CybleVision Alerts Stealer Logs
| Id | e0bf55c2-35ef-47ab-8846-5087618ae805 |
| Rulename | CybleVision Alerts Stealer Logs |
| Description | Detects credential theft and information-stealer malware logs. Extracts stolen credentials, URLs, device info, IPs, domains, and metadata using the Alerts_StealerLogs parser. |
| Severity | Low |
| Tactics | CredentialAccess Collection Exfiltration Reconnaissance InitialAccess |
| Techniques | T1555 T1005 T1041 T1589 T1189 |
| Required data connectors | CybleVisionAlerts |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Stealer_Logs.yaml |
| Version | 1.0.0 |
| Arm template | e0bf55c2-35ef-47ab-8846-5087618ae805.json |
Alerts_stealer_logs
| where Service == "stealer_logs"
| extend MappedSeverity = Severity
queryPeriod: 30m
relevantTechniques:
- T1555
- T1005
- T1041
- T1589
- T1189
version: 1.0.0
query: |
Alerts_stealer_logs
| where Service == "stealer_logs"
| extend MappedSeverity = Severity
triggerThreshold: 0
tactics:
- CredentialAccess
- Collection
- Exfiltration
- Reconnaissance
- InitialAccess
id: e0bf55c2-35ef-47ab-8846-5087618ae805
triggerOperator: GreaterThan
enabled: true
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride:
alertDisplayNameFormat: CybleVision Stealer Log Credential Exposure {{SL_MainUsername}}
alertDynamicProperties: []
alertDescriptionFormat: |
Stolen credentials detected in stealer logs. Malware Family {{SL_MalwareFamily}} URL {{SL_MainURL}} IP {{SL_IP}}
queryFrequency: 30m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Stealer_Logs.yaml
incidentConfiguration:
groupingConfiguration:
enabled: false
matchingMethod: AllEntities
lookbackDuration: PT5H
reopenClosedIncident: false
createIncident: true
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: SL_MainUsername
- entityType: URL
fieldMappings:
- identifier: Url
columnName: SL_MainURL
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SL_IP
- entityType: DNS
fieldMappings:
- identifier: DomainName
columnName: SL_Domain
suppressionDuration: PT5H
customDetails:
HWID: SL_HWID
Service: Service
MalwareFamily: SL_MalwareFamily
IP: SL_IP
ContentUsername: SL_Username_Content
AlertID: AlertID
App: SL_App
FileSize: SL_FileSize
FileName: SL_FileName
Domain: SL_Domain
Password: SL_Password
CompromisedDate: SL_CompromiseDate
MappedSeverity: Severity
Tags: SL_Tags
Status: Status
FileModified: SL_FileModified
FileCreated: SL_FileCreated
Country: SL_Country
ContentURL: SL_URL_Content
status: Available
subTechniques: []
kind: Scheduled
name: CybleVision Alerts Stealer Logs
severity: Low
requiredDataConnectors:
- dataTypes:
- CybleVisionAlerts_CL
connectorId: CybleVisionAlerts
description: |
'Detects credential theft and information-stealer malware logs. Extracts stolen credentials, URLs, device info, IPs, domains, and metadata using the Alerts_StealerLogs parser.'