CybleVision Alerts Stealer Logs
| Id | e0bf55c2-35ef-47ab-8846-5087618ae805 |
| Rulename | CybleVision Alerts Stealer Logs |
| Description | Detects credential theft and information-stealer malware logs. Extracts stolen credentials, URLs, device info, IPs, domains, and metadata using the Alerts_StealerLogs parser. |
| Severity | Low |
| Tactics | CredentialAccess Collection Exfiltration Reconnaissance InitialAccess |
| Techniques | T1555 T1005 T1041 T1589 T1189 |
| Required data connectors | CybleVisionAlerts |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Stealer_Logs.yaml |
| Version | 1.0.0 |
| Arm template | e0bf55c2-35ef-47ab-8846-5087618ae805.json |
Alerts_stealer_logs
| where Service == "stealer_logs"
| extend MappedSeverity = Severity
triggerOperator: GreaterThan
incidentConfiguration:
groupingConfiguration:
matchingMethod: AllEntities
enabled: false
reopenClosedIncident: false
lookbackDuration: PT5H
createIncident: true
requiredDataConnectors:
- connectorId: CybleVisionAlerts
dataTypes:
- CybleVisionAlerts_CL
relevantTechniques:
- T1555
- T1005
- T1041
- T1589
- T1189
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: SL_MainUsername
- entityType: URL
fieldMappings:
- identifier: Url
columnName: SL_MainURL
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SL_IP
- entityType: DNS
fieldMappings:
- identifier: DomainName
columnName: SL_Domain
query: |
Alerts_stealer_logs
| where Service == "stealer_logs"
| extend MappedSeverity = Severity
triggerThreshold: 0
customDetails:
FileName: SL_FileName
ContentURL: SL_URL_Content
HWID: SL_HWID
Password: SL_Password
CompromisedDate: SL_CompromiseDate
IP: SL_IP
Country: SL_Country
ContentUsername: SL_Username_Content
MalwareFamily: SL_MalwareFamily
FileCreated: SL_FileCreated
MappedSeverity: Severity
Service: Service
Status: Status
Domain: SL_Domain
Tags: SL_Tags
App: SL_App
FileModified: SL_FileModified
FileSize: SL_FileSize
AlertID: AlertID
alertDetailsOverride:
alertDynamicProperties: []
alertDisplayNameFormat: CybleVision Stealer Log Credential Exposure {{SL_MainUsername}}
alertDescriptionFormat: |
Stolen credentials detected in stealer logs. Malware Family {{SL_MalwareFamily}} URL {{SL_MainURL}} IP {{SL_IP}}
subTechniques: []
queryPeriod: 30m
tactics:
- CredentialAccess
- Collection
- Exfiltration
- Reconnaissance
- InitialAccess
name: CybleVision Alerts Stealer Logs
description: |
'Detects credential theft and information-stealer malware logs. Extracts stolen credentials, URLs, device info, IPs, domains, and metadata using the Alerts_StealerLogs parser.'
kind: Scheduled
enabled: true
id: e0bf55c2-35ef-47ab-8846-5087618ae805
version: 1.0.0
eventGroupingSettings:
aggregationKind: AlertPerResult
queryFrequency: 30m
severity: Low
status: Available
suppressionDuration: PT5H
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Stealer_Logs.yaml