CybleVision Alerts Stealer Logs

Back


Id	e0bf55c2-35ef-47ab-8846-5087618ae805
Rulename	CybleVision Alerts Stealer Logs
Description	Detects credential theft and information-stealer malware logs. Extracts stolen credentials, URLs, device info, IPs, domains, and metadata using the Alerts_StealerLogs parser.
Severity	Low
Tactics	CredentialAccess Collection Exfiltration Reconnaissance InitialAccess
Techniques	T1555 T1005 T1041 T1589 T1189
Required data connectors	CybleVisionAlerts
Kind	Scheduled
Query frequency	30m
Query period	30m
Trigger threshold	0
Trigger operator	GreaterThan
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Stealer_Logs.yaml
Version	1.0.0
Arm template	e0bf55c2-35ef-47ab-8846-5087618ae805.json

KQL

Alerts_stealer_logs 
| where Service == "stealer_logs" 
| extend MappedSeverity = Severity

YAML

eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: SL_MainUsername
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: SL_MainURL
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SL_IP
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: SL_Domain
requiredDataConnectors:
- dataTypes:
  - CybleVisionAlerts_CL
  connectorId: CybleVisionAlerts
subTechniques: []
enabled: true
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: PT5H
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Stealer_Logs.yaml
name: CybleVision Alerts Stealer Logs
alertDetailsOverride:
  alertDisplayNameFormat: CybleVision Stealer Log Credential Exposure {{SL_MainUsername}}
  alertDynamicProperties: []
  alertDescriptionFormat: |
        Stolen credentials detected in stealer logs. Malware Family {{SL_MalwareFamily}} URL {{SL_MainURL}} IP {{SL_IP}}
relevantTechniques:
- T1555
- T1005
- T1041
- T1589
- T1189
status: Available
version: 1.0.0
queryPeriod: 30m
customDetails:
  Domain: SL_Domain
  MappedSeverity: Severity
  ContentURL: SL_URL_Content
  Password: SL_Password
  FileModified: SL_FileModified
  FileName: SL_FileName
  ContentUsername: SL_Username_Content
  IP: SL_IP
  FileCreated: SL_FileCreated
  FileSize: SL_FileSize
  Status: Status
  App: SL_App
  HWID: SL_HWID
  AlertID: AlertID
  CompromisedDate: SL_CompromiseDate
  Country: SL_Country
  MalwareFamily: SL_MalwareFamily
  Service: Service
  Tags: SL_Tags
kind: Scheduled
id: e0bf55c2-35ef-47ab-8846-5087618ae805
query: |
  Alerts_stealer_logs 
  | where Service == "stealer_logs" 
  | extend MappedSeverity = Severity  
description: |
    'Detects credential theft and information-stealer malware logs. Extracts stolen credentials, URLs, device info, IPs, domains, and metadata using the Alerts_StealerLogs parser.'
queryFrequency: 30m
suppressionDuration: PT5H
triggerOperator: GreaterThan
tactics:
- CredentialAccess
- Collection
- Exfiltration
- Reconnaissance
- InitialAccess
severity: Low

ARM