CYFIRMA - Brand Intelligence - Domain Impersonation Medium Rule
| Id | 8f97ddbe-ab66-4f6c-b675-73b5eeb07259 |
| Rulename | CYFIRMA - Brand Intelligence - Domain Impersonation Medium Rule |
| Description | “This analytics rule detects high-risk domain impersonation activity, where newly registered or existing domains closely resemble the legitimate brand name or organizational assets. These suspicious domains may use typosquatting, homoglyphs, or brand keywords to mislead users, steal credentials, or host phishing/malicious content. The domains are identified through CYFIRMA’s external threat intelligence feeds and flagged due to potential misuse in impersonation, fraud, or social engineering attacks targeting employees, customers, or partners. Early detection of these domains enables proactive mitigation measures such as domain takedown, DNS blocking, and awareness campaigns.” |
| Severity | Medium |
| Tactics | ResourceDevelopment InitialAccess CommandAndControl |
| Techniques | T1583.001 T1586.002 T1566.002 T1566.001 T1071.003 T1071.001 |
| Required data connectors | CyfirmaBrandIntelligenceAlertsDC |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIDomainImpersonationMediumRule.yaml |
| Version | 1.0.0 |
| Arm template | 8f97ddbe-ab66-4f6c-b675-73b5eeb07259.json |
// Medium severity Brand Intelligence - Domain Impersonation
let timeFrame = 5m;
CyfirmaBIDomainITAssetAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
Domain=domain,
DRDomain=dr_domain,
DRSubDomain=dr_sub_domain,
DomainSquat=signature,
HostProvider=host_provider,
RegisteredDate=registered_date,
CreatedDate=created_date,
ThreatActor=suspected_threat_actor,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT'
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
Domain,
DRDomain,
DRSubDomain,
DomainSquat,
HostProvider,
RegisteredDate,
CreatedDate,
ThreatActor,
ProductName,
ProviderName
tactics:
- ResourceDevelopment
- InitialAccess
- CommandAndControl
name: CYFIRMA - Brand Intelligence - Domain Impersonation Medium Rule
id: 8f97ddbe-ab66-4f6c-b675-73b5eeb07259
requiredDataConnectors:
- connectorId: CyfirmaBrandIntelligenceAlertsDC
dataTypes:
- CyfirmaBIDomainITAssetAlerts_CL
query: |
// Medium severity Brand Intelligence - Domain Impersonation
let timeFrame = 5m;
CyfirmaBIDomainITAssetAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
Domain=domain,
DRDomain=dr_domain,
DRSubDomain=dr_sub_domain,
DomainSquat=signature,
HostProvider=host_provider,
RegisteredDate=registered_date,
CreatedDate=created_date,
ThreatActor=suspected_threat_actor,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT'
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
Domain,
DRDomain,
DRSubDomain,
DomainSquat,
HostProvider,
RegisteredDate,
CreatedDate,
ThreatActor,
ProductName,
ProviderName
eventGroupingSettings:
aggregationKind: AlertPerResult
relevantTechniques:
- T1583.001
- T1586.002
- T1566.002
- T1566.001
- T1071.003
- T1071.001
incidentConfiguration:
createIncident: true
groupingConfiguration:
matchingMethod: AllEntities
reopenClosedIncident: false
lookbackDuration: 5h
enabled: false
description: |
"This analytics rule detects high-risk domain impersonation activity, where newly registered or existing domains closely resemble the legitimate brand name or organizational assets.
These suspicious domains may use typosquatting, homoglyphs, or brand keywords to mislead users, steal credentials, or host phishing/malicious content.
The domains are identified through CYFIRMA's external threat intelligence feeds and flagged due to potential misuse in impersonation, fraud, or social engineering attacks targeting employees, customers, or partners.
Early detection of these domains enables proactive mitigation measures such as domain takedown, DNS blocking, and awareness campaigns."
triggerOperator: gt
queryPeriod: 5m
severity: Medium
entityMappings:
- fieldMappings:
- identifier: DomainName
columnName: Domain
entityType: DNS
- fieldMappings:
- identifier: DomainName
columnName: DomainSquat
entityType: DNS
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIDomainImpersonationMediumRule.yaml
version: 1.0.0
alertDetailsOverride:
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
alertDisplayNameFormat: 'CYFIRMA - Medium Severity Alert - Malicious Domain Impersonation of Corporate Brand - Domain Squat: {{DomainSquat}} '
alertDescriptionFormat: '{{Description}} '
triggerThreshold: 0
queryFrequency: 5m
kind: Scheduled
status: Available
customDetails:
TimeGenerated: TimeGenerated
RegisteredDate: RegisteredDate
DRDomain: DRDomain
Description: Description
DRSubDomain: DRSubDomain
AlertUID: AlertUID
UID: UID
HostProvider: HostProvider
LastSeen: LastSeen
Domain: Domain
DomainSquat: DomainSquat
RiskScore: RiskScore
ThreatActor: ThreatActor
CreatedDate: CreatedDate
FirstSeen: FirstSeen
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8f97ddbe-ab66-4f6c-b675-73b5eeb07259')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8f97ddbe-ab66-4f6c-b675-73b5eeb07259')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{Description}} ",
"alertDisplayNameFormat": "CYFIRMA - Medium Severity Alert - Malicious Domain Impersonation of Corporate Brand - Domain Squat: {{DomainSquat}} ",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "8f97ddbe-ab66-4f6c-b675-73b5eeb07259",
"customDetails": {
"AlertUID": "AlertUID",
"CreatedDate": "CreatedDate",
"Description": "Description",
"Domain": "Domain",
"DomainSquat": "DomainSquat",
"DRDomain": "DRDomain",
"DRSubDomain": "DRSubDomain",
"FirstSeen": "FirstSeen",
"HostProvider": "HostProvider",
"LastSeen": "LastSeen",
"RegisteredDate": "RegisteredDate",
"RiskScore": "RiskScore",
"ThreatActor": "ThreatActor",
"TimeGenerated": "TimeGenerated",
"UID": "UID"
},
"description": "\"This analytics rule detects high-risk domain impersonation activity, where newly registered or existing domains closely resemble the legitimate brand name or organizational assets. \nThese suspicious domains may use typosquatting, homoglyphs, or brand keywords to mislead users, steal credentials, or host phishing/malicious content. \nThe domains are identified through CYFIRMA's external threat intelligence feeds and flagged due to potential misuse in impersonation, fraud, or social engineering attacks targeting employees, customers, or partners. \nEarly detection of these domains enables proactive mitigation measures such as domain takedown, DNS blocking, and awareness campaigns.\"\n",
"displayName": "CYFIRMA - Brand Intelligence - Domain Impersonation Medium Rule",
"enabled": true,
"entityMappings": [
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "Domain",
"identifier": "DomainName"
}
]
},
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "DomainSquat",
"identifier": "DomainName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIDomainImpersonationMediumRule.yaml",
"query": "// Medium severity Brand Intelligence - Domain Impersonation\nlet timeFrame = 5m;\nCyfirmaBIDomainITAssetAlerts_CL\n| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n Description=description,\n FirstSeen=first_seen,\n LastSeen=last_seen,\n RiskScore=risk_score,\n AlertUID=alert_uid,\n UID=uid,\n Domain=domain,\n DRDomain=dr_domain,\n DRSubDomain=dr_sub_domain,\n DomainSquat=signature,\n HostProvider=host_provider,\n RegisteredDate=registered_date,\n CreatedDate=created_date,\n ThreatActor=suspected_threat_actor,\n ProviderName='CYFIRMA',\n ProductName='DeCYFIR/DeTCT'\n| project\n TimeGenerated,\n Description,\n RiskScore,\n FirstSeen,\n LastSeen,\n AlertUID,\n UID,\n Domain,\n DRDomain,\n DRSubDomain,\n DomainSquat,\n HostProvider,\n RegisteredDate,\n CreatedDate,\n ThreatActor,\n ProductName,\n ProviderName\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"status": "Available",
"subTechniques": [
"T1583.001",
"T1586.002",
"T1566.002",
"T1566.001",
"T1071.003",
"T1071.001"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl",
"InitialAccess",
"ResourceDevelopment"
],
"techniques": [
"T1071",
"T1566",
"T1583",
"T1586"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}