Microsoft Sentinel Analytic Rules

CybleVision Alerts Stealer Logs

Id: e0bf55c2-35ef-47ab-8846-5087618ae805
Rulename: CybleVision Alerts Stealer Logs
Description: Detects credential theft and information-stealer malware logs. Extracts stolen credentials, URLs, device info, IPs, domains, and metadata using the Alerts_StealerLogs parser.
Severity: Low
Tactics: CredentialAccess, Collection, Exfiltration, Reconnaissance, InitialAccess
Techniques: T1555, T1005, T1041, T1589, T1189
Required data connectors: CybleVisionAlerts
Kind: Scheduled
Query frequency: 30m
Query period: 30m
Trigger threshold: 0
Trigger operator: GreaterThan
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Stealer_Logs.yaml
Version: 1.0.0
Arm template: e0bf55c2-35ef-47ab-8846-5087618ae805.json
Alerts_stealer_logs 
| where Service == "stealer_logs" 
| extend MappedSeverity = Severity
eventGroupingSettings:
  aggregationKind: AlertPerResult
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Stealer_Logs.yaml
query: |
  Alerts_stealer_logs 
  | where Service == "stealer_logs" 
  | extend MappedSeverity = Severity  
enabled: true
version: 1.0.0
queryFrequency: 30m
id: e0bf55c2-35ef-47ab-8846-5087618ae805
requiredDataConnectors:
- dataTypes:
  - CybleVisionAlerts_CL
  connectorId: CybleVisionAlerts
name: CybleVision Alerts Stealer Logs
description: |
    'Detects credential theft and information-stealer malware logs. Extracts stolen credentials, URLs, device info, IPs, domains, and metadata using the Alerts_StealerLogs parser.'
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    enabled: false
    reopenClosedIncident: false
  createIncident: true
triggerOperator: GreaterThan
suppressionDuration: PT5H
queryPeriod: 30m
alertDetailsOverride:
  alertDynamicProperties: []
  alertDescriptionFormat: |
        Stolen credentials detected in stealer logs. Malware Family {{SL_MalwareFamily}} URL {{SL_MainURL}} IP {{SL_IP}}
  alertDisplayNameFormat: CybleVision Stealer Log Credential Exposure {{SL_MainUsername}}
tactics:
- CredentialAccess
- Collection
- Exfiltration
- Reconnaissance
- InitialAccess
status: Available
severity: Low
relevantTechniques:
- T1555
- T1005
- T1041
- T1589
- T1189
subTechniques: []
customDetails:
  Tags: SL_Tags
  MalwareFamily: SL_MalwareFamily
  Service: Service
  MappedSeverity: Severity
  Password: SL_Password
  App: SL_App
  FileModified: SL_FileModified
  CompromisedDate: SL_CompromiseDate
  ContentUsername: SL_Username_Content
  FileCreated: SL_FileCreated
  FileSize: SL_FileSize
  Domain: SL_Domain
  Status: Status
  AlertID: AlertID
  ContentURL: SL_URL_Content
  FileName: SL_FileName
  IP: SL_IP
  HWID: SL_HWID
  Country: SL_Country
triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: SL_MainUsername
    identifier: Name
- entityType: URL
  fieldMappings:
  - columnName: SL_MainURL
    identifier: Url
- entityType: IP
  fieldMappings:
  - columnName: SL_IP
    identifier: Address
- entityType: DNS
  fieldMappings:
  - columnName: SL_Domain
    identifier: DomainName