Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

CYFIRMA - Customer Accounts Leaks Detection Rule

Back
Idebd1bf8d-aa18-4e66-9cad-555b71a290f1
RulenameCYFIRMA - Customer Accounts Leaks Detection Rule
Description“Detects recent leaks of customer account credentials based on CYFIRMA’s threat intelligence.

This rule surfaces the latest credential exposures, including email, username, and breach metadata.

It enables security teams to quickly identify and investigate leaked customer data from third-party breaches, dark web listings, or public repositories.”
SeverityHigh
TacticsCredentialAccess
InitialAccess
TechniquesT1552
T1078
Required data connectorsCyfirmaCompromisedAccountsDataConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CustomerAccountsLeaksRule.yaml
Version1.0.0
Arm templateebd1bf8d-aa18-4e66-9cad-555b71a290f1.json
Deploy To Azure
// Customer Accounts Leaks - Latest per UID
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
    and Category has "Customer Accounts Leaks"
| extend 
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| summarize arg_max(TimeGenerated, 
    user_name,
    email,
    url,
    password,
    breach_date,
    first_seen,
    last_seen,
    impact,
    recommendations,
    description,
    source,
    ProductName,
    ProviderName
) by uid
| sort by TimeGenerated desc
entityMappings:
- fieldMappings:
  - columnName: user_name
    identifier: Name
  - columnName: email
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: url
    identifier: Url
  entityType: URL
triggerThreshold: 0
severity: High
suppressionDuration: 6h
queryFrequency: 5m
queryPeriod: 5m
customDetails:
  TimeGenerated: TimeGenerated
  LastSeen: last_seen
  Recommendations: recommendations
  BreachDate: breach_date
  Impact: impact
  FirstSeen: first_seen
  Description: description
  UID: uid
  Source: source
relevantTechniques:
- T1552
- T1078
alertDetailsOverride:
  alertDisplayNameFormat: Customer Leak - {{user_name}} - {{email}}
  alertDescriptionFormat: '{{description}}'
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: ProviderName
    value: ProviderName
triggerOperator: gt
kind: Scheduled
id: ebd1bf8d-aa18-4e66-9cad-555b71a290f1
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 5h
    enabled: false
    matchingMethod: AllEntities
    reopenClosedIncident: false
requiredDataConnectors:
- connectorId: CyfirmaCompromisedAccountsDataConnector
  dataTypes:
  - CyfirmaCompromisedAccounts_CL
version: 1.0.0
name: CYFIRMA - Customer Accounts Leaks Detection Rule
eventGroupingSettings:
  aggregationKind: AlertPerResult
tactics:
- CredentialAccess
- InitialAccess
description: |
  "Detects recent leaks of customer account credentials based on CYFIRMA's threat intelligence.
    This rule surfaces the latest credential exposures, including email, username, and breach metadata.
    It enables security teams to quickly identify and investigate leaked customer data from third-party breaches, dark web listings, or public repositories."  
query: |
  // Customer Accounts Leaks - Latest per UID
  let timeFrame = 5m;
  CyfirmaCompromisedAccounts_CL
  | where TimeGenerated between (ago(timeFrame) .. now())
      and Category has "Customer Accounts Leaks"
  | extend 
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | summarize arg_max(TimeGenerated, 
      user_name,
      email,
      url,
      password,
      breach_date,
      first_seen,
      last_seen,
      impact,
      recommendations,
      description,
      source,
      ProductName,
      ProviderName
  ) by uid
  | sort by TimeGenerated desc  
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CustomerAccountsLeaksRule.yaml
suppressionEnabled: true
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ebd1bf8d-aa18-4e66-9cad-555b71a290f1')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ebd1bf8d-aa18-4e66-9cad-555b71a290f1')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{description}}",
          "alertDisplayNameFormat": "Customer Leak - {{user_name}} - {{email}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "ProviderName",
              "value": "ProviderName"
            }
          ]
        },
        "alertRuleTemplateName": "ebd1bf8d-aa18-4e66-9cad-555b71a290f1",
        "customDetails": {
          "BreachDate": "breach_date",
          "Description": "description",
          "FirstSeen": "first_seen",
          "Impact": "impact",
          "LastSeen": "last_seen",
          "Recommendations": "recommendations",
          "Source": "source",
          "TimeGenerated": "TimeGenerated",
          "UID": "uid"
        },
        "description": "\"Detects recent leaks of customer account credentials based on CYFIRMA's threat intelligence.\n  This rule surfaces the latest credential exposures, including email, username, and breach metadata.\n  It enables security teams to quickly identify and investigate leaked customer data from third-party breaches, dark web listings, or public repositories.\"\n",
        "displayName": "CYFIRMA - Customer Accounts Leaks Detection Rule",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "user_name",
                "identifier": "Name"
              },
              {
                "columnName": "email",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "url",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CustomerAccountsLeaksRule.yaml",
        "query": "// Customer Accounts Leaks - Latest per UID\nlet timeFrame = 5m;\nCyfirmaCompromisedAccounts_CL\n| where TimeGenerated between (ago(timeFrame) .. now())\n    and Category has \"Customer Accounts Leaks\"\n| extend \n    ProviderName = 'CYFIRMA',\n    ProductName = 'DeCYFIR/DeTCT'\n| summarize arg_max(TimeGenerated, \n    user_name,\n    email,\n    url,\n    password,\n    breach_date,\n    first_seen,\n    last_seen,\n    impact,\n    recommendations,\n    description,\n    source,\n    ProductName,\n    ProviderName\n) by uid\n| sort by TimeGenerated desc\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT6H",
        "suppressionEnabled": true,
        "tactics": [
          "CredentialAccess",
          "InitialAccess"
        ],
        "techniques": [
          "T1078",
          "T1552"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}