CybleVision Alerts Mobile Apps

Back


Id	6d55fefc-b334-4b79-b11c-667746b5bdde
Rulename	CybleVision Alerts Mobile Apps
Description	Detects suspicious, unauthorized or impersonating mobile applications from 3rd-party marketplaces using CybleVision data. Extracts metadata, screenshots, developer, package name, and detailed app attributes.
Severity	Low
Tactics	Reconnaissance ResourceDevelopment InitialAccess
Techniques	T1595 T1608 T1195
Required data connectors	CybleVisionAlerts
Kind	Scheduled
Query frequency	30m
Query period	30m
Trigger threshold	0
Trigger operator	GreaterThan
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Mobile_Apps.yaml
Version	1.0.0
Arm template	6d55fefc-b334-4b79-b11c-667746b5bdde.json

KQL

Alerts_mobile_apps 
| where Service == "mobile_apps" 
| extend MappedSeverity = Severity

YAML

suppressionDuration: PT5H
name: CybleVision Alerts Mobile Apps
enabled: true
severity: Low
description: |
    'Detects suspicious, unauthorized or impersonating mobile applications from 3rd-party marketplaces using CybleVision data. Extracts metadata, screenshots, developer, package name, and detailed app attributes.'
subTechniques: []
customDetails:
  Tags: MA_Tags
  Developer: MA_Developer
  AppEmail: MA_Email
  Description: MA_Description
  MarketUpdated: MA_MarketUpdated
  IconURL: MA_MarketURL
  Downloads: MA_Downloads
  Version: MA_Version
  MarketStatus: MA_MarketStatus
  Service: Service
  Status: Status
  Screenshots: MA_Screenshots
  AppName: AppName
  CreatedOn: MA_Created
  PackageName: MA_PackageName
  MarketSource: MA_MarketSource
  MarketURL: MA_MarketURL
  AlertID: AlertID
  MappedSeverity: Severity
  Website: MA_Website
requiredDataConnectors:
- dataTypes:
  - CybleVisionAlerts_CL
  connectorId: CybleVisionAlerts
tactics:
- Reconnaissance
- ResourceDevelopment
- InitialAccess
relevantTechniques:
- T1595
- T1608
- T1195
entityMappings:
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: MA_DeepLink
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: Domain
triggerThreshold: 0
status: Available
queryPeriod: 30m
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
    enabled: false
  createIncident: true
version: 1.0.0
alertDetailsOverride:
  alertDescriptionFormat: |
        A potentially suspicious mobile application was detected. Developer {{MA_Developer}} Market {{MA_MarketSource}} Deep Link {{MA_DeepLink}}\n
  alertDisplayNameFormat: CybleVision Suspicious Mobile App {{MA_Title}}
  alertDynamicProperties: []
id: 6d55fefc-b334-4b79-b11c-667746b5bdde
query: |
  Alerts_mobile_apps 
  | where Service == "mobile_apps" 
  | extend MappedSeverity = Severity  
triggerOperator: GreaterThan
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 30m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Mobile_Apps.yaml
kind: Scheduled

ARM