CYFIRMA - Customer Accounts Leaks Detection Rule
| Id | ebd1bf8d-aa18-4e66-9cad-555b71a290f1 |
| Rulename | CYFIRMA - Customer Accounts Leaks Detection Rule |
| Description | “Detects recent leaks of customer account credentials based on CYFIRMA’s threat intelligence. This rule surfaces the latest credential exposures, including email, username, and breach metadata. It enables security teams to quickly identify and investigate leaked customer data from third-party breaches, dark web listings, or public repositories.” |
| Severity | High |
| Tactics | CredentialAccess InitialAccess |
| Techniques | T1552 T1078 |
| Required data connectors | CyfirmaCompromisedAccountsDataConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CustomerAccountsLeaksRule.yaml |
| Version | 1.0.1 |
| Arm template | ebd1bf8d-aa18-4e66-9cad-555b71a290f1.json |
// Customer Accounts Leaks - Latest per UID
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
and Category has "Customer Accounts Leaks"
| extend
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| summarize arg_max(TimeGenerated,
user_name,
email,
url,
password,
breach_date,
first_seen,
last_seen,
impact,
recommendations,
description,
source,
ProductName,
ProviderName
) by uid
| sort by TimeGenerated desc
kind: Scheduled
customDetails:
UID: uid
Description: description
BreachDate: breach_date
TimeGenerated: TimeGenerated
Impact: impact
FirstSeen: first_seen
Recommendations: recommendations
Source: source
LastSeen: last_seen
suppressionDuration: 6h
entityMappings:
- entityType: Account
fieldMappings:
- columnName: user_name
identifier: Name
- columnName: email
identifier: UPNSuffix
- entityType: URL
fieldMappings:
- columnName: url
identifier: Url
description: |
"Detects recent leaks of customer account credentials based on CYFIRMA's threat intelligence.
This rule surfaces the latest credential exposures, including email, username, and breach metadata.
It enables security teams to quickly identify and investigate leaked customer data from third-party breaches, dark web listings, or public repositories."
severity: High
queryFrequency: 5m
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: PT5H
enabled: false
createIncident: true
triggerThreshold: 0
relevantTechniques:
- T1552
- T1078
eventGroupingSettings:
aggregationKind: AlertPerResult
suppressionEnabled: true
status: Available
version: 1.0.1
name: CYFIRMA - Customer Accounts Leaks Detection Rule
id: ebd1bf8d-aa18-4e66-9cad-555b71a290f1
query: |
// Customer Accounts Leaks - Latest per UID
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
and Category has "Customer Accounts Leaks"
| extend
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| summarize arg_max(TimeGenerated,
user_name,
email,
url,
password,
breach_date,
first_seen,
last_seen,
impact,
recommendations,
description,
source,
ProductName,
ProviderName
) by uid
| sort by TimeGenerated desc
requiredDataConnectors:
- dataTypes:
- CyfirmaCompromisedAccounts_CL
connectorId: CyfirmaCompromisedAccountsDataConnector
tactics:
- CredentialAccess
- InitialAccess
alertDetailsOverride:
alertDisplayNameFormat: Customer Leak - {{user_name}} - {{email}}
alertDescriptionFormat: '{{description}}'
alertDynamicProperties:
- value: ProductName
alertProperty: ProductName
- value: ProviderName
alertProperty: ProviderName
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CustomerAccountsLeaksRule.yaml
queryPeriod: 5m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ebd1bf8d-aa18-4e66-9cad-555b71a290f1')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ebd1bf8d-aa18-4e66-9cad-555b71a290f1')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{description}}",
"alertDisplayNameFormat": "Customer Leak - {{user_name}} - {{email}}",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "ebd1bf8d-aa18-4e66-9cad-555b71a290f1",
"customDetails": {
"BreachDate": "breach_date",
"Description": "description",
"FirstSeen": "first_seen",
"Impact": "impact",
"LastSeen": "last_seen",
"Recommendations": "recommendations",
"Source": "source",
"TimeGenerated": "TimeGenerated",
"UID": "uid"
},
"description": "\"Detects recent leaks of customer account credentials based on CYFIRMA's threat intelligence.\n This rule surfaces the latest credential exposures, including email, username, and breach metadata.\n It enables security teams to quickly identify and investigate leaked customer data from third-party breaches, dark web listings, or public repositories.\"\n",
"displayName": "CYFIRMA - Customer Accounts Leaks Detection Rule",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "user_name",
"identifier": "Name"
},
{
"columnName": "email",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "url",
"identifier": "Url"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CustomerAccountsLeaksRule.yaml",
"query": "// Customer Accounts Leaks - Latest per UID\nlet timeFrame = 5m;\nCyfirmaCompromisedAccounts_CL\n| where TimeGenerated between (ago(timeFrame) .. now())\n and Category has \"Customer Accounts Leaks\"\n| extend \n ProviderName = 'CYFIRMA',\n ProductName = 'DeCYFIR/DeTCT'\n| summarize arg_max(TimeGenerated, \n user_name,\n email,\n url,\n password,\n breach_date,\n first_seen,\n last_seen,\n impact,\n recommendations,\n description,\n source,\n ProductName,\n ProviderName\n) by uid\n| sort by TimeGenerated desc\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT6H",
"suppressionEnabled": true,
"tactics": [
"CredentialAccess",
"InitialAccess"
],
"techniques": [
"T1078",
"T1552"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}