CybleVision Alerts Stealer Logs

Back


Id	e0bf55c2-35ef-47ab-8846-5087618ae805
Rulename	CybleVision Alerts Stealer Logs
Description	Detects credential theft and information-stealer malware logs. Extracts stolen credentials, URLs, device info, IPs, domains, and metadata using the Alerts_StealerLogs parser.
Severity	Low
Tactics	CredentialAccess Collection Exfiltration Reconnaissance InitialAccess
Techniques	T1555 T1005 T1041 T1589 T1189
Required data connectors	CybleVisionAlerts
Kind	Scheduled
Query frequency	30m
Query period	30m
Trigger threshold	0
Trigger operator	GreaterThan
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Stealer_Logs.yaml
Version	1.0.0
Arm template	e0bf55c2-35ef-47ab-8846-5087618ae805.json

KQL

Alerts_stealer_logs 
| where Service == "stealer_logs" 
| extend MappedSeverity = Severity

YAML

suppressionDuration: PT5H
status: Available
subTechniques: []
queryPeriod: 30m
triggerOperator: GreaterThan
eventGroupingSettings:
  aggregationKind: AlertPerResult
enabled: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Stealer_Logs.yaml
queryFrequency: 30m
tactics:
- CredentialAccess
- Collection
- Exfiltration
- Reconnaissance
- InitialAccess
triggerThreshold: 0
query: |
  Alerts_stealer_logs 
  | where Service == "stealer_logs" 
  | extend MappedSeverity = Severity  
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: SL_MainUsername
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: SL_MainURL
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SL_IP
- entityType: DNS
  fieldMappings:
  - identifier: DomainName
    columnName: SL_Domain
requiredDataConnectors:
- connectorId: CybleVisionAlerts
  dataTypes:
  - CybleVisionAlerts_CL
alertDetailsOverride:
  alertDescriptionFormat: |
        Stolen credentials detected in stealer logs. Malware Family {{SL_MalwareFamily}} URL {{SL_MainURL}} IP {{SL_IP}}
  alertDisplayNameFormat: CybleVision Stealer Log Credential Exposure {{SL_MainUsername}}
  alertDynamicProperties: []
relevantTechniques:
- T1555
- T1005
- T1041
- T1589
- T1189
customDetails:
  Status: Status
  IP: SL_IP
  FileCreated: SL_FileCreated
  CompromisedDate: SL_CompromiseDate
  App: SL_App
  Country: SL_Country
  ContentURL: SL_URL_Content
  HWID: SL_HWID
  Password: SL_Password
  MappedSeverity: Severity
  ContentUsername: SL_Username_Content
  FileSize: SL_FileSize
  Domain: SL_Domain
  Tags: SL_Tags
  MalwareFamily: SL_MalwareFamily
  FileName: SL_FileName
  FileModified: SL_FileModified
  AlertID: AlertID
  Service: Service
description: |
    'Detects credential theft and information-stealer malware logs. Extracts stolen credentials, URLs, device info, IPs, domains, and metadata using the Alerts_StealerLogs parser.'
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: PT5H
    enabled: false
  createIncident: true
name: CybleVision Alerts Stealer Logs
version: 1.0.0
kind: Scheduled
id: e0bf55c2-35ef-47ab-8846-5087618ae805
severity: Low

ARM