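--- a/.script/tests/KqlvalidationsTests/CustomTables/FireworkV2_CL.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/FireworkV2_CL.json
@@ -0,0 +1,173 @@
+{
+"Name": "FireworkV2_CL",
+"Properties": [
+{
+"Name": "TimeGenerated",
+"Type": "DateTime"
+},
+{
+"Name": "EventVendor",
+"Type": "String"
+},
+{
+"Name": "EventProduct",
+"Type": "String"
+},
+{
+"Name": "EventSchemaVersion",
+"Type": "String"
+},
+{
+"Name": "EventSeverity",
+"Type": "String"
+},
+{
+"Name": "EventOriginalUid",
+"Type": "String"
+},
+{
+"Name": "EventOriginalType",
+"Type": "String"
+},
+{
+"Name": "RiskScore",
+"Type": "Int"
+},
+{
+"Name": "Url",
+"Type": "String"
+},
+{
+"Name": "timestamp",
+"Type": "String"
+},
+{
+"Name": "timestamp_formatted",
+"Type": "String"
+},
+{
+"Name": "first_crawled_at",
+"Type": "String"
+},
+{
+"Name": "materialized_at",
+"Type": "String"
+},
+{
+"Name": "url",
+"Type": "String"
+},
+{
+"Name": "event_title",
+"Type": "String"
+},
+{
+"Name": "event_type",
+"Type": "String"
+},
+{
+"Name": "source",
+"Type": "String"
+},
+{
+"Name": "source_name",
+"Type": "String"
+},
+{
+"Name": "id",
+"Type": "String"
+},
+{
+"Name": "keyword",
+"Type": "String"
+},
+{
+"Name": "category_name",
+"Type": "String"
+},
+{
+"Name": "content_preview",
+"Type": "dynamic"
+},
+{
+"Name": "content",
+"Type": "String"
+},
+{
+"Name": "alert_content",
+"Type": "String"
+},
+{
+"Name": "highlights",
+"Type": "dynamic"
+},
+{
+"Name": "risk",
+"Type": "dynamic"
+},
+{
+"Name": "tags",
+"Type": "dynamic"
+},
+{
+"Name": "related",
+"Type": "dynamic"
+},
+{
+"Name": "user_risk_score",
+"Type": "int"
+},
+{
+"Name": "user_notes",
+"Type": "String"
+},
+{
+"Name": "data",
+"Type": "dynamic"
+},
+{
+"Name": "uid",
+"Type": "String"
+},
+{
+"Name": "external_url",
+"Type": "String"
+},
+{
+"Name": "identifiers",
+"Type": "dynamic"
+},
+{
+"Name": "sort",
+"Type": "String"
+},
+{
+"Name": "asset_uuids",
+"Type": "dynamic"
+},
+{
+"Name": "code",
+"Type": "dynamic"
+},
+{
+"Name": "author_id",
+"Type": "String"
+},
+{
+"Name": "project_name",
+"Type": "String"
+},
+{
+"Name": "sha",
+"Type": "String"
+},
+{
+"Name": "actor",
+"Type": "String"
+},
+{
+"Name": "victim_name",
+"Type": "String"
+}
+]
+}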
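Review bot: The type names in this schema are inconsistently cased: `RiskScore` is declared as `"Int"`, `user_risk_score` as `"int"`, every dynamic column as lowercase `"dynamic"`, while the other columns use capitalised `"String"` and `"DateTime"`. If the KQL validation harness that consumes these custom-table files compares type names case-sensitively, one of the two integer spellings (and possibly every `dynamic` column) will be rejected or treated as an unknown type, so normalising all entries to one convention (`"Int"`, `"Dynamic"`) removes that dependency. The table also declares both `Url` and `url`; Log Analytics column names are case-sensitive so this is legal, but it is easy to pick the wrong one in a rule, and since strict JSON cannot carry a comment the PR description would be the place to say which of the two the analytic rules are expected to use.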
10 changes: 5 additions & 5 deletions Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml
Expand Up @@ -7,7 +7,7 @@ status: Available
requiredDataConnectors:
- connectorId: Flare
dataTypes:
- Firework_CL
- FireworkV2_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
Expand All @@ -17,7 +17,7 @@ tactics:
relevantTechniques:
- T1593
query: |
Firework_CL
| where source_s contains "Grayhat_warfare" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
version: 1.0.1
kind: Scheduled
FireworkV2_CL
| where tolower(source) contains "grayhat_warfare" and (RiskScore == 3 or RiskScore == 4 or RiskScore == 5)
version: 2.0.0
kind: Scheduled
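Review bot: The `tolower(source)` wrapper on the new query line is redundant, because KQL's `contains` operator is already case-insensitive (`contains_cs` is the case-sensitive variant), so `source contains "grayhat_warfare"` selects the same rows without transforming the column on every event. The three `RiskScore == n` comparisons collapse to the equivalent and more readable `RiskScore in (3, 4, 5)`. The rule's name, description and entity mappings sit outside the hunk.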
10 changes: 5 additions & 5 deletions Solutions/Flare/Analytic Rules/FlareCredentialLeaks.yaml
Expand Up @@ -7,7 +7,7 @@ status: Available
requiredDataConnectors:
- connectorId: Flare
dataTypes:
- Firework_CL
- FireworkV2_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
Expand All @@ -17,7 +17,7 @@ tactics:
relevantTechniques:
- T1110
query: |
Firework_CL
| where notempty(data_new_leaks_s) and source_s != 'stealer_logs_samples'
version: 1.0.2
kind: Scheduled
FireworkV2_CL
| where notempty(data.new_leaks) and tolower(source) != 'stealer_logs_samples'
version: 2.0.0
kind: Scheduled
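Review bot: `notempty(data.new_leaks)` on the new query line is evaluated on a property of a `dynamic` column, and `notempty()`/`isnotempty()` is defined in terms of null or empty-string values; the hunk does not show whether `new_leaks` is an array or a string in the v2 payload (the old `data_new_leaks_s` column was a string), so an empty array `[]` may not be treated as empty and the rule could fire on leak-less events. If it is an array, `array_length(data.new_leaks) > 0` expresses the intent directly; either way this is worth confirming against a real FireworkV2_CL row. The `tolower(source) != 'stealer_logs_samples'` comparison can be written with the idiomatic case-insensitive operator, `source !~ 'stealer_logs_samples'`.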
23 changes: 0 additions & 23 deletions Solutions/Flare/Analytic Rules/FlareDarkweb.yaml

This file was deleted.

10 changes: 5 additions & 5 deletions Solutions/Flare/Analytic Rules/FlareDork.yaml
Expand Up @@ -7,7 +7,7 @@ status: Available
requiredDataConnectors:
- connectorId: Flare
dataTypes:
- Firework_CL
- FireworkV2_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
Expand All @@ -17,7 +17,7 @@ tactics:
relevantTechniques:
- T1593
query: |
Firework_CL
| where source_s contains "google_search" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
version: 1.0.1
kind: Scheduled
FireworkV2_CL
| where tolower(source) contains "google_search" and (RiskScore == 3 or RiskScore == 4 or RiskScore == 5)
version: 2.0.0
kind: Scheduled
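Review bot: `tolower(source) contains "google_search"` lowercases the column for no effect, since `contains` in KQL is case-insensitive by default; `source contains "google_search"` is equivalent and cheaper. The score filter reads more clearly as `RiskScore in (3, 4, 5)` than as three chained equalities. The remainder of the rule definition is outside the hunk.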
10 changes: 5 additions & 5 deletions Solutions/Flare/Analytic Rules/FlareHost.yaml
Expand Up @@ -7,7 +7,7 @@ status: Available
requiredDataConnectors:
- connectorId: Flare
dataTypes:
- Firework_CL
- FireworkV2_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
Expand All @@ -17,7 +17,7 @@ tactics:
relevantTechniques:
- T1596
query: |
Firework_CL
| where source_s contains "driller_shodan" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
version: 1.0.1
kind: Scheduled
FireworkV2_CL
| where source contains "driller_shodan" and (RiskScore == 3 or RiskScore == 4 or RiskScore == 5)
version: 2.0.0
kind: Scheduled
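Review bot: This is the only rule in the set whose new query compares `source` without a `tolower()` wrapper, which is in fact the correct form since `contains` is case-insensitive in KQL; the inconsistency is with the sibling rules rather than a defect here, but a reader comparing the files will wonder whether the omission is deliberate. The three equality tests would be clearer as `RiskScore in (3, 4, 5)`. The rest of the rule lies outside the hunk.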
10 changes: 5 additions & 5 deletions Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml
Expand Up @@ -7,7 +7,7 @@ status: Available
requiredDataConnectors:
- connectorId: Flare
dataTypes:
- Firework_CL
- FireworkV2_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
Expand All @@ -17,7 +17,7 @@ tactics:
relevantTechniques:
- T1555
query: |
Firework_CL
| where category_name_s contains "Infected Device" or source_s=="genesis_market" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
version: 1.0.1
kind: Scheduled
FireworkV2_CL
| where tolower(category_name) contains "infected device" or source=="genesis_market" and (RiskScore == 3 or RiskScore == 4 or RiskScore == 5)
version: 2.0.0
kind: Scheduled
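Review bot: The new `where` clause mixes `or` and `and` without parentheses, and KQL's `and` binds tighter than `or`, so the `RiskScore` gate applies only to the `source=="genesis_market"` branch while every row whose `category_name` contains "infected device" fires regardless of score. If the score threshold is meant to cover both conditions, write `| where (category_name contains "infected device" or source =~ "genesis_market") and RiskScore in (3, 4, 5)`; the same precedence existed in the v1 query, so it may be intentional, but it should be confirmed rather than carried over silently. Note also that `==` on `source` is case-sensitive while the sibling rules lowercase the column, so `=~` is the consistent choice, and `tolower()` is redundant with `contains`.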
10 changes: 5 additions & 5 deletions Solutions/Flare/Analytic Rules/FlarePaste.yaml
Expand Up @@ -7,7 +7,7 @@ status: Available
requiredDataConnectors:
- connectorId: Flare
dataTypes:
- Firework_CL
- FireworkV2_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
Expand All @@ -17,7 +17,7 @@ tactics:
relevantTechniques:
- T1593
query: |
Firework_CL
| where source_s in ("gist_github","Pastebin","driller_stackexchange") and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
version: 1.0.1
kind: Scheduled
FireworkV2_CL
| where tolower(source) in ("gist_github","Pastebin","driller_stackexchange") and (RiskScore == 3 or RiskScore == 4 or RiskScore == 5)
version: 2.0.0
kind: Scheduled
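Review bot: The new `where` clause can never match Pastebin events: `tolower(source)` is compared with `in`, which is case-sensitive, against the literal `"Pastebin"` with a capital P, so that list entry is dead regardless of how the source value is cased. Either lowercase the literal or drop the wrapper and use the case-insensitive operator: `| where source in~ ("gist_github", "Pastebin", "driller_stackexchange") and RiskScore in (3, 4, 5)`. The v1 query compared `source_s` directly, so this is a regression introduced by the rewrite rather than an inherited issue.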
10 changes: 5 additions & 5 deletions Solutions/Flare/Analytic Rules/FlareSSLcert.yaml
Expand Up @@ -7,7 +7,7 @@ status: Available
requiredDataConnectors:
- connectorId: Flare
dataTypes:
- Firework_CL
- FireworkV2_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
Expand All @@ -17,7 +17,7 @@ tactics:
relevantTechniques:
- T1583
query: |
Firework_CL
| where source_s contains "certstream" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
version: 1.0.1
kind: Scheduled
FireworkV2_CL
| where tolower(source) contains "certstream" and (RiskScore == 3 or RiskScore == 4 or RiskScore == 5)
version: 2.0.0
kind: Scheduled
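Review bot: `tolower(source) contains "certstream"` performs a per-row string transform that `contains` already makes unnecessary, as the operator is case-insensitive in KQL; `source contains "certstream"` behaves identically. `RiskScore in (3, 4, 5)` is the idiomatic form of the three chained equalities. The rule's metadata above the hunk is not visible here.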
10 changes: 5 additions & 5 deletions Solutions/Flare/Analytic Rules/FlareSourceCode.yaml
Expand Up @@ -7,7 +7,7 @@ status: Available
requiredDataConnectors:
- connectorId: Flare
dataTypes:
- Firework_CL
- FireworkV2_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
Expand All @@ -17,7 +17,7 @@ tactics:
relevantTechniques:
- T1593
query: |
Firework_CL
| where source_s contains "driller_github" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
version: 1.0.1
kind: Scheduled
FireworkV2_CL
| where tolower(source) contains "driller_github" and (RiskScore == 3 or RiskScore == 4 or RiskScore == 5)
version: 2.0.0
kind: Scheduled
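Review bot: The `tolower()` wrapper on `source` in the new query is redundant because `contains` is case-insensitive in KQL, so `source contains "driller_github"` yields the same matches with less work per event. The score condition reads better as `RiskScore in (3, 4, 5)`. The rest of the rule definition is outside the hunk.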