CYFIRMA - Customer Accounts Leaks Detection Rule
| Id | ebd1bf8d-aa18-4e66-9cad-555b71a290f1 |
| Rulename | CYFIRMA - Customer Accounts Leaks Detection Rule |
| Description | “Detects recent leaks of customer account credentials based on CYFIRMA’s threat intelligence. This rule surfaces the latest credential exposures, including email, username, and breach metadata. It enables security teams to quickly identify and investigate leaked customer data from third-party breaches, dark web listings, or public repositories.” |
| Severity | High |
| Tactics | CredentialAccess InitialAccess |
| Techniques | T1552 T1078 |
| Required data connectors | CyfirmaCompromisedAccountsDataConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CustomerAccountsLeaksRule.yaml |
| Version | 1.0.1 |
| Arm template | ebd1bf8d-aa18-4e66-9cad-555b71a290f1.json |
// Customer Accounts Leaks - Latest per UID
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
and Category has "Customer Accounts Leaks"
| extend
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| summarize arg_max(TimeGenerated,
user_name,
email,
url,
password,
breach_date,
first_seen,
last_seen,
impact,
recommendations,
description,
source,
ProductName,
ProviderName
) by uid
| sort by TimeGenerated desc
name: CYFIRMA - Customer Accounts Leaks Detection Rule
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride:
alertDynamicProperties:
- alertProperty: ProductName
value: ProductName
- alertProperty: ProviderName
value: ProviderName
alertDisplayNameFormat: Customer Leak - {{user_name}} - {{email}}
alertDescriptionFormat: '{{description}}'
id: ebd1bf8d-aa18-4e66-9cad-555b71a290f1
triggerThreshold: 0
requiredDataConnectors:
- connectorId: CyfirmaCompromisedAccountsDataConnector
dataTypes:
- CyfirmaCompromisedAccounts_CL
kind: Scheduled
triggerOperator: gt
version: 1.0.1
description: |
"Detects recent leaks of customer account credentials based on CYFIRMA's threat intelligence.
This rule surfaces the latest credential exposures, including email, username, and breach metadata.
It enables security teams to quickly identify and investigate leaked customer data from third-party breaches, dark web listings, or public repositories."
severity: High
relevantTechniques:
- T1552
- T1078
suppressionDuration: 6h
queryPeriod: 5m
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: false
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: PT5H
tactics:
- CredentialAccess
- InitialAccess
customDetails:
Source: source
Description: description
TimeGenerated: TimeGenerated
BreachDate: breach_date
FirstSeen: first_seen
Recommendations: recommendations
LastSeen: last_seen
UID: uid
Impact: impact
queryFrequency: 5m
entityMappings:
- fieldMappings:
- identifier: Name
columnName: user_name
- identifier: UPNSuffix
columnName: email
entityType: Account
- fieldMappings:
- identifier: Url
columnName: url
entityType: URL
status: Available
suppressionEnabled: true
query: |
// Customer Accounts Leaks - Latest per UID
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
and Category has "Customer Accounts Leaks"
| extend
ProviderName = 'CYFIRMA',
ProductName = 'DeCYFIR/DeTCT'
| summarize arg_max(TimeGenerated,
user_name,
email,
url,
password,
breach_date,
first_seen,
last_seen,
impact,
recommendations,
description,
source,
ProductName,
ProviderName
) by uid
| sort by TimeGenerated desc
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CustomerAccountsLeaksRule.yaml
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ebd1bf8d-aa18-4e66-9cad-555b71a290f1')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ebd1bf8d-aa18-4e66-9cad-555b71a290f1')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{description}}",
"alertDisplayNameFormat": "Customer Leak - {{user_name}} - {{email}}",
"alertDynamicProperties": [
{
"alertProperty": "ProductName",
"value": "ProductName"
},
{
"alertProperty": "ProviderName",
"value": "ProviderName"
}
]
},
"alertRuleTemplateName": "ebd1bf8d-aa18-4e66-9cad-555b71a290f1",
"customDetails": {
"BreachDate": "breach_date",
"Description": "description",
"FirstSeen": "first_seen",
"Impact": "impact",
"LastSeen": "last_seen",
"Recommendations": "recommendations",
"Source": "source",
"TimeGenerated": "TimeGenerated",
"UID": "uid"
},
"description": "\"Detects recent leaks of customer account credentials based on CYFIRMA's threat intelligence.\n This rule surfaces the latest credential exposures, including email, username, and breach metadata.\n It enables security teams to quickly identify and investigate leaked customer data from third-party breaches, dark web listings, or public repositories.\"\n",
"displayName": "CYFIRMA - Customer Accounts Leaks Detection Rule",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "user_name",
"identifier": "Name"
},
{
"columnName": "email",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "url",
"identifier": "Url"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CustomerAccountsLeaksRule.yaml",
"query": "// Customer Accounts Leaks - Latest per UID\nlet timeFrame = 5m;\nCyfirmaCompromisedAccounts_CL\n| where TimeGenerated between (ago(timeFrame) .. now())\n and Category has \"Customer Accounts Leaks\"\n| extend \n ProviderName = 'CYFIRMA',\n ProductName = 'DeCYFIR/DeTCT'\n| summarize arg_max(TimeGenerated, \n user_name,\n email,\n url,\n password,\n breach_date,\n first_seen,\n last_seen,\n impact,\n recommendations,\n description,\n source,\n ProductName,\n ProviderName\n) by uid\n| sort by TimeGenerated desc\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT6H",
"suppressionEnabled": true,
"tactics": [
"CredentialAccess",
"InitialAccess"
],
"techniques": [
"T1078",
"T1552"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}