What Changed

Fixed alert display format in the SuspiciousAccessOfBECRelatedDocuments analytic rule to reference the correct variable name CountOfDocs instead of the undefined number_of_files_accessed variable.

Detection Logic

  • Primary data source: imFileEvent (ASIM File Events schema)
  • Core logic: Detects users with suspicious spikes in BEC-related document access (invoices, payments) compared to 14-day baseline
  • Entity types mapped: Account, IP, File, CloudApplication
  • Alert format: Now correctly displays actual count of documents accessed in alert title and description
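As an added illustration (not the rule from this PR or the solution's own YAML, which is not in the diff context), the fragment below shows why the fix matters: a Sentinel `alertDetailsOverride` placeholder such as `{{CountOfDocs}}` only renders when the query projects a column of exactly that name, so a placeholder for an undefined `number_of_files_accessed` column would leave the alert title and description with an empty value. The query itself is a constructed sketch of the pattern the bullets describe (ASIM `imFileEvent`, BEC-themed document names, a 14-day baseline); the keyword list, the spike threshold, the placeholder `id`, and the choice of ASIM fields are assumptions, not taken from the repository.

```yaml
# Constructed example analytic rule; assumptions are marked inline.
id: 00000000-0000-0000-0000-000000000000   # placeholder, not a real rule id
name: Suspicious access of BEC-related documents (example)
severity: Medium
queryFrequency: 1d
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Collection
query: |
  let lookback = 14d;
  let baselineEnd = ago(1d);
  // Assumed keyword list for BEC-themed documents (invoices, payments)
  let becKeywords = dynamic(["invoice", "payment", "wire", "remittance"]);
  let events = imFileEvent
    | where TimeGenerated > ago(lookback)
    | where EventType == "FileAccessed"
    | where TargetFileName has_any (becKeywords);
  // Per-user daily baseline from the previous 13 days
  let baseline = events
    | where TimeGenerated < baselineEnd
    | summarize DailyDocs = dcount(TargetFilePath) by ActorUsername, bin(TimeGenerated, 1d)
    | summarize AvgDailyDocs = avg(DailyDocs), StdDailyDocs = stdev(DailyDocs) by ActorUsername;
  // Last day versus baseline; CountOfDocs is the column the alert format refers to
  events
  | where TimeGenerated >= baselineEnd
  | summarize CountOfDocs = dcount(TargetFilePath),
              SampleFilePath = take_any(TargetFilePath),
              SrcIpAddr = take_any(SrcIpAddr),
              TargetAppName = take_any(TargetAppName) by ActorUsername
  | join kind=inner baseline on ActorUsername
  // Assumed spike rule: three standard deviations above the mean and at least five documents
  | where CountOfDocs > AvgDailyDocs + 3 * coalesce(StdDailyDocs, 0.0) and CountOfDocs >= 5
  | project ActorUsername, CountOfDocs, AvgDailyDocs, SampleFilePath, SrcIpAddr, TargetAppName
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: ActorUsername
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
  - entityType: File
    fieldMappings:
      - identifier: Name
        columnName: SampleFilePath
  - entityType: CloudApplication
    fieldMappings:
      - identifier: Name
        columnName: TargetAppName
alertDetailsOverride:
  # Each {{placeholder}} must match a projected column; {{number_of_files_accessed}}
  # matches nothing above and would render as an empty value in the alert.
  alertDisplayNameFormat: "{{ActorUsername}} accessed {{CountOfDocs}} BEC-related documents"
  alertDescriptionFormat: "{{CountOfDocs}} BEC-related documents accessed in the last day against a daily baseline of {{AvgDailyDocs}}."
```

A quick check when reviewing a change like this one is to list every `{{...}}` token in `alertDetailsOverride` (and in `customDetails`) and confirm each appears in the query's final `project` or `summarize` output; a mismatch does not fail rule validation, it only shows up as a blank title at triage time.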

MITRE Mapping

KQL logic unavailable — YAML not included in diff context.

Affected Files

Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/SuspiciousAccessOfBECRelatedDocuments.yaml
(packaging artefacts: Solution_Business Email Compromise - Financial Fraud.json, 3.0.10.zip, createUiDefinition.json, mainTemplate.json, ReleaseNotes.md)