CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule
| Id | b8149f2f-54da-4f7b-98e1-c01ca47e1e55 |
| Rulename | CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule |
| Description | “This rule detects medium-severity social threat alerts from CYFIRMA related to impersonation, fake profiles, or malicious activities on social platforms that may target executives, brands, or employees. These threats can result in reputational damage, phishing, or social engineering attacks. Immediate investigation and takedown are recommended to minimize risk.” |
| Severity | Medium |
| Tactics | ResourceDevelopment Reconnaissance InitialAccess Impact |
| Techniques | T1585.001 T1593 T1566 T1582 T1491 |
| Required data connectors | CyfirmaDigitalRiskAlertsConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESocialMediaThreatsMediumRule.yaml |
| Version | 1.0.1 |
| Arm template | b8149f2f-54da-4f7b-98e1-c01ca47e1e55.json |
```kusto
// Medium severity - Social and Public Exposure - Social Media Threats Activity Detected
let timeFrame = 5m;
CyfirmaSPESocialThreatAlerts_CL
// Match the rule's own severity tier: the name, metadata and description all declare Medium.
// The original filter read 'High', which would never surface medium-tier alerts;
// 'Medium' is assumed to be the connector's label for that tier.
| where severity == 'Medium' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Source=source,
    Impact=impact,
    Recommendation=recommendation,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Source,
    Impact,
    Recommendation,
    ProductName,
    ProviderName,
    AlertTitle
```
```yaml
alertDetailsOverride:
  alertDynamicProperties:
    - alertProperty: ProductName
      value: ProductName
    - alertProperty: ProviderName
      value: ProviderName
  alertDescriptionFormat: '{{Description}} '
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Alert: Social Media Threat Activity Detected - {{AlertTitle}} '
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    reopenClosedIncident: false
    enabled: false
requiredDataConnectors:
  - dataTypes:
      - CyfirmaSPESocialThreatAlerts_CL
    connectorId: CyfirmaDigitalRiskAlertsConnector
relevantTechniques:
  - T1585.001
  - T1593
  - T1566
  - T1582
  - T1491
triggerOperator: gt
version: 1.0.1
queryFrequency: 5m
severity: Medium
description: |
  "This rule detects medium-severity social threat alerts from CYFIRMA related to impersonation, fake profiles, or malicious activities on social platforms that may target executives, brands, or employees.
  These threats can result in reputational damage, phishing, or social engineering attacks.
  Immediate investigation and takedown are recommended to minimize risk."
triggerThreshold: 0
customDetails:
  AssetValue: AssetValue
  Description: Description
  LastSeen: LastSeen
  AssetType: AssetType
  FirstSeen: FirstSeen
  RiskScore: RiskScore
  Recommendation: Recommendation
  AlertUID: AlertUID
  Source: Source
  Impact: Impact
  UID: UID
  TimeGenerated: TimeGenerated
name: CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule
query: |
  // Medium severity - Social and Public Exposure - Social Media Threats Activity Detected
  let timeFrame = 5m;
  CyfirmaSPESocialThreatAlerts_CL
  // Match the rule's own severity tier: the name, metadata and description all declare Medium.
  // The original filter read 'High', which would never surface medium-tier alerts;
  // 'Medium' is assumed to be the connector's label for that tier.
  | where severity == 'Medium' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact=impact,
      Recommendation=recommendation,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Source,
      Impact,
      Recommendation,
      ProductName,
      ProviderName,
      AlertTitle
tactics:
  - ResourceDevelopment
  - Reconnaissance
  - InitialAccess
  - Impact
queryPeriod: 5m
kind: Scheduled
id: b8149f2f-54da-4f7b-98e1-c01ca47e1e55
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESocialMediaThreatsMediumRule.yaml
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
```