CYFIRMA - Brand Intelligence - Malicious Mobile App Medium Rule

// Medium severity - Malicious Mobile App Impersonation
let timeFrame = 5m;
CyfirmaBIMaliciousMobileAppsAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=asset_value,
    Impact=impact,
    Recommendation=recommendation,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT'
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Impact,
    Recommendation,
    ProductName,
    ProviderName

name: CYFIRMA - Brand Intelligence - Malicious Mobile App Medium Rule
severity: Medium
description: |
  "This analytic rule detects instances where malicious or unauthorized mobile applications are discovered mimicking legitimate brand assets. 
  Such impersonations may be distributed through unofficial app stores or third-party websites, potentially deceiving customers, harvesting sensitive data, or damaging brand reputation. 
  This alert is triggered when CYFIRMA threat intelligence identifies a suspicious mobile app associated with the organization's brand or product names."  
version: 1.0.1
customDetails:
  AlertUID: AlertUID
  AssetType: AssetType
  AssetValue: AssetValue
  TimeGenerated: TimeGenerated
  LastSeen: LastSeen
  UID: UID
  Description: Description
  Impact: Impact
  FirstSeen: FirstSeen
  RiskScore: RiskScore
  Recommendation: Recommendation
requiredDataConnectors:
- dataTypes:
  - CyfirmaBIMaliciousMobileAppsAlerts_CL
  connectorId: CyfirmaBrandIntelligenceAlertsDC
tactics:
- ResourceDevelopment
- Execution
- DefenseEvasion
- CredentialAccess
- CommandAndControl
relevantTechniques:
- T1406
- T1414
- T1437
- T1583.001
- T1204.002
kind: Scheduled
triggerThreshold: 0
status: Available
queryPeriod: 5m
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
    enabled: false
  createIncident: true
alertDetailsOverride:
  alertDescriptionFormat: '{{Description}} '
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Alert: Malicious Mobile App Impersonating Brand Detected - {{AssetType}} - {{AssetValue}} '
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
triggerOperator: gt
query: |
  // Medium severity - Malicious Mobile App Impersonation
  let timeFrame = 5m;
  CyfirmaBIMaliciousMobileAppsAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=asset_value,
      Impact=impact,
      Recommendation=recommendation,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT'
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Impact,
      Recommendation,
      ProductName,
      ProviderName  
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Brand Intelligence/Analytic Rules/BIMaliciousMobileAppMediumRule.yaml
id: b73e6628-d44c-4ad3-a801-ea225c5744ee