CYFIRMA - Social and Public Exposure - Social Media Threats Activity Detected Rule

// Medium severity - Social and Public Exposure - Social Media Threats Activity Detected
let timeFrame = 5m;
CyfirmaSPESocialThreatAlerts_CL
| where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
| extend
    Description=description,
    FirstSeen=first_seen,
    LastSeen=last_seen,
    RiskScore=risk_score,
    AlertUID=alert_uid,
    UID=uid,
    AssetType=asset_type,
    AssetValue=signature,
    Source=source,
    Impact=impact,
    Recommendation=recommendation,
    ProviderName='CYFIRMA',
    ProductName='DeCYFIR/DeTCT',
    AlertTitle=Alert_title
| project
    TimeGenerated,
    Description,
    RiskScore,
    FirstSeen,
    LastSeen,
    AlertUID,
    UID,
    AssetType,
    AssetValue,
    Source,
    Impact,
    Recommendation,
    ProductName,
    ProviderName,
    AlertTitle

description: |
  "This rule detects medium-severity social threat alerts from CYFIRMA related to impersonation, fake profiles, or malicious activities on social platforms that may target executives, brands, or employees. 
  These threats can result in reputational damage, phishing, or social engineering attacks. 
  Immediate investigation and takedown are recommended to minimize risk."  
kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Digital Risk/Analytic Rules/SPESocialMediaThreatsMediumRule.yaml
alertDetailsOverride:
  alertDisplayNameFormat: 'CYFIRMA - Medium Severity Alert: Social Media Threat Activity Detected - {{AlertTitle}} '
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDescriptionFormat: '{{Description}} '
severity: Medium
triggerOperator: gt
triggerThreshold: 0
name: CYFIRMA - Social and Public Exposure -  Social Media Threats  Activity Detected Rule
customDetails:
  Description: Description
  FirstSeen: FirstSeen
  AlertUID: AlertUID
  Recommendation: Recommendation
  RiskScore: RiskScore
  AssetType: AssetType
  TimeGenerated: TimeGenerated
  UID: UID
  AssetValue: AssetValue
  Source: Source
  LastSeen: LastSeen
  Impact: Impact
requiredDataConnectors:
- connectorId: CyfirmaDigitalRiskAlertsConnector
  dataTypes:
  - CyfirmaSPESocialThreatAlerts_CL
id: b8149f2f-54da-4f7b-98e1-c01ca47e1e55
queryPeriod: 5m
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: PT5H
tactics:
- ResourceDevelopment
- Reconnaissance
- InitialAccess
- Impact
relevantTechniques:
- T1585.001
- T1593
- T1566
- T1582
- T1491
status: Available
version: 1.0.1
query: |
  // Medium severity - Social and Public Exposure - Social Media Threats Activity Detected
  let timeFrame = 5m;
  CyfirmaSPESocialThreatAlerts_CL
  | where severity == 'High' and TimeGenerated between (ago(timeFrame) .. now())
  | extend
      Description=description,
      FirstSeen=first_seen,
      LastSeen=last_seen,
      RiskScore=risk_score,
      AlertUID=alert_uid,
      UID=uid,
      AssetType=asset_type,
      AssetValue=signature,
      Source=source,
      Impact=impact,
      Recommendation=recommendation,
      ProviderName='CYFIRMA',
      ProductName='DeCYFIR/DeTCT',
      AlertTitle=Alert_title
  | project
      TimeGenerated,
      Description,
      RiskScore,
      FirstSeen,
      LastSeen,
      AlertUID,
      UID,
      AssetType,
      AssetValue,
      Source,
      Impact,
      Recommendation,
      ProductName,
      ProviderName,
      AlertTitle