CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule

// Medium severity - Social and Public Exposure - Social Media Threats Activity Detected
let timeFrame = 5m;
CyfirmaSPESocialThreatAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Source=source,
    Impact=impact,
    Recommendation=recommendation,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Source,
    Impact,
    Recommendation,
    ProductName,
    ProviderName,
    AlertTitle

description: |
  "This rule detects medium-severity social threat alerts from CYFIRMA related to impersonation, fake profiles, or malicious activities on social platforms that may target executives, brands, or employees. 
  These threats can result in reputational damage, phishing, or social engineering attacks. 
  Immediate investigation and takedown are recommended to minimize risk."  
tactics:
- ResourceDevelopment
- Reconnaissance
- InitialAccess
- Impact
requiredDataConnectors:
- dataTypes:
  - CyfirmaSPESocialThreatAlerts_CL
  connectorId: CyfirmaDigitalRiskAlertsConnector
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Alert: Social Media Threat Activity Detected - {{AlertTitle}} '
  alertDescriptionFormat: '{{Description}} '
  alertDynamicProperties:
  - value: ProductName
    alertProperty: ProductName
  - value: ProviderName
    alertProperty: ProviderName
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
id: b8149f2f-54da-4f7b-98e1-c01ca47e1e55
severity: Medium
eventGroupingSettings:
  aggregationKind: AlertPerResult
status: Available
customDetails:
  TimeGenerated: TimeGenerated
  LastSeen: LastSeen
  RiskScore: RiskScore
  FirstSeen: FirstSeen
  UID: UID
  Impact: Impact
  Recommendation: Recommendation
  AssetValue: AssetValue
  AlertUID: AlertUID
  Description: Description
  AssetType: AssetType
  Source: Source
query: |
  // Medium severity - Social and Public Exposure - Social Media Threats Activity Detected
  let timeFrame = 5m;
  CyfirmaSPESocialThreatAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact=impact,
      Recommendation=recommendation,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Source,
      Impact,
      Recommendation,
      ProductName,
      ProviderName,
      AlertTitle  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESocialMediaThreatsMediumRule.yaml
kind: Scheduled
queryPeriod: 5m
name: CYFIRMA - Social and Public Exposure -  Social Media Threats  Activity Detected Rule
queryFrequency: 5m
triggerThreshold: 0
relevantTechniques:
- T1585.001
- T1593
- T1566
- T1582
- T1491
version: 1.0.1
triggerOperator: gt