble the legitimate brand name or organizational assets.

These suspicious domains may use typosquatting, homoglyphs, or brand keywords to mislead users, steal credentials, or host phishing/malicious content.

The domains are identified through CYFIRMA’s external threat intelligence feeds and flagged due to potential misuse in impersonation, fraud, or social engineering attacks targeting employees, customers, or partners.

Early detection of these domains enables proactive mitigation measures such as domain takedown, DNS blocking, and awareness campaigns.”
SeverityMedium
TacticsResourceDevelopment
InitialAccess
CommandAndControl
TechniquesT1583.001
T1586.002
T1566.002
T1566.001
T1071.003
T1071.001
Required data connectorsCyfirmaBrandIntelligenceAlertsDC
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIDomainImpersonationMediumRule.yaml
Version1.0.0
Arm template8f97ddbe-ab66-4f6c-b675-73b5eeb07259.json
Deploy To Azure
// Medium severity Brand Intelligence - Domain Impersonation
let timeFrame = 5m;
CyfirmaBIDomainITAssetAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    Domain=domain,
    DRDomain=dr_domain,
    DRSubDomain=dr_sub_domain,
    DomainSquat=signature,
    HostProvider=host_provider,
    RegisteredDate=registered_date,
    CreatedDate=created_date,
    ThreatActor=suspected_threat_actor,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT'
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    Domain,
    DRDomain,
    DRSubDomain,
    DomainSquat,
    HostProvider,
    RegisteredDate,
    CreatedDate,
    ThreatActor,
    ProductName,
    ProviderName
tactics:
- ResourceDevelopment
- InitialAccess
- CommandAndControl
name: CYFIRMA - Brand Intelligence - Domain Impersonation Medium Rule
id: 8f97ddbe-ab66-4f6c-b675-73b5eeb07259
requiredDataConnectors:
- connectorId: CyfirmaBrandIntelligenceAlertsDC
  dataTypes:
  - CyfirmaBIDomainITAssetAlerts_CL
query: |
  // Medium severity Brand Intelligence - Domain Impersonation
  let timeFrame = 5m;
  CyfirmaBIDomainITAssetAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      Domain=domain,
      DRDomain=dr_domain,
      DRSubDomain=dr_sub_domain,
      DomainSquat=signature,
      HostProvider=host_provider,
      RegisteredDate=registered_date,
      CreatedDate=created_date,
      ThreatActor=suspected_threat_actor,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      Domain,
      DRDomain,
      DRSubDomain,
      DomainSquat,
      HostProvider,
      RegisteredDate,
      CreatedDate,
      ThreatActor,
      ProductName,
      ProviderName  
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1583.001
- T1586.002
- T1566.002
- T1566.001
- T1071.003
- T1071.001
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: 5h
    enabled: false
description: |
  "This analytics rule detects high-risk domain impersonation activity, where newly registered or existing domains closely resemble the legitimate brand name or organizational assets. 
  These suspicious domains may use typosquatting, homoglyphs, or brand keywords to mislead users, steal credentials, or host phishing/malicious content. 
  The domains are identified through CYFIRMA's external threat intelligence feeds and flagged due to potential misuse in impersonation, fraud, or social engineering attacks targeting employees, customers, or partners. 
  Early detection of these domains enables proactive mitigation measures such as domain takedown, DNS blocking, and awareness campaigns."  
triggerOperator: gt
queryPeriod: 5m
severity: Medium
entityMappings:
- fieldMappings:
  - identifier: DomainName
    columnName: Domain
  entityType: DNS
- fieldMappings:
  - identifier: DomainName
    columnName: DomainSquat
  entityType: DNS
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIDomainImpersonationMediumRule.yaml
version: 1.0.0
alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Alert - Malicious Domain Impersonation of Corporate Brand - Domain Squat: {{DomainSquat}} '
  alertDescriptionFormat: '{{Description}} '
triggerThreshold: 0
queryFrequency: 5m
kind: Scheduled
status: Available
customDetails:
  TimeGenerated: TimeGenerated
  RegisteredDate: RegisteredDate
  DRDomain: DRDomain
  Description: Description
  DRSubDomain: DRSubDomain
  AlertUID: AlertUID
  UID: UID
  HostProvider: HostProvider
  LastSeen: LastSeen
  Domain: Domain
  DomainSquat: DomainSquat
  RiskScore: RiskScore
  ThreatActor: ThreatActor
  CreatedDate: CreatedDate
  FirstSeen: FirstSeen
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8f97ddbe-ab66-4f6c-b675-73b5eeb07259')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8f97ddbe-ab66-4f6c-b675-73b5eeb07259')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{Description}} ",
          "alertDisplayNameFormat": "CYFIRMA - Medium Severity Alert - Malicious Domain Impersonation of Corporate Brand - Domain Squat: {{DomainSquat}} ",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "8f97ddbe-ab66-4f6c-b675-73b5eeb07259",
        "customDetails": {
          "AlertUID": "AlertUID",
          "CreatedDate": "CreatedDate",
          "Description": "Description",
          "Domain": "Domain",
          "DomainSquat": "DomainSquat",
          "DRDomain": "DRDomain",
          "DRSubDomain": "DRSubDomain",
          "FirstSeen": "FirstSeen",
          "HostProvider": "HostProvider",
          "LastSeen": "LastSeen",
          "RegisteredDate": "RegisteredDate",
          "RiskScore": "RiskScore",
          "ThreatActor": "ThreatActor",
          "TimeGenerated": "TimeGenerated",
          "UID": "UID"
        },
        "description": "\"This analytics rule detects high-risk domain impersonation activity, where newly registered or existing domains closely resemble the legitimate brand name or organizational assets. \nThese suspicious domains may use typosquatting, homoglyphs, or brand keywords to mislead users, steal credentials, or host phishing/malicious content. \nThe domains are identified through CYFIRMA's external threat intelligence feeds and flagged due to potential misuse in impersonation, fraud, or social engineering attacks targeting employees, customers, or partners. \nEarly detection of these domains enables proactive mitigation measures such as domain takedown, DNS blocking, and awareness campaigns.\"\n",
        "displayName": "CYFIRMA - Brand Intelligence - Domain Impersonation Medium Rule",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "Domain",
                "identifier": "DomainName"
              }
            ]
          },
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "DomainSquat",
                "identifier": "DomainName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIDomainImpersonationMediumRule.yaml",
        "query": "// Medium severity Brand Intelligence - Domain Impersonation\nlet timeFrame = 5m;\nCyfirmaBIDomainITAssetAlerts_CL\n| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n    Description=description,\n    FirstSeen=first_seen,\n    LastSeen=last_seen,\n    RiskScore=risk_score,\n    AlertUID=alert_uid,\n    UID=uid,\n    Domain=domain,\n    DRDomain=dr_domain,\n    DRSubDomain=dr_sub_domain,\n    DomainSquat=signature,\n    HostProvider=host_provider,\n    RegisteredDate=registered_date,\n    CreatedDate=created_date,\n    ThreatActor=suspected_threat_actor,\n    ProviderName='CYFIRMA',\n    ProductName='DeCYFIR/DeTCT'\n| project\n    TimeGenerated,\n    Description,\n    RiskScore,\n    FirstSeen,\n    LastSeen,\n    AlertUID,\n    UID,\n    Domain,\n    DRDomain,\n    DRSubDomain,\n    DomainSquat,\n    HostProvider,\n    RegisteredDate,\n    CreatedDate,\n    ThreatActor,\n    ProductName,\n    ProviderName\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [
          "T1583.001",
          "T1586.002",
          "T1566.002",
          "T1566.001",
          "T1071.003",
          "T1071.001"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl",
          "InitialAccess",
          "ResourceDevelopment"
        ],
        "techniques": [
          "T1071",
          "T1566",
          "T1583",
          "T1586"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}