CybleVision Alerts Stealer Logs
| Id | e0bf55c2-35ef-47ab-8846-5087618ae805 |
| Rulename | CybleVision Alerts Stealer Logs |
| Description | Detects credential theft and information-stealer malware logs. Extracts stolen credentials, URLs, device info, IPs, domains, and metadata using the Alerts_StealerLogs parser. |
| Severity | Low |
| Tactics | CredentialAccess Collection Exfiltration Reconnaissance InitialAccess |
| Techniques | T1555 T1005 T1041 T1589 T1189 |
| Required data connectors | CybleVisionAlerts |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Stealer_Logs.yaml |
| Version | 1.0.0 |
| Arm template | e0bf55c2-35ef-47ab-8846-5087618ae805.json |
Alerts_stealer_logs
| where Service == "stealer_logs"
| extend MappedSeverity = Severity
incidentConfiguration:
createIncident: true
groupingConfiguration:
matchingMethod: AllEntities
lookbackDuration: PT5H
reopenClosedIncident: false
enabled: false
requiredDataConnectors:
- dataTypes:
- CybleVisionAlerts_CL
connectorId: CybleVisionAlerts
relevantTechniques:
- T1555
- T1005
- T1041
- T1589
- T1189
triggerOperator: GreaterThan
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Stealer_Logs.yaml
customDetails:
Service: Service
Domain: SL_Domain
FileCreated: SL_FileCreated
ContentUsername: SL_Username_Content
CompromisedDate: SL_CompromiseDate
HWID: SL_HWID
FileSize: SL_FileSize
Country: SL_Country
ContentURL: SL_URL_Content
App: SL_App
FileModified: SL_FileModified
MappedSeverity: Severity
IP: SL_IP
Status: Status
Tags: SL_Tags
AlertID: AlertID
FileName: SL_FileName
Password: SL_Password
MalwareFamily: SL_MalwareFamily
queryFrequency: 30m
severity: Low
subTechniques: []
triggerThreshold: 0
suppressionDuration: PT5H
entityMappings:
- fieldMappings:
- columnName: SL_MainUsername
identifier: Name
entityType: Account
- fieldMappings:
- columnName: SL_MainURL
identifier: Url
entityType: URL
- fieldMappings:
- columnName: SL_IP
identifier: Address
entityType: IP
- fieldMappings:
- columnName: SL_Domain
identifier: DomainName
entityType: DNS
alertDetailsOverride:
alertDynamicProperties: []
alertDescriptionFormat: |
Stolen credentials detected in stealer logs. Malware Family {{SL_MalwareFamily}} URL {{SL_MainURL}} IP {{SL_IP}}
alertDisplayNameFormat: CybleVision Stealer Log Credential Exposure {{SL_MainUsername}}
name: CybleVision Alerts Stealer Logs
query: |
Alerts_stealer_logs
| where Service == "stealer_logs"
| extend MappedSeverity = Severity
version: 1.0.0
tactics:
- CredentialAccess
- Collection
- Exfiltration
- Reconnaissance
- InitialAccess
queryPeriod: 30m
description: |
'Detects credential theft and information-stealer malware logs. Extracts stolen credentials, URLs, device info, IPs, domains, and metadata using the Alerts_StealerLogs parser.'
kind: Scheduled
id: e0bf55c2-35ef-47ab-8846-5087618ae805
enabled: true
eventGroupingSettings:
aggregationKind: AlertPerResult
status: Available