diff --git a/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/BEC_MailboxRule.yaml b/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/BEC_MailboxRule.yaml
index 3abef7dcc9a..915537c4302 100644
--- a/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/BEC_MailboxRule.yaml
+++ b/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/BEC_MailboxRule.yaml
@@ -21,7 +21,7 @@ relevantTechniques:
 tags:
 - BEC
 query: |
- let BEC_Keywords = dynamic(['invoice','invoices','payment','payroll','paycheck','transfer','bank statement','bank details','wire','closing','funds','bank account','account details','iban','ACH','remit','remittance','purchase','deposit','pro-forma','bank',"platnosc","PO#","Zahlung","Rechnung","Paiement", "virement bancaire","Bankuberweisung","virement","hacked","phishing","payrollhelpdesk","direct deposit", "doc"]);
+ let BEC_Keywords = dynamic([ 'invoice','payment','paycheck','transfer','bank statement','bank details','closing','funds','bank account','account details','remittance','purchase','deposit',"PO#","Zahlung","Rechnung","Paiement", "virement bancaire","Bankuberweisung",'hacked','phishing']);
 OfficeActivity
 | where Operation =~ "New-InboxRule"
 | where Parameters has "Deleted Items" or Parameters has "Junk Email" or Parameters has "DeleteMessage"
@@ -48,5 +48,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: ClientIPAddress
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/SuspiciousAccessOfBECRelatedDocuments.yaml b/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/SuspiciousAccessOfBECRelatedDocuments.yaml
index 6a5973e9113..b66382311fd 100644
--- a/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/SuspiciousAccessOfBECRelatedDocuments.yaml
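Review bot: The trimmed `BEC_Keywords` literal on the added line drops 'payroll', 'wire', 'iban', 'ACH' and 'direct deposit' — the core vocabulary of payroll-diversion and wire-fraud BEC — while keeping broad words such as 'transfer', 'closing' and 'purchase', so an inbox rule created to hide replies about a changed direct-deposit account or a pending wire no longer matches. If the aim is to cut false positives from generic substrings like 'bank', 'doc' and 'wire', I would keep the specific, low-noise terms, e.g. `'payroll','direct deposit','iban','ACH'`, and remove only the generic ones. The list also carries no explanation of the pruning; a line such as `// Keywords checked against the new inbox rule's parameters; any change here must be mirrored in the two SuspiciousAccessOfBECRelatedDocuments rules` would help the next person tuning it. The statements that actually apply `BEC_Keywords` to the rule parameters lie outside this hunk, so I have not checked whether the match is whole-term (`has_any`) or substring.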
+++ b/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/SuspiciousAccessOfBECRelatedDocuments.yaml
@@ -16,7 +16,7 @@ relevantTechniques:
 eventGroupingSettings:
 aggregationKind: SingleAlert
 query: |
- let BEC_Keywords = dynamic(['invoice','invoices','payment','payroll','paycheck','transfer','bank statement','bank details','wire','closing','funds','bank account','account details','iban','ACH','remit','remittance','purchase','deposit','pro-forma','bank',"platnosc","PO#","Zahlung","Rechnung","Paiement", "virement bancaire","Bankuberweisung","virement","hacked","phishing","payrollhelpdesk","direct deposit", "doc"]);
+ let BEC_Keywords = dynamic([ 'invoice','payment','paycheck','transfer','bank statement','bank details','closing','funds','bank account','account details','remittance','purchase','deposit',"PO#","Zahlung","Rechnung","Paiement", "virement bancaire","Bankuberweisung",'hacked','phishing']);
 // Adjust this threshold based on your environment
 let sensitivity = 2.5;
 let Events = materialize(imFileEvent
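Review bot: The added `BEC_Keywords` line is now a byte-for-byte copy of the list in BEC_MailboxRule.yaml and in the AWS S3 rule, so the three rules will drift apart the next time any one of them is tuned — the previous revision of the S3 rule had already diverged by lacking "doc". Consider sourcing the list once from a Sentinel watchlist, e.g. `let BEC_Keywords = toscalar(_GetWatchlist('BEC_Keywords') | summarize make_list(SearchKey));`, or at minimum add a comment naming the sibling rules so a tuner updates all three together. As written, the literal also has a stray space after `[` and mixes single- and double-quoted strings inside one array; normalising to single quotes would make future diffs of this list easier to review. The `sensitivity` and `materialize(imFileEvent` context lines are unchanged, and the clause that consumes the list is outside this hunk.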
@@ -70,5 +70,5 @@ alertDetailsOverride:
 alertDescriptionFormat: |
 This query looks for users (in this case {{User}}) with suspicious spikes in the number of files accessed (in this case {{number_of_files_accessed}} events) that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access to files in storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. This query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities. This query uses the imFileEvent schema from ASIM, you will first need to ensure you have ASIM deployed in your environment. Ref https://learn.microsoft.com/azure/sentinel/normalization-about-parsers
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/SuspiciousAccessOfBECRelatedDocumentsInAWSS3Buckets.yaml b/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/SuspiciousAccessOfBECRelatedDocumentsInAWSS3Buckets.yaml
index 6eb01a318ea..001069c6a8c 100644
--- a/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/SuspiciousAccessOfBECRelatedDocumentsInAWSS3Buckets.yaml
+++ b/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/SuspiciousAccessOfBECRelatedDocumentsInAWSS3Buckets.yaml
@@ -19,7 +19,7 @@ relevantTechniques:
 eventGroupingSettings:
 aggregationKind: SingleAlert
 query: |
- let BEC_Keywords = dynamic(['invoice','invoices','payment','payroll','paycheck','transfer','bank statement','bank details','wire','closing','funds','bank account','account details','iban','ACH','remit','remittance','purchase','deposit','pro-forma','bank',"platnosc","PO#","Zahlung","Rechnung","Paiement", "virement bancaire","Bankuberweisung","virement","hacked","phishing","payrollhelpdesk","direct deposit"]);
+ let BEC_Keywords = dynamic([ 'invoice','payment','paycheck','transfer','bank statement','bank details','closing','funds','bank account','account details','remittance','purchase','deposit',"PO#","Zahlung","Rechnung","Paiement", "virement bancaire","Bankuberweisung",'hacked','phishing']);
 // Adjust this threshold based on your environment
 let sensitivity = 2.5;
 let Events = materialize(AWSCloudTrail
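Review bot: The new list removes the plural 'invoices' and keeps only 'invoice', which is a behaviour change rather than a no-op if the match applied to the S3 object key further down uses a term operator such as `has_any`: KQL term matching treats "Invoices" and "invoice" as distinct terms, so a key like `Invoices_Q3.xlsx` would stop matching, whereas a `contains`-style substring match would be unaffected. That consuming `where` clause is outside this hunk, so please confirm which operator is used; if it is `has_any`, either keep `'invoices'` (and consider `'payments'`) or move to substring matching with a note on the extra noise. A one-line comment above the literal recording whether the list is matched as whole terms or substrings would prevent this kind of silent regression in later tuning passes. The `sensitivity` threshold and the `materialize(AWSCloudTrail` line are unchanged context.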
@@ -61,5 +61,5 @@ alertDetailsOverride:
 alertDescriptionFormat: |
 This query looks for users (in this case {{UserIdentityUserName}}) with suspicious spikes in the number of files accessed (in this case {{CountOfDocs}})that relate to topics commonly accessed as part of Business Email Compromise (BEC) attacks. The query looks for access to files in AWS S3 storage that relate to topics such as invoices or payments, and then looks for users accessing these files in significantly higher numbers than in the previous 14 days. Incidents raised by this analytic should be investigated to see if the user accessing these files should be accessing them, and if the volume they accessed them at was related to a legitimate business need. This query contains thresholds to reduce the chance of false positives, these can be adjusted to suit individual environments. In addition false positives could be generated by legitimate, scheduled actions that occur less often than every 14 days, additional exclusions can be added for these actions on username or IP address entities.
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled