Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cyble Vision Alerts Compromised Endpoint Cookies

Cyble Vision Alerts Compromised Endpoint Cookies

Back
Id33B07EAA-F451-4C38-AC9F-8AF3F7E99F0E
RulenameCyble Vision Alerts Compromised Endpoint Cookies
DescriptionDetects compromised browser cookies associated with monitored entities. Identifies exposed authentication cookies with future expiry, enabling potential session hijacking or persistent unauthorized access.
SeverityLow
TacticsCredentialAccess
DefenseEvasion
TechniquesT1539
T1550
Required data connectorsCybleVisionAlerts
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Compromised_Endpoints_Cookies.yaml
Version1.0.0
Arm template33B07EAA-F451-4C38-AC9F-8AF3F7E99F0E.json
Deploy To Azure
Alerts_compromised_endpoints_cookies
| where Service == "compromised_endpoints_cookies"
| extend MappedSeverity = Severity

customDetails:
  CookieEmail: CEC_Email
  CookieSessionID: CEC_SessionID
  CookieDomain: CEC_EmailDomain
  CookieURL: CEC_URL
  MappedSeverity: Severity
  AlertID: AlertID
  CookieExpiry: CEC_Expiry
  Service: Service
  Status: Status
id: 33B07EAA-F451-4C38-AC9F-8AF3F7E99F0E
name: Cyble Vision Alerts Compromised Endpoint Cookies
queryPeriod: 30m
requiredDataConnectors:
- connectorId: CybleVisionAlerts
  dataTypes:
  - CybleVisionAlerts_CL
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    reopenClosedIncident: false
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Compromised_Endpoints_Cookies.yaml
query: |
  Alerts_compromised_endpoints_cookies
  | where Service == "compromised_endpoints_cookies"
  | extend MappedSeverity = Severity  
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques:
- T1539
- T1550
suppressionDuration: PT1H
entityMappings:
- entityType: Url
  fieldMappings:
  - identifier: Url
    columnName: CEC_URL
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: CEC_Email
enabled: true
severity: Low
kind: Scheduled
triggerThreshold: 0
triggerOperator: GreaterThan
tactics:
- CredentialAccess
- DefenseEvasion
status: Available
queryfrequency: 30m
alertDetailsOverride:
  alertDisplayNameFormat: Compromised Session Cookie {{CEC_Email}} {{CEC_URL}}
  alertDescriptionFormat: |
        A compromised browser session cookie associated with {{CEC_EmailDomain}} was detected for service {{CEC_URL}}. The cookie has not expired and may allow session hijacking. Session ID {{CEC_SessionID}}.
description: |
    'Detects compromised browser cookies associated with monitored entities. Identifies exposed authentication cookies with future expiry, enabling potential session hijacking or persistent unauthorized access.'