Cyble Vision Alerts Compromised Files

Alerts_compromised_files  
| where Service == "compromised_files" 
| extend MappedSeverity = Severity

customDetails:
  Status: Status
  CF_Filename: CF_Filename
  Service: Service
  CF_LogObjPath: CF_LogObjPath
  CF_PrimaryEmail: CF_PrimaryEmail
  MappedSeverity: Severity
  AlertID: AlertID
  CF_FileObjPath: CF_FileObjPath
severity: Low
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Compromised_Files.yaml
query: |
  Alerts_compromised_files  
  | where Service == "compromised_files" 
  | extend MappedSeverity = Severity  
requiredDataConnectors:
- dataTypes:
  - CybleVisionAlerts_CL
  connectorId: CybleVisionAlerts
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
  createIncident: true
relevantTechniques:
- T1552
- T1041
kind: Scheduled
name: Cyble Vision Alerts Compromised Files
tactics:
- CredentialAccess
- Exfiltration
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: CF_PrimaryEmail
  entityType: Account
enabled: true
queryfrequency: 30m
description: |
    'Detects compromised files containing credential or logon data (stealer logs) related to monitored entities. Uses Alerts_compromised_files parser to expose file paths, log objects, and extracted email identifiers.'
alertDetailsOverride:
  alertDisplayNameFormat: Compromised Credentials File {{CF_Filename}}
  alertDescriptionFormat: |
        A compromised file containing potential credential or logon data was discovered. Relative path {{CF_RelativePath}}. Log object path {{CF_LogObjPath}}. Primary email (if found) {{CF_PrimaryEmail}}.
triggerThreshold: 0
triggerOperator: GreaterThan
version: 1.0.0
queryPeriod: 30m
id: 0f6a8287-09ee-4f82-b8c3-e35c4ac6212e