Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. CybleVision Alerts Mobile Apps

CybleVision Alerts Mobile Apps

Back
Id6d55fefc-b334-4b79-b11c-667746b5bdde
RulenameCybleVision Alerts Mobile Apps
DescriptionDetects suspicious, unauthorized or impersonating mobile applications from 3rd-party marketplaces using CybleVision data. Extracts metadata, screenshots, developer, package name, and detailed app attributes.
SeverityLow
TacticsReconnaissance
ResourceDevelopment
InitialAccess
TechniquesT1595
T1608
T1195
Required data connectorsCybleVisionAlerts
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Mobile_Apps.yaml
Version1.0.0
Arm template6d55fefc-b334-4b79-b11c-667746b5bdde.json
Deploy To Azure
Alerts_mobile_apps 
| where Service == "mobile_apps" 
| extend MappedSeverity = Severity

queryPeriod: 30m
severity: Low
description: |
    'Detects suspicious, unauthorized or impersonating mobile applications from 3rd-party marketplaces using CybleVision data. Extracts metadata, screenshots, developer, package name, and detailed app attributes.'
subTechniques: []
entityMappings:
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: MA_DeepLink
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: Domain
triggerOperator: GreaterThan
status: Available
tactics:
- Reconnaissance
- ResourceDevelopment
- InitialAccess
relevantTechniques:
- T1595
- T1608
- T1195
id: 6d55fefc-b334-4b79-b11c-667746b5bdde
triggerThreshold: 0
suppressionDuration: PT5H
queryFrequency: 30m
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
    enabled: false
  createIncident: true
enabled: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Mobile_Apps.yaml
query: |
  Alerts_mobile_apps 
  | where Service == "mobile_apps" 
  | extend MappedSeverity = Severity  
version: 1.0.0
customDetails:
  MarketURL: MA_MarketURL
  AlertID: AlertID
  Description: MA_Description
  Status: Status
  MarketUpdated: MA_MarketUpdated
  Developer: MA_Developer
  AppName: AppName
  PackageName: MA_PackageName
  AppEmail: MA_Email
  MappedSeverity: Severity
  CreatedOn: MA_Created
  Website: MA_Website
  IconURL: MA_MarketURL
  Downloads: MA_Downloads
  Tags: MA_Tags
  Screenshots: MA_Screenshots
  MarketStatus: MA_MarketStatus
  Version: MA_Version
  MarketSource: MA_MarketSource
  Service: Service
requiredDataConnectors:
- dataTypes:
  - CybleVisionAlerts_CL
  connectorId: CybleVisionAlerts
alertDetailsOverride:
  alertDynamicProperties: []
  alertDisplayNameFormat: CybleVision Suspicious Mobile App {{MA_Title}}
  alertDescriptionFormat: |
        A potentially suspicious mobile application was detected. Developer {{MA_Developer}} Market {{MA_MarketSource}} Deep Link {{MA_DeepLink}}\n
eventGroupingSettings:
  aggregationKind: AlertPerResult
name: CybleVision Alerts Mobile Apps
kind: Scheduled