CybleVision Alerts Mobile Apps

Back


Id	6d55fefc-b334-4b79-b11c-667746b5bdde
Rulename	CybleVision Alerts Mobile Apps
Description	Detects suspicious, unauthorized or impersonating mobile applications from 3rd-party marketplaces using CybleVision data. Extracts metadata, screenshots, developer, package name, and detailed app attributes.
Severity	Low
Tactics	Reconnaissance ResourceDevelopment InitialAccess
Techniques	T1595 T1608 T1195
Required data connectors	CybleVisionAlerts
Kind	Scheduled
Query frequency	30m
Query period	30m
Trigger threshold	0
Trigger operator	GreaterThan
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Mobile_Apps.yaml
Version	1.0.0
Arm template	6d55fefc-b334-4b79-b11c-667746b5bdde.json

KQL

Alerts_mobile_apps 
| where Service == "mobile_apps" 
| extend MappedSeverity = Severity

YAML

id: 6d55fefc-b334-4b79-b11c-667746b5bdde
enabled: true
relevantTechniques:
- T1595
- T1608
- T1195
suppressionDuration: PT5H
query: |
  Alerts_mobile_apps 
  | where Service == "mobile_apps" 
  | extend MappedSeverity = Severity  
entityMappings:
- fieldMappings:
  - identifier: Url
    columnName: MA_DeepLink
  entityType: URL
- fieldMappings:
  - identifier: DomainName
    columnName: Domain
  entityType: DNS
eventGroupingSettings:
  aggregationKind: AlertPerResult
requiredDataConnectors:
- dataTypes:
  - CybleVisionAlerts_CL
  connectorId: CybleVisionAlerts
triggerOperator: GreaterThan
queryFrequency: 30m
queryPeriod: 30m
status: Available
incidentConfiguration:
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
  createIncident: true
subTechniques: []
name: CybleVision Alerts Mobile Apps
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Mobile_Apps.yaml
description: |
    'Detects suspicious, unauthorized or impersonating mobile applications from 3rd-party marketplaces using CybleVision data. Extracts metadata, screenshots, developer, package name, and detailed app attributes.'
severity: Low
tactics:
- Reconnaissance
- ResourceDevelopment
- InitialAccess
triggerThreshold: 0
version: 1.0.0
alertDetailsOverride:
  alertDynamicProperties: []
  alertDisplayNameFormat: CybleVision Suspicious Mobile App {{MA_Title}}
  alertDescriptionFormat: |
        A potentially suspicious mobile application was detected. Developer {{MA_Developer}} Market {{MA_MarketSource}} Deep Link {{MA_DeepLink}}\n
customDetails:
  Screenshots: MA_Screenshots
  AppEmail: MA_Email
  Tags: MA_Tags
  Downloads: MA_Downloads
  AppName: AppName
  Status: Status
  MarketSource: MA_MarketSource
  Version: MA_Version
  MarketStatus: MA_MarketStatus
  MappedSeverity: Severity
  IconURL: MA_MarketURL
  MarketURL: MA_MarketURL
  Service: Service
  AlertID: AlertID
  PackageName: MA_PackageName
  MarketUpdated: MA_MarketUpdated
  CreatedOn: MA_Created
  Description: MA_Description
  Website: MA_Website
  Developer: MA_Developer

ARM