CybleVision Alerts Stealer Logs
| Id | e0bf55c2-35ef-47ab-8846-5087618ae805 |
| Rulename | CybleVision Alerts Stealer Logs |
| Description | Detects credential theft and information-stealer malware logs. Extracts stolen credentials, URLs, device info, IPs, domains, and metadata using the Alerts_StealerLogs parser. |
| Severity | Low |
| Tactics | CredentialAccess Collection Exfiltration Reconnaissance InitialAccess |
| Techniques | T1555 T1005 T1041 T1589 T1189 |
| Required data connectors | CybleVisionAlerts |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Stealer_Logs.yaml |
| Version | 1.0.0 |
| Arm template | e0bf55c2-35ef-47ab-8846-5087618ae805.json |
Alerts_stealer_logs
| where Service == "stealer_logs"
| extend MappedSeverity = Severity
subTechniques: []
description: |
'Detects credential theft and information-stealer malware logs. Extracts stolen credentials, URLs, device info, IPs, domains, and metadata using the Alerts_StealerLogs parser.'
version: 1.0.0
queryPeriod: 30m
customDetails:
Status: Status
ContentUsername: SL_Username_Content
AlertID: AlertID
Password: SL_Password
FileSize: SL_FileSize
App: SL_App
FileName: SL_FileName
MalwareFamily: SL_MalwareFamily
FileModified: SL_FileModified
Tags: SL_Tags
CompromisedDate: SL_CompromiseDate
FileCreated: SL_FileCreated
ContentURL: SL_URL_Content
HWID: SL_HWID
Country: SL_Country
Service: Service
MappedSeverity: Severity
IP: SL_IP
Domain: SL_Domain
status: Available
id: e0bf55c2-35ef-47ab-8846-5087618ae805
enabled: true
tactics:
- CredentialAccess
- Collection
- Exfiltration
- Reconnaissance
- InitialAccess
entityMappings:
- entityType: Account
fieldMappings:
- columnName: SL_MainUsername
identifier: Name
- entityType: URL
fieldMappings:
- columnName: SL_MainURL
identifier: Url
- entityType: IP
fieldMappings:
- columnName: SL_IP
identifier: Address
- entityType: DNS
fieldMappings:
- columnName: SL_Domain
identifier: DomainName
alertDetailsOverride:
alertDynamicProperties: []
alertDescriptionFormat: |
Stolen credentials detected in stealer logs. Malware Family {{SL_MalwareFamily}} URL {{SL_MainURL}} IP {{SL_IP}}
alertDisplayNameFormat: CybleVision Stealer Log Credential Exposure {{SL_MainUsername}}
name: CybleVision Alerts Stealer Logs
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
matchingMethod: AllEntities
enabled: false
lookbackDuration: PT5H
createIncident: true
eventGroupingSettings:
aggregationKind: AlertPerResult
queryFrequency: 30m
suppressionDuration: PT5H
triggerThreshold: 0
triggerOperator: GreaterThan
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Stealer_Logs.yaml
kind: Scheduled
relevantTechniques:
- T1555
- T1005
- T1041
- T1589
- T1189
query: |
Alerts_stealer_logs
| where Service == "stealer_logs"
| extend MappedSeverity = Severity
severity: Low
requiredDataConnectors:
- connectorId: CybleVisionAlerts
dataTypes:
- CybleVisionAlerts_CL