Cyble Vision Alerts Compromised Files

Alerts_compromised_files  
| where Service == "compromised_files" 
| extend MappedSeverity = Severity

name: Cyble Vision Alerts Compromised Files
alertDetailsOverride:
  alertDisplayNameFormat: Compromised Credentials File {{CF_Filename}}
  alertDescriptionFormat: |
        A compromised file containing potential credential or logon data was discovered. Relative path {{CF_RelativePath}}. Log object path {{CF_LogObjPath}}. Primary email (if found) {{CF_PrimaryEmail}}.
id: 0f6a8287-09ee-4f82-b8c3-e35c4ac6212e
enabled: true
entityMappings:
- fieldMappings:
  - columnName: CF_PrimaryEmail
    identifier: FullName
  entityType: Account
version: 1.0.0
triggerOperator: GreaterThan
query: |
  Alerts_compromised_files  
  | where Service == "compromised_files" 
  | extend MappedSeverity = Severity  
description: |
    'Detects compromised files containing credential or logon data (stealer logs) related to monitored entities. Uses Alerts_compromised_files parser to expose file paths, log objects, and extracted email identifiers.'
kind: Scheduled
queryfrequency: 30m
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Compromised_Files.yaml
severity: Low
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: PT5H
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: false
queryPeriod: 30m
requiredDataConnectors:
- dataTypes:
  - CybleVisionAlerts_CL
  connectorId: CybleVisionAlerts
status: Available
customDetails:
  AlertID: AlertID
  Service: Service
  CF_PrimaryEmail: CF_PrimaryEmail
  CF_LogObjPath: CF_LogObjPath
  CF_Filename: CF_Filename
  CF_FileObjPath: CF_FileObjPath
  Status: Status
  MappedSeverity: Severity
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1552
- T1041
tactics:
- CredentialAccess
- Exfiltration