Microsoft Sentinel Analytic Rules

CYFIRMA - Customer Accounts Leaks Detection Rule

Id: ebd1bf8d-aa18-4e66-9cad-555b71a290f1
Rule name: CYFIRMA - Customer Accounts Leaks Detection Rule
Description: Detects recent leaks of customer account credentials based on CYFIRMA's threat intelligence.

This rule surfaces the latest credential exposures, including email, username, and breach metadata.

It enables security teams to quickly identify and investigate leaked customer data from third-party breaches, dark web listings, or public repositories.
Severity: High
Tactics: CredentialAccess, InitialAccess
Techniques: T1552 (Unsecured Credentials), T1078 (Valid Accounts)
Required data connectors: CyfirmaCompromisedAccountsDataConnector
Kind: Scheduled
Query frequency: 5m
Query period: 5m (equal to the frequency, so consecutive runs do not overlap; a record that lands late because of ingestion delay falls outside every window and is never evaluated)
Trigger threshold: 0
Trigger operator: gt (the rule fires whenever the query returns at least one row)
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma%20Compromised%20Accounts/Analytic%20Rules/CustomerAccountsLeaksRule.yaml
Version: 1.0.0
Arm template: ebd1bf8d-aa18-4e66-9cad-555b71a290f1.json
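// Customer Accounts Leaks - Latest per UID
//
// Returns the newest CyfirmaCompromisedAccounts_CL record per uid from the
// last 5 minutes whose Category contains the term "Customer Accounts Leaks".
// NOTE(review): 5m equals the rule's queryPeriod and queryFrequency, so runs
// do not overlap; a record delayed by ingestion latency beyond 5m is never
// seen by any run.
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
    and Category has "Customer Accounts Leaks"
| extend
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
// Keep only the most recent record per uid.
// The feed's `password` column is deliberately NOT carried through: nothing
// downstream (entity mappings, custom details, alert display/description
// format) references it, so projecting it only exposes a plaintext leaked
// credential to everyone who can open the alert's query results.
| summarize arg_max(TimeGenerated,
    user_name,
    email,
    url,
    breach_date,
    first_seen,
    last_seen,
    impact,
    recommendations,
    description,
    source,
    ProductName,
    ProviderName
) by uid
| sort by TimeGenerated desc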
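# Scheduled analytic rule: raise one alert per newest CYFIRMA
# "Customer Accounts Leaks" record (deduplicated by uid) seen in the last 5m.
# Comments marked CHANGED describe deviations from the published template;
# comments marked NOTE(review) are caveats for whoever operates the rule.
tactics:
- CredentialAccess
- InitialAccess
name: CYFIRMA - Customer Accounts Leaks Detection Rule
# CHANGED: suppression disabled. With suppression on, Sentinel stops running
# this query for suppressionDuration (6h) after any alert. Because
# queryPeriod is only 5m, every record ingested during that pause is never
# evaluated and those leaks are silently missed. Control noise with incident
# grouping or query tuning instead of pausing a feed that can deliver many
# distinct leaks per day.
suppressionEnabled: false
requiredDataConnectors:
- connectorId: CyfirmaCompromisedAccountsDataConnector
  dataTypes:
  - CyfirmaCompromisedAccounts_CL
query: |
  // Customer Accounts Leaks - Latest per UID
  // NOTE(review): 5m equals queryPeriod/queryFrequency, so runs do not
  // overlap; a record delayed by ingestion latency beyond 5m is never seen.
  let timeFrame = 5m;
  CyfirmaCompromisedAccounts_CL
  | where TimeGenerated between (ago(timeFrame) .. now())
      and Category has "Customer Accounts Leaks"
  | extend
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  // CHANGED: the feed's `password` column is no longer carried through.
  // Nothing below (entityMappings, customDetails, alertDetailsOverride)
  // references it, so projecting it only exposes a plaintext leaked
  // credential in the alert's query results.
  | summarize arg_max(TimeGenerated,
      user_name,
      email,
      url,
      breach_date,
      first_seen,
      last_seen,
      impact,
      recommendations,
      description,
      source,
      ProductName,
      ProviderName
  ) by uid
  | sort by TimeGenerated desc
# One alert per returned row (i.e. per uid in the window).
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1552
- T1078
# Every alert becomes its own incident; grouping is off, so lookbackDuration
# below has no effect until groupingConfiguration.enabled is set to true.
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: 5h
    enabled: false
# CHANGED: removed the stray literal quotation marks that wrapped the text
# and the uneven indentation that a literal block scalar preserves verbatim.
description: |
  Detects recent leaks of customer account credentials based on CYFIRMA's threat intelligence.
  This rule surfaces the latest credential exposures, including email, username, and breach metadata.
  It enables security teams to quickly identify and investigate leaked customer data from third-party breaches, dark web listings, or public repositories.
# Fires whenever the query returns at least one row.
triggerOperator: gt
queryPeriod: 5m
# Retained for schema completeness; inert while suppressionEnabled is false.
suppressionDuration: 6h
severity: High
entityMappings:
# NOTE(review): the Account entity is assembled from the breach-site
# user_name (Name) plus the whole email address (UPNSuffix). Sentinel treats
# UPNSuffix as the domain part of a UPN, so this pairing may not correlate
# with directory accounts; consider splitting email into local part and
# domain in the query, or mapping email to a Mailbox entity instead.
- fieldMappings:
  - identifier: Name
    columnName: user_name
  - identifier: UPNSuffix
    columnName: email
  entityType: Account
- fieldMappings:
  - identifier: Url
    columnName: url
  entityType: URL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CustomerAccountsLeaksRule.yaml
version: 1.0.0
alertDetailsOverride:
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
  alertDisplayNameFormat: Customer Leak - {{user_name}} - {{email}}
  alertDescriptionFormat: '{{description}}'
triggerThreshold: 0
id: ebd1bf8d-aa18-4e66-9cad-555b71a290f1
queryFrequency: 5m
kind: Scheduled
status: Available
# Breach metadata surfaced on the alert; the leaked password is intentionally
# absent from this list and from the query output.
customDetails:
  Recommendations: recommendations
  Description: description
  FirstSeen: first_seen
  TimeGenerated: TimeGenerated
  Source: source
  BreachDate: breach_date
  LastSeen: last_seen
  Impact: impact
  UID: uid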
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ebd1bf8d-aa18-4e66-9cad-555b71a290f1')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ebd1bf8d-aa18-4e66-9cad-555b71a290f1')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{description}}",
          "alertDisplayNameFormat": "Customer Leak - {{user_name}} - {{email}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "ebd1bf8d-aa18-4e66-9cad-555b71a290f1",
        "customDetails": {
          "BreachDate": "breach_date",
          "Description": "description",
          "FirstSeen": "first_seen",
          "Impact": "impact",
          "LastSeen": "last_seen",
          "Recommendations": "recommendations",
          "Source": "source",
          "TimeGenerated": "TimeGenerated",
          "UID": "uid"
        },
        "description": "\"Detects recent leaks of customer account credentials based on CYFIRMA's threat intelligence.\n  This rule surfaces the latest credential exposures, including email, username, and breach metadata.\n  It enables security teams to quickly identify and investigate leaked customer data from third-party breaches, dark web listings, or public repositories.\"\n",
        "displayName": "CYFIRMA - Customer Accounts Leaks Detection Rule",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "user_name",
                "identifier": "Name"
              },
              {
                "columnName": "email",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "url",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CustomerAccountsLeaksRule.yaml",
        "query": "// Customer Accounts Leaks - Latest per UID\nlet timeFrame = 5m;\nCyfirmaCompromisedAccounts_CL\n| where TimeGenerated between (ago(timeFrame) .. now())\n    and Category has \"Customer Accounts Leaks\"\n| extend \n    ProviderName = 'CYFIRMA',\n    ProductName = 'DeCYFIR/DeTCT'\n| summarize arg_max(TimeGenerated, \n    user_name,\n    email,\n    url,\n    password,\n    breach_date,\n    first_seen,\n    last_seen,\n    impact,\n    recommendations,\n    description,\n    source,\n    ProductName,\n    ProviderName\n) by uid\n| sort by TimeGenerated desc\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT6H",
        "suppressionEnabled": true,
        "tactics": [
          "CredentialAccess",
          "InitialAccess"
        ],
        "techniques": [
          "T1078",
          "T1552"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}