# CYFIRMA - Customer Accounts Leaks Detection Rule

| Field | Value |
|---|---|
| Id | ebd1bf8d-aa18-4e66-9cad-555b71a290f1 |
| Rulename | CYFIRMA - Customer Accounts Leaks Detection Rule |
| Description | “Detects recent leaks of customer account credentials based on CYFIRMA’s threat intelligence. This rule surfaces the latest credential exposures, including email, username, and breach metadata. It enables security teams to quickly identify and investigate leaked customer data from third-party breaches, dark web listings, or public repositories.” |
| Severity | High |
| Tactics | CredentialAccess, InitialAccess |
| Techniques | T1552, T1078 |
| Required data connectors | CyfirmaCompromisedAccountsDataConnector |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CustomerAccountsLeaksRule.yaml |
| Version | 1.0.1 |
| Arm template | ebd1bf8d-aa18-4e66-9cad-555b71a290f1.json |
```kusto
// Customer Accounts Leaks - Latest per UID
let timeFrame = 5m;
CyfirmaCompromisedAccounts_CL
| where TimeGenerated between (ago(timeFrame) .. now())
    and Category has "Customer Accounts Leaks"
| extend
    ProviderName = 'CYFIRMA',
    ProductName = 'DeCYFIR/DeTCT'
| summarize arg_max(TimeGenerated,
    user_name,
    email,
    url,
    password,
    breach_date,
    first_seen,
    last_seen,
    impact,
    recommendations,
    description,
    source,
    ProductName,
    ProviderName
  ) by uid
| sort by TimeGenerated desc
```
```yaml
queryFrequency: 5m
entityMappings:
  - entityType: Account
    fieldMappings:
      - columnName: user_name
        identifier: Name
      - columnName: email
        identifier: UPNSuffix
  - entityType: URL
    fieldMappings:
      - columnName: url
        identifier: Url
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 1.0.1
id: ebd1bf8d-aa18-4e66-9cad-555b71a290f1
suppressionEnabled: true
severity: High
kind: Scheduled
suppressionDuration: 6h
description: |
  "Detects recent leaks of customer account credentials based on CYFIRMA's threat intelligence.
  This rule surfaces the latest credential exposures, including email, username, and breach metadata.
  It enables security teams to quickly identify and investigate leaked customer data from third-party breaches, dark web listings, or public repositories."
relevantTechniques:
  - T1552
  - T1078
requiredDataConnectors:
  - connectorId: CyfirmaCompromisedAccountsDataConnector
    dataTypes:
      - CyfirmaCompromisedAccounts_CL
triggerOperator: gt
name: CYFIRMA - Customer Accounts Leaks Detection Rule
tactics:
  - CredentialAccess
  - InitialAccess
alertDetailsOverride:
  alertDescriptionFormat: '{{description}}'
  alertDynamicProperties:
    - value: ProductName
      alertProperty: ProductName
    - value: ProviderName
      alertProperty: ProviderName
  alertDisplayNameFormat: Customer Leak - {{user_name}} - {{email}}
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyfirma Compromised Accounts/Analytic Rules/CustomerAccountsLeaksRule.yaml
triggerThreshold: 0
queryPeriod: 5m
query: |
  // Customer Accounts Leaks - Latest per UID
  let timeFrame = 5m;
  CyfirmaCompromisedAccounts_CL
  | where TimeGenerated between (ago(timeFrame) .. now())
      and Category has "Customer Accounts Leaks"
  | extend
      ProviderName = 'CYFIRMA',
      ProductName = 'DeCYFIR/DeTCT'
  | summarize arg_max(TimeGenerated,
      user_name,
      email,
      url,
      password,
      breach_date,
      first_seen,
      last_seen,
      impact,
      recommendations,
      description,
      source,
      ProductName,
      ProviderName
    ) by uid
  | sort by TimeGenerated desc
status: Available
customDetails:
  Description: description
  TimeGenerated: TimeGenerated
  Impact: impact
  Source: source
  FirstSeen: first_seen
  LastSeen: last_seen
  Recommendations: recommendations
  UID: uid
  BreachDate: breach_date
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities
```