CYFIRMA - Customer Accounts Leaks Detection Rule
| Id | ebd1bf8d-aa18-4e66-9cad-555b71a290f1 |
| Rulename | CYFIRMA - Customer Accounts Leaks Detection Rule |
| Description | “Detects recent leaks of customer account credentials based on CYFIRMA’s threat intelligence. This rule surfaces the latest credential exposures, including email, username, and breach metadata. It enables security teams to quickly identify and investigate leaked customer data from third-party breaches, dark web listings, or public repositories.” |
| Severity | High |
| Tactics | CredentialAccess InitialAccess |
| Techniques | T1552 T1078 |
| Required data connectors | CyfirmaCompromisedAccountsDataConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CustomerAccountsLeaksRule.yaml |
| Version | 1.0.1 |
| Arm template | ebd1bf8d-aa18-4e66-9cad-555b71a290f1.json |
// Customer Accounts Leaks - Latest per UID
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
and Category has "Customer Accounts Leaks"
| extend
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| summarize arg_max(TimeGenerated,
user_name,
email,
url,
password,
breach_date,
first_seen,
last_seen,
impact,
recommendations,
description,
source,
ProductName,
ProviderName
) by uid
| sort by TimeGenerated desc
queryPeriod: 5m
relevantTechniques:
- T1552
- T1078
kind: Scheduled
query: |
// Customer Accounts Leaks - Latest per UID
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
and Category has "Customer Accounts Leaks"
| extend
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| summarize arg_max(TimeGenerated,
user_name,
email,
url,
password,
breach_date,
first_seen,
last_seen,
impact,
recommendations,
description,
source,
ProductName,
ProviderName
) by uid
| sort by TimeGenerated desc
triggerThreshold: 0
triggerOperator: gt
tactics:
- CredentialAccess
- InitialAccess
queryFrequency: 5m
suppressionEnabled: true
incidentConfiguration:
groupingConfiguration:
enabled: false
matchingMethod: AllEntities
lookbackDuration: PT5H
reopenClosedIncident: false
createIncident: true
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride:
alertDisplayNameFormat: Customer Leak - {{user_name}} - {{email}}
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
alertDescriptionFormat: '{{description}}'
id: ebd1bf8d-aa18-4e66-9cad-555b71a290f1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CustomerAccountsLeaksRule.yaml
version: 1.0.1
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: user_name
- identifier: UPNSuffix
columnName: email
- entityType: URL
fieldMappings:
- identifier: Url
columnName: url
suppressionDuration: 6h
customDetails:
TimeGenerated: TimeGenerated
LastSeen: last_seen
Impact: impact
UID: uid
Source: source
FirstSeen: first_seen
Recommendations: recommendations
Description: description
BreachDate: breach_date
status: Available
name: CYFIRMA - Customer Accounts Leaks Detection Rule
severity: High
requiredDataConnectors:
- dataTypes:
- CyfirmaCompromisedAccounts_CL
connectorId: CyfirmaCompromisedAccountsDataConnector
description: |
"Detects recent leaks of customer account credentials based on CYFIRMA's threat intelligence.
This rule surfaces the latest credential exposures, including email, username, and breach metadata.
It enables security teams to quickly identify and investigate leaked customer data from third-party breaches, dark web listings, or public repositories."