CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule

// Medium severity - Social and Public Exposure - Social Media Threats Activity Detected
let timeFrame = 5m;
CyfirmaSPESocialThreatAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Source=source,
    Impact=impact,
    Recommendation=recommendation,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Source,
    Impact,
    Recommendation,
    ProductName,
    ProviderName,
    AlertTitle

queryPeriod: 5m
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
    enabled: false
  createIncident: true
severity: Medium
description: |
  "This rule detects medium-severity social threat alerts from CYFIRMA related to impersonation, fake profiles, or malicious activities on social platforms that may target executives, brands, or employees. 
  These threats can result in reputational damage, phishing, or social engineering attacks. 
  Immediate investigation and takedown are recommended to minimize risk."  
status: Available
triggerOperator: gt
kind: Scheduled
tactics:
- ResourceDevelopment
- Reconnaissance
- InitialAccess
- Impact
relevantTechniques:
- T1585.001
- T1593
- T1566
- T1582
- T1491
id: b8149f2f-54da-4f7b-98e1-c01ca47e1e55
triggerThreshold: 0
queryFrequency: 5m
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESocialMediaThreatsMediumRule.yaml
query: |
  // Medium severity - Social and Public Exposure - Social Media Threats Activity Detected
  let timeFrame = 5m;
  CyfirmaSPESocialThreatAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact=impact,
      Recommendation=recommendation,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Source,
      Impact,
      Recommendation,
      ProductName,
      ProviderName,
      AlertTitle  
customDetails:
  LastSeen: LastSeen
  AssetValue: AssetValue
  Description: Description
  AssetType: AssetType
  RiskScore: RiskScore
  TimeGenerated: TimeGenerated
  AlertUID: AlertUID
  Source: Source
  UID: UID
  Impact: Impact
  Recommendation: Recommendation
  FirstSeen: FirstSeen
requiredDataConnectors:
- dataTypes:
  - CyfirmaSPESocialThreatAlerts_CL
  connectorId: CyfirmaDigitalRiskAlertsConnector
alertDetailsOverride:
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Alert: Social Media Threat Activity Detected - {{AlertTitle}} '
  alertDescriptionFormat: '{{Description}} '
eventGroupingSettings:
  aggregationKind: AlertPerResult
name: CYFIRMA - Social and Public Exposure -  Social Media Threats  Activity Detected Rule