CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule
| Id | b8149f2f-54da-4f7b-98e1-c01ca47e1e55 |
| Rulename | CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule |
| Description | “This rule detects medium-severity social threat alerts from CYFIRMA related to impersonation, fake profiles, or malicious activities on social platforms that may target executives, brands, or employees. These threats can result in reputational damage, phishing, or social engineering attacks. Immediate investigation and takedown are recommended to minimize risk.” |
| Severity | Medium |
| Tactics | ResourceDevelopment Reconnaissance InitialAccess Impact |
| Techniques | T1585.001 T1593 T1566 T1582 T1491 |
| Required data connectors | CyfirmaDigitalRiskAlertsConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESocialMediaThreatsMediumRule.yaml |
| Version | 1.0.0 |
| Arm template | b8149f2f-54da-4f7b-98e1-c01ca47e1e55.json |
// Medium severity - Social and Public Exposure - Social Media Threats Activity Detected
let timeFrame = 5m;
CyfirmaSPESocialThreatAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=signature,
Source=source,
Impact=impact,
Recommendation=recommendation,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT',
AlertTitle=Alert_title
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Source,
Impact,
Recommendation,
ProductName,
ProviderName,
AlertTitle
tactics:
- ResourceDevelopment
- Reconnaissance
- InitialAccess
- Impact
name: CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule
id: b8149f2f-54da-4f7b-98e1-c01ca47e1e55
requiredDataConnectors:
- connectorId: CyfirmaDigitalRiskAlertsConnector
dataTypes:
- CyfirmaSPESocialThreatAlerts_CL
query: |
// Medium severity - Social and Public Exposure - Social Media Threats Activity Detected
let timeFrame = 5m;
CyfirmaSPESocialThreatAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
Description=description,
FirstSeen=first_seen,
LastSeen=last_seen,
RiskScore=risk_score,
AlertUID=alert_uid,
UID=uid,
AssetType=asset_type,
AssetValue=signature,
Source=source,
Impact=impact,
Recommendation=recommendation,
ProviderName='CYFIRMA',
ProductName='DeCYFIR/DeTCT',
AlertTitle=Alert_title
| project
TimeGenerated,
Description,
RiskScore,
FirstSeen,
LastSeen,
AlertUID,
UID,
AssetType,
AssetValue,
Source,
Impact,
Recommendation,
ProductName,
ProviderName,
AlertTitle
eventGroupingSettings:
aggregationKind: AlertPerResult
relevantTechniques:
- T1585.001
- T1593
- T1566
- T1582
- T1491
incidentConfiguration:
createIncident: true
groupingConfiguration:
matchingMethod: AllEntities
reopenClosedIncident: false
lookbackDuration: 5h
enabled: false
description: |
"This rule detects medium-severity social threat alerts from CYFIRMA related to impersonation, fake profiles, or malicious activities on social platforms that may target executives, brands, or employees.
These threats can result in reputational damage, phishing, or social engineering attacks.
Immediate investigation and takedown are recommended to minimize risk."
triggerOperator: gt
queryPeriod: 5m
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESocialMediaThreatsMediumRule.yaml
version: 1.0.0
alertDetailsOverride:
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
alertDisplayNameFormat: 'CYFIRMA - Medium Severity Alert: Social Media Threat Activity Detected - {{AlertTitle}} '
alertDescriptionFormat: '{{Description}} '
triggerThreshold: 0
queryFrequency: 5m
kind: Scheduled
status: Available
customDetails:
Source: Source
Impact: Impact
AssetType: AssetType
AssetValue: AssetValue
TimeGenerated: TimeGenerated
Description: Description
AlertUID: AlertUID
Recommendation: Recommendation
UID: UID
LastSeen: LastSeen
RiskScore: RiskScore
FirstSeen: FirstSeen
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b8149f2f-54da-4f7b-98e1-c01ca47e1e55')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b8149f2f-54da-4f7b-98e1-c01ca47e1e55')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{Description}} ",
"alertDisplayNameFormat": "CYFIRMA - Medium Severity Alert: Social Media Threat Activity Detected - {{AlertTitle}} ",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "b8149f2f-54da-4f7b-98e1-c01ca47e1e55",
"customDetails": {
"AlertUID": "AlertUID",
"AssetType": "AssetType",
"AssetValue": "AssetValue",
"Description": "Description",
"FirstSeen": "FirstSeen",
"Impact": "Impact",
"LastSeen": "LastSeen",
"Recommendation": "Recommendation",
"RiskScore": "RiskScore",
"Source": "Source",
"TimeGenerated": "TimeGenerated",
"UID": "UID"
},
"description": "\"This rule detects medium-severity social threat alerts from CYFIRMA related to impersonation, fake profiles, or malicious activities on social platforms that may target executives, brands, or employees. \nThese threats can result in reputational damage, phishing, or social engineering attacks. \nImmediate investigation and takedown are recommended to minimize risk.\"\n",
"displayName": "CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule",
"enabled": true,
"entityMappings": null,
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESocialMediaThreatsMediumRule.yaml",
"query": "// Medium severity - Social and Public Exposure - Social Media Threats Activity Detected\nlet timeFrame = 5m;\nCyfirmaSPESocialThreatAlerts_CL\n| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())\n| extend\n Description=description,\n FirstSeen=first_seen,\n LastSeen=last_seen,\n RiskScore=risk_score,\n AlertUID=alert_uid,\n UID=uid,\n AssetType=asset_type,\n AssetValue=signature,\n Source=source,\n Impact=impact,\n Recommendation=recommendation,\n ProviderName='CYFIRMA',\n ProductName='DeCYFIR/DeTCT',\n AlertTitle=Alert_title\n| project\n TimeGenerated,\n Description,\n RiskScore,\n FirstSeen,\n LastSeen,\n AlertUID,\n UID,\n AssetType,\n AssetValue,\n Source,\n Impact,\n Recommendation,\n ProductName,\n ProviderName,\n AlertTitle\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"status": "Available",
"subTechniques": [
"T1585.001"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact",
"InitialAccess",
"Reconnaissance",
"ResourceDevelopment"
],
"techniques": [
"T1491",
"T1566",
"T1585",
"T1593"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}