diff --git a/Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml b/Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml
index 01bd158a27b..286cbf4bcf0 100644
--- a/Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml
+++ b/Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml
@@ -18,6 +18,9 @@ relevantTechniques:
- T1593
query: |
Firework_CL
- | where source_s contains "Grayhat_warfare" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
+ | extend source = column_ifexists("source_s", "")
+ | extend risk_score = column_ifexists("risk_score_d", 0.0)
+ | where source contains "Grayhat_warfare"
+ | where risk_score >= 3
+version: 1.0.2
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Flare/Analytic Rules/FlareCredentialLeaks.yaml b/Solutions/Flare/Analytic Rules/FlareCredentialLeaks.yaml
index 4f50f737d69..fe7c404c2ef 100644
--- a/Solutions/Flare/Analytic Rules/FlareCredentialLeaks.yaml
+++ b/Solutions/Flare/Analytic Rules/FlareCredentialLeaks.yaml
@@ -18,6 +18,8 @@ relevantTechniques:
- T1110
query: |
Firework_CL
- | where notempty(data_new_leaks_s) and source_s != 'stealer_logs_samples'
-version: 1.0.2
+ | extend data_new_leaks = column_ifexists("data_new_leaks_s", "")
+ | extend source = column_ifexists("source_s", "")
+ | where isnotempty(data_new_leaks) and source != "stealer_logs_samples"
+version: 1.0.3
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Flare/Analytic Rules/FlareDarkweb.yaml b/Solutions/Flare/Analytic Rules/FlareDarkweb.yaml
deleted file mode 100644
index 39128e15e0c..00000000000
--- a/Solutions/Flare/Analytic Rules/FlareDarkweb.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-id: 9cb7c337-f173-4af6-b0e8-b6b7552d762d
-name: Flare Darkweb result
-description: |
- 'Result found on a darkweb platform'
-severity: Medium
-status: Available
-requiredDataConnectors:
- - connectorId: Flare
- dataTypes:
- - Firework_CL
-queryFrequency: 1h
-queryPeriod: 1h
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
- - Reconnaissance
-relevantTechniques:
- - T1597
-query: |
- Firework_CL
- | where risk_reasons_s contains "CYBERCRIME_SOURCE" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
-kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Flare/Analytic Rules/FlareDork.yaml b/Solutions/Flare/Analytic Rules/FlareDork.yaml
index 43a16a7f97f..76d8e962b1c 100644
--- a/Solutions/Flare/Analytic Rules/FlareDork.yaml
+++ b/Solutions/Flare/Analytic Rules/FlareDork.yaml
@@ -18,6 +18,9 @@ relevantTechniques:
- T1593
query: |
Firework_CL
- | where source_s contains "google_search" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
+ | extend source = column_ifexists("source_s", "")
+ | extend risk_score = column_ifexists("risk_score_d", 0.0)
+ | where source contains "google_search"
+ | where risk_score >= 3
+version: 1.0.2
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Flare/Analytic Rules/FlareHost.yaml b/Solutions/Flare/Analytic Rules/FlareHost.yaml
index 69c5b24fd50..8499764be1a 100644
--- a/Solutions/Flare/Analytic Rules/FlareHost.yaml
+++ b/Solutions/Flare/Analytic Rules/FlareHost.yaml
@@ -18,6 +18,9 @@ relevantTechniques:
- T1596
query: |
Firework_CL
- | where source_s contains "driller_shodan" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
+ | extend source = column_ifexists("source_s", "")
+ | extend risk_score = column_ifexists("risk_score_d", 0.0)
+ | where source contains "driller_shodan"
+ | where risk_score >= 3
+version: 1.0.2
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml b/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml
index 3d5cc7c7709..18b4e6bc5ce 100644
--- a/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml
+++ b/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml
@@ -18,6 +18,10 @@ relevantTechniques:
- T1555
query: |
Firework_CL
- | where category_name_s contains "Infected Device" or source_s=="genesis_market" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
+ | extend category_name = column_ifexists("category_name_s", "")
+ | extend source = column_ifexists("source_s", "")
+ | extend risk_score = column_ifexists("risk_score_d", 0.0)
+ | where category_name contains "Infected Device" or source == "genesis_market"
+ | where risk_score >= 3
+version: 1.0.2
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Flare/Analytic Rules/FlarePaste.yaml b/Solutions/Flare/Analytic Rules/FlarePaste.yaml
index bd5449ff09b..009082b323d 100644
--- a/Solutions/Flare/Analytic Rules/FlarePaste.yaml
+++ b/Solutions/Flare/Analytic Rules/FlarePaste.yaml
@@ -18,6 +18,9 @@ relevantTechniques:
- T1593
query: |
Firework_CL
- | where source_s in ("gist_github","Pastebin","driller_stackexchange") and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
+ | extend source = column_ifexists("source_s", "")
+ | extend risk_score = column_ifexists("risk_score_d", 0.0)
+ | where source in ("gist_github", "Pastebin", "driller_stackexchange")
+ | where risk_score >= 3
+version: 1.0.2
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Flare/Analytic Rules/FlareSSLcert.yaml b/Solutions/Flare/Analytic Rules/FlareSSLcert.yaml
index b11c5d47b21..cf132ddfd81 100644
--- a/Solutions/Flare/Analytic Rules/FlareSSLcert.yaml
+++ b/Solutions/Flare/Analytic Rules/FlareSSLcert.yaml
@@ -18,6 +18,9 @@ relevantTechniques:
- T1583
query: |
Firework_CL
- | where source_s contains "certstream" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
+ | extend source = column_ifexists("source_s", "")
+ | extend risk_score = column_ifexists("risk_score_d", 0.0)
+ | where source contains "certstream"
+ | where risk_score >= 3
+version: 1.0.2
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Flare/Analytic Rules/FlareSourceCode.yaml b/Solutions/Flare/Analytic Rules/FlareSourceCode.yaml
index adec624539d..511f81c184b 100644
--- a/Solutions/Flare/Analytic Rules/FlareSourceCode.yaml
+++ b/Solutions/Flare/Analytic Rules/FlareSourceCode.yaml
@@ -18,6 +18,9 @@ relevantTechniques:
- T1593
query: |
Firework_CL
- | where source_s contains "driller_github" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
+ | extend source = column_ifexists("source_s", "")
+ | extend risk_score = column_ifexists("risk_score_d", 0.0)
+ | where source contains "driller_github"
+ | where risk_score >= 3
+version: 1.0.2
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Flare/Data Connectors/Connector_REST_API_FlareSystemsFirework.json b/Solutions/Flare/Data Connectors/Connector_REST_API_FlareSystemsFirework.json
index a02378a4b9e..254a8183040 100644
--- a/Solutions/Flare/Data Connectors/Connector_REST_API_FlareSystemsFirework.json
+++ b/Solutions/Flare/Data Connectors/Connector_REST_API_FlareSystemsFirework.json
@@ -70,7 +70,7 @@
"description": "",
"innerSteps": [
{
- "description": "As an organization administrator, authenticate on [Flare](https://app.flare.systems) and access the [team page](https://app.flare.systems#/team) to create a new alert channel."
+ "description": "As an organization administrator, authenticate on [Flare](https://app.flare.io) and access the [alert page](https://app.flare.io/#/alerts?activeTab=alert-channels) to create a new alert channel."
},
{
"description": "Click on 'Create a new alert channel' and select 'Microsoft Sentinel'. Enter your Shared Key And WorkspaceID. Save the Alert Channel. \n For more help and details, see our [Azure configuration documentation](https://docs.microsoft.com/azure/sentinel/connect-data-sources).",
@@ -129,4 +129,4 @@
"link": "https://flare.systems/company/contact/"
}
}
-}
\ No newline at end of file
+}
diff --git a/Solutions/Flare/Data/Solution_FlareSystemsFirework.json b/Solutions/Flare/Data/Solution_FlareSystemsFirework.json
index db0b3858daf..6edb2c3ee21 100644
--- a/Solutions/Flare/Data/Solution_FlareSystemsFirework.json
+++ b/Solutions/Flare/Data/Solution_FlareSystemsFirework.json
@@ -1,8 +1,8 @@
{
"Name": "Flare",
- "Author": "Microsoft - support@microsoft.com",
+ "Author": "Flare Integration Team - support@flare.io",
"Logo": "![](\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Flare.svg\"width=\"75px\"height=\"75px\")
",
- "Description": "The Flare Systems [Firework](https://flare.systems/firework/) solution allows you to receive data and intelligence from Firework on Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs. \n\n a .[Azure Monitor HTTP Data Collector API ](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)",
+ "Description": "The Flare Systems [Firework](https://flare.io/platform/) solution allows you to receive data and intelligence from Firework on Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs. \n\n a .[Azure Monitor HTTP Data Collector API ](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)",
"Data Connectors": [
"Data Connectors/Connector_REST_API_FlareSystemsFirework.json"
],
@@ -15,7 +15,6 @@
"Analytic Rules": [
"Analytic Rules/FlareCloudBucket.yaml",
"Analytic Rules/FlareCredentialLeaks.yaml",
- "Analytic Rules/FlareDarkweb.yaml",
"Analytic Rules/FlareDork.yaml",
"Analytic Rules/FlareHost.yaml",
"Analytic Rules/FlareInfectedDevice.yaml",
@@ -24,8 +23,8 @@
"Analytic Rules/FlareSSLcert.yaml"
],
"BasePath": "C:\\GitHub\\azure-sentinel\\Solutions\\Flare",
- "Version": "2.1.0",
+ "Version": "2.2.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
-}
\ No newline at end of file
+}
diff --git a/Solutions/Flare/Package/2.2.0.zip b/Solutions/Flare/Package/2.2.0.zip
new file mode 100644
index 00000000000..7d1feebe6c8
Binary files /dev/null and b/Solutions/Flare/Package/2.2.0.zip differ
diff --git a/Solutions/Flare/Package/createUiDefinition.json b/Solutions/Flare/Package/createUiDefinition.json
index 366f4c39797..0b7990caa69 100644
--- a/Solutions/Flare/Package/createUiDefinition.json
+++ b/Solutions/Flare/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "![](\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Flare/Data%20Connectors/Logo/Flare.svg\")
\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nFlare identifies your company’s digital assets made publicly available due to human error or malicious attacks. \n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 9, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Flare/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Flare Systems [Firework](https://flare.io/platform/) solution allows you to receive data and intelligence from Firework on Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs. \n\n a .[Azure Monitor HTTP Data Collector API ](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 8, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -64,7 +64,7 @@
}
},
{
- "name": "dataconnectors-link2",
+ "name": "dataconnectors-link1",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
@@ -146,13 +146,13 @@
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
- "label": "Flare Leaked Credentials",
+ "label": "Flare Cloud bucket result",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Searches for Flare Leaked Credentials"
+ "text": "Results found on an publicly available cloud bucket"
}
}
]
@@ -160,13 +160,13 @@
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
- "label": "Flare Cloud bucket result",
+ "label": "Flare Leaked Credentials",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Results found on an publicly available cloud bucket"
+ "text": "Searches for Flare Leaked Credentials"
}
}
]
@@ -174,24 +174,10 @@
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
- "label": "Flare Darkweb result",
- "elements": [
- {
- "name": "analytic3-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "Result found on a darkweb platform"
- }
- }
- ]
- },
- {
- "name": "analytic4",
- "type": "Microsoft.Common.Section",
"label": "Flare Google Dork result found",
"elements": [
{
- "name": "analytic4-text",
+ "name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Results using a dork on google was found"
@@ -200,12 +186,12 @@
]
},
{
- "name": "analytic5",
+ "name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "Flare Host result",
"elements": [
{
- "name": "analytic5-text",
+ "name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Results found relating to IP, domain or host"
@@ -214,12 +200,12 @@
]
},
{
- "name": "analytic6",
+ "name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "Flare Infected Device",
"elements": [
{
- "name": "analytic6-text",
+ "name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Infected Device found on darkweb or Telegram"
@@ -228,12 +214,12 @@
]
},
{
- "name": "analytic7",
+ "name": "analytic6",
"type": "Microsoft.Common.Section",
"label": "Flare Paste result",
"elements": [
{
- "name": "analytic7-text",
+ "name": "analytic6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Result found on code Snippet (paste) sharing platform"
@@ -242,12 +228,12 @@
]
},
{
- "name": "analytic8",
+ "name": "analytic7",
"type": "Microsoft.Common.Section",
"label": "Flare Source Code found",
"elements": [
{
- "name": "analytic8-text",
+ "name": "analytic7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Result found on Code Sharing platform"
@@ -256,12 +242,12 @@
]
},
{
- "name": "analytic9",
+ "name": "analytic8",
"type": "Microsoft.Common.Section",
"label": "Flare SSL Certificate result",
"elements": [
{
- "name": "analytic9-text",
+ "name": "analytic8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "SSL Certificate registration found"
diff --git a/Solutions/Flare/Package/mainTemplate.json b/Solutions/Flare/Package/mainTemplate.json
index 1448a2b0f2e..ee649188214 100644
--- a/Solutions/Flare/Package/mainTemplate.json
+++ b/Solutions/Flare/Package/mainTemplate.json
@@ -38,10 +38,10 @@
}
},
"variables": {
- "solutionId": "flaresystmesinc1617114736428.flare-systems-firework-sentinel",
- "_solutionId": "[variables('solutionId')]",
"email": "support@flare.io",
"_email": "[variables('email')]",
+ "solutionId": "flaresystmesinc1617114736428.flare-systems-firework-sentinel",
+ "_solutionId": "[variables('solutionId')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"uiConfigId1": "Flare",
"_uiConfigId1": "[variables('uiConfigId1')]",
@@ -51,51 +51,11 @@
"_dataConnectorId1": "[variables('dataConnectorId1')]",
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
"dataConnectorVersion1": "1.0.0",
- "analyticRuleVersion1": "1.0.2",
- "analyticRulecontentId1": "9cb7c337-f170-4af6-b0e8-b6b7552d762d",
- "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
- "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
- "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]",
- "analyticRuleVersion2": "1.0.1",
- "analyticRulecontentId2": "9cb7c337-f172-4af6-b0e8-b6b7552d762d",
- "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
- "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
- "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]",
- "analyticRuleVersion3": "1.0.1",
- "analyticRulecontentId3": "9cb7c337-f173-4af6-b0e8-b6b7552d762d",
- "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]",
- "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]",
- "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3')))]",
- "analyticRuleVersion4": "1.0.1",
- "analyticRulecontentId4": "9cb7c337-f174-4af6-b0e8-b6b7552d762d",
- "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]",
- "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]",
- "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4')))]",
- "analyticRuleVersion5": "1.0.1",
- "analyticRulecontentId5": "9cb7c337-f175-4af6-b0e8-b6b7552d762d",
- "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]",
- "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]",
- "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5')))]",
- "analyticRuleVersion6": "1.0.1",
- "analyticRulecontentId6": "9cb7c337-f176-4af6-b0e8-b6b7552d762d",
- "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]",
- "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]",
- "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6')))]",
- "analyticRuleVersion7": "1.0.1",
- "analyticRulecontentId7": "9cb7c337-f177-4af6-b0e8-b6b7552d762d",
- "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]",
- "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]",
- "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7')))]",
- "analyticRuleVersion8": "1.0.1",
- "analyticRulecontentId8": "9cb7c337-f178-4af6-b0e8-b6b7552d762d",
- "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]",
- "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]",
- "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8')))]",
- "analyticRuleVersion9": "1.0.1",
- "analyticRulecontentId9": "9cb7c337-f179-4af6-b0e8-b6b7552d762d",
- "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]",
- "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]",
- "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9')))]",
+ "workbookVersion1": "1.0.0",
+ "workbookContentId1": "FireworkWorkbook",
+ "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
+ "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]",
+ "_workbookContentId1": "[variables('workbookContentId1')]",
"credential-warning": "credential-warning",
"_credential-warning": "[variables('credential-warning')]",
"playbookVersion1": "1.0",
@@ -103,11 +63,54 @@
"_playbookContentId1": "[variables('playbookContentId1')]",
"playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]",
"playbookTemplateSpecName1": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1')))]",
- "workbookVersion1": "1.0.0",
- "workbookContentId1": "FireworkWorkbook",
- "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
- "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]",
- "_workbookContentId1": "[variables('workbookContentId1')]"
+ "analyticRuleObject1": {
+ "analyticRuleVersion1": "1.0.2",
+ "_analyticRulecontentId1": "9cb7c337-f172-4af6-b0e8-b6b7552d762d",
+ "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f172-4af6-b0e8-b6b7552d762d')]",
+ "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f172-4af6-b0e8-b6b7552d762d'))]"
+ },
+ "analyticRuleObject2": {
+ "analyticRuleVersion2": "1.0.3",
+ "_analyticRulecontentId2": "9cb7c337-f170-4af6-b0e8-b6b7552d762d",
+ "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f170-4af6-b0e8-b6b7552d762d')]",
+ "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f170-4af6-b0e8-b6b7552d762d'))]"
+ },
+ "analyticRuleObject3": {
+ "analyticRuleVersion3": "1.0.2",
+ "_analyticRulecontentId3": "9cb7c337-f174-4af6-b0e8-b6b7552d762d",
+ "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f174-4af6-b0e8-b6b7552d762d')]",
+ "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f174-4af6-b0e8-b6b7552d762d'))]"
+ },
+ "analyticRuleObject4": {
+ "analyticRuleVersion4": "1.0.2",
+ "_analyticRulecontentId4": "9cb7c337-f175-4af6-b0e8-b6b7552d762d",
+ "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f175-4af6-b0e8-b6b7552d762d')]",
+ "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f175-4af6-b0e8-b6b7552d762d'))]"
+ },
+ "analyticRuleObject5": {
+ "analyticRuleVersion5": "1.0.2",
+ "_analyticRulecontentId5": "9cb7c337-f176-4af6-b0e8-b6b7552d762d",
+ "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f176-4af6-b0e8-b6b7552d762d')]",
+ "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f176-4af6-b0e8-b6b7552d762d'))]"
+ },
+ "analyticRuleObject6": {
+ "analyticRuleVersion6": "1.0.2",
+ "_analyticRulecontentId6": "9cb7c337-f177-4af6-b0e8-b6b7552d762d",
+ "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f177-4af6-b0e8-b6b7552d762d')]",
+ "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f177-4af6-b0e8-b6b7552d762d'))]"
+ },
+ "analyticRuleObject7": {
+ "analyticRuleVersion7": "1.0.2",
+ "_analyticRulecontentId7": "9cb7c337-f178-4af6-b0e8-b6b7552d762d",
+ "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f178-4af6-b0e8-b6b7552d762d')]",
+ "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f178-4af6-b0e8-b6b7552d762d'))]"
+ },
+ "analyticRuleObject8": {
+ "analyticRuleVersion8": "1.0.2",
+ "_analyticRulecontentId8": "9cb7c337-f179-4af6-b0e8-b6b7552d762d",
+ "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f179-4af6-b0e8-b6b7552d762d')]",
+ "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f179-4af6-b0e8-b6b7552d762d'))]"
+ }
},
"resources": [
{
@@ -137,7 +140,7 @@
"[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
],
"properties": {
- "description": "Flare data connector with template version 2.1.0",
+ "description": "Flare data connector with template version 2.2.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -221,7 +224,7 @@
{
"innerSteps": [
{
- "description": "As an organization administrator, authenticate on [Flare](https://app.flare.systems) and access the [team page](https://app.flare.systems#/team) to create a new alert channel."
+ "description": "As an organization administrator, authenticate on [Flare](https://app.flare.io) and access the [alert page](https://app.flare.io/#/alerts?activeTab=alert-channels) to create a new alert channel."
},
{
"description": "Click on 'Create a new alert channel' and select 'Microsoft Sentinel'. Enter your Shared Key And WorkspaceID. Save the Alert Channel. \n For more help and details, see our [Azure configuration documentation](https://docs.microsoft.com/azure/sentinel/connect-data-sources).",
@@ -420,7 +423,7 @@
{
"innerSteps": [
{
- "description": "As an organization administrator, authenticate on [Flare](https://app.flare.systems) and access the [team page](https://app.flare.systems#/team) to create a new alert channel."
+ "description": "As an organization administrator, authenticate on [Flare](https://app.flare.io) and access the [alert page](https://app.flare.io/#/alerts?activeTab=alert-channels) to create a new alert channel."
},
{
"description": "Click on 'Create a new alert channel' and select 'Microsoft Sentinel'. Enter your Shared Key And WorkspaceID. Save the Alert Channel. \n For more help and details, see our [Azure configuration documentation](https://docs.microsoft.com/azure/sentinel/connect-data-sources).",
@@ -469,82 +472,64 @@
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2022-02-01",
- "name": "[variables('analyticRuleTemplateSpecName1')]",
+ "name": "[variables('workbookTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
+ "hidden-sentinelContentType": "Workbook"
},
"properties": {
- "description": "Flare Analytics Rule 1 with template",
- "displayName": "Flare Analytics Rule template"
+ "description": "Flare Workbook with template",
+ "displayName": "Flare workbook template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]",
+ "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
+ "hidden-sentinelContentType": "Workbook"
},
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]"
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
],
"properties": {
- "description": "FlareCredentialLeaks_AnalyticalRules Analytics Rule with template version 2.1.0",
+ "description": "FlareSystemsFireworkOverview Workbook with template version 2.2.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion1')]",
+ "contentVersion": "[variables('workbookVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId1')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
+ "type": "Microsoft.Insights/workbooks",
+ "name": "[variables('workbookContentId1')]",
"location": "[parameters('workspace-location')]",
+ "kind": "shared",
+ "apiVersion": "2021-08-01",
+ "metadata": {
+ "description": "Select the time range for this Overview."
+ },
"properties": {
- "description": "Searches for Flare Leaked Credentials",
- "displayName": "Flare Leaked Credentials",
- "enabled": false,
- "query": "Firework_CL\n| where notempty(data_new_leaks_s) and source_s != 'stealer_logs_samples'\n",
- "queryFrequency": "PT1H",
- "queryPeriod": "PT1H",
- "severity": "Medium",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
- {
- "dataTypes": [
- "Firework_CL"
- ],
- "connectorId": "Flare"
- }
- ],
- "tactics": [
- "CredentialAccess"
- ],
- "techniques": [
- "T1110"
- ]
+ "displayName": "[parameters('workbook1-name')]",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Firework Logs by risk score\\n---\\n\\nThese are all your logs that came from Firework in the past 30 days, where each line represents a specific risk score\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Firework_CL\\n| make-series num=count() on timestamp_t from ago(30d) to now() step 8h by strcat(\\\"Risk Score \\\", tostring(toint(risk_score_d)))\\n| render timechart \",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Risk Score 2\",\"color\":\"turquoise\"},{\"seriesName\":\"Risk Score 3\",\"color\":\"yellow\"},{\"seriesName\":\"Risk Score 4\",\"color\":\"orange\"},{\"seriesName\":\"Risk Score 1\",\"color\":\"lightBlue\"}]}},\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"# Sources of all documents collected\\n\\nData per day for the last 30 days\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Firework_CL\\n| make-series num=count() on timestamp_t from ago(30d) to now() step 1d by source_name_s\\n| where isnotempty(source_name_s)\\n| render barchart \",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Firework_CL\\n| where timestamp_t >= ago(30d)\\n| summarize num=count() by source_name_s\\n| where notempty(source_name_s)\\n| render piechart \",\"size\":2,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 6\"},{\"type\":1,\"content\":{\"json\":\"# Total Leaked Credentials received\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Firework_CL\\n| where notempty(column_ifexists('data_new_leaks_s', ''))\\n| make-series Total_Leaked_Credentials=count() on timestamp_t from ago(30d) to now() step 8h \\n| render timechart\",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Total_Leaked_Credentials\",\"color\":\"redBright\"}]}},\"name\":\"query - 4\"}],\"fromTemplateId\":\"sentinel-FireworkWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
+ "version": "1.0",
+ "sourceId": "[variables('workspaceResourceId')]",
+ "category": "sentinel"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
"properties": {
- "description": "Flare Analytics Rule 1",
- "parentId": "[variables('analyticRuleId1')]",
- "contentId": "[variables('_analyticRulecontentId1')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion1')]",
+ "description": "@{workbookKey=FireworkWorkbook; logoFileName=Flare.svg; description=Select the time range for this Overview.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=FlareSystemsFirework; templateRelativePath=FlareSystemsFireworkOverview.json; subtitle=; provider=Flare Systems}.description",
+ "parentId": "[variables('workbookId1')]",
+ "contentId": "[variables('_workbookContentId1')]",
+ "kind": "Workbook",
+ "version": "[variables('workbookVersion1')]",
"source": {
"kind": "Solution",
"name": "Flare",
@@ -559,6 +544,19 @@
"email": "contact@flare.io",
"tier": "Partner",
"link": "https://flare.io/company/contact/"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "contentId": "Firework_CL",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "FlareSystemsFirework",
+ "kind": "DataConnector"
+ }
+ ]
}
}
}
@@ -569,282 +567,334 @@
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2022-02-01",
- "name": "[variables('analyticRuleTemplateSpecName2')]",
+ "name": "[variables('playbookTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
+ "hidden-sentinelContentType": "Playbook"
},
"properties": {
- "description": "Flare Analytics Rule 2 with template",
- "displayName": "Flare Analytics Rule template"
+ "description": "credential-warning playbook",
+ "displayName": "credential-warning playbook"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]",
+ "name": "[concat(variables('playbookTemplateSpecName1'),'/',variables('playbookVersion1'))]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
+ "hidden-sentinelContentType": "Playbook"
},
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]"
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName1'))]"
],
"properties": {
- "description": "FlareCloudBucket_AnalyticalRules Analytics Rule with template version 2.1.0",
+ "description": "credential-warning Playbook with template version 2.2.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion2')]",
- "parameters": {},
- "variables": {},
+ "contentVersion": "[variables('playbookVersion1')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "credential-warning",
+ "type": "string"
+ }
+ },
+ "variables": {
+ "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
+ "o365ConnectionName": "[[concat('o365-', parameters('PlaybookName'))]",
+ "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "_connection-1": "[[variables('connection-1')]",
+ "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
+ "_connection-2": "[[variables('connection-2')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
"resources": [
{
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId2')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
- "location": "[parameters('workspace-location')]",
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('AzureSentinelConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "kind": "V1",
"properties": {
- "description": "Results found on an publicly available cloud bucket",
- "displayName": "Flare Cloud bucket result",
- "enabled": false,
- "query": "Firework_CL\n| where source_s contains \"Grayhat_warfare\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n",
- "queryFrequency": "PT1H",
- "queryPeriod": "PT1H",
- "severity": "Medium",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
- {
- "dataTypes": [
- "Firework_CL"
- ],
- "connectorId": "Flare"
- }
- ],
- "tactics": [
- "Reconnaissance"
- ],
- "techniques": [
- "T1593"
- ]
+ "displayName": "[[variables('AzureSentinelConnectionName')]",
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[[variables('_connection-1')]"
+ }
}
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('o365ConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]",
"properties": {
- "description": "Flare Analytics Rule 2",
- "parentId": "[variables('analyticRuleId2')]",
- "contentId": "[variables('_analyticRulecontentId2')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Flare",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Flare Integration Team",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Flare",
- "email": "contact@flare.io",
- "tier": "Partner",
- "link": "https://flare.io/company/contact/"
+ "displayName": "[[parameters('PlaybookName')]",
+ "api": {
+ "id": "[[variables('_connection-2')]"
}
}
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2022-02-01",
- "name": "[variables('analyticRuleTemplateSpecName3')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "Flare Analytics Rule 3 with template",
- "displayName": "Flare Analytics Rule template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName3'),'/',variables('analyticRuleVersion3'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]"
- ],
- "properties": {
- "description": "FlareDarkweb_AnalyticalRules Analytics Rule with template version 2.1.0",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion3')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId3')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "description": "Result found on a darkweb platform",
- "displayName": "Flare Darkweb result",
- "enabled": false,
- "query": "Firework_CL\n| where risk_reasons_s contains \"CYBERCRIME_SOURCE\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n",
- "queryFrequency": "PT1H",
- "queryPeriod": "PT1H",
- "severity": "Medium",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
- {
- "dataTypes": [
- "Firework_CL"
- ],
- "connectorId": "Flare"
- }
- ],
- "tactics": [
- "Reconnaissance"
- ],
- "techniques": [
- "T1597"
- ]
- }
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]",
- "properties": {
- "description": "Flare Analytics Rule 3",
- "parentId": "[variables('analyticRuleId3')]",
- "contentId": "[variables('_analyticRulecontentId3')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion3')]",
- "source": {
- "kind": "Solution",
- "name": "Flare",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Flare Integration Team",
- "email": "[variables('_email')]"
+ "type": "Microsoft.Logic/workflows",
+ "apiVersion": "2017-07-01",
+ "name": "[[parameters('PlaybookName')]",
+ "location": "[[variables('workspace-location-inline')]",
+ "tags": {
+ "LogicAppsCategory": "security",
+ "hidden-SentinelTemplateName": "PlaybookName",
+ "hidden-SentinelTemplateVersion": "1.0",
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "[[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]"
+ ],
+ "properties": {
+ "state": "Disabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ }
+ },
+ "actions": {
+ "For_each": {
+ "actions": {
+ "For_each_2": {
+ "actions": {
+ "For_each_3": {
+ "actions": {
+ "Send_an_email_(V2)": {
+ "inputs": {
+ "body": {
+ "Body": "Hello,
\n
\nThis is a message to warn you we believe a password you had been using has been leaked online, as part of a data breach.
\n
\nIf the following password is one you are still using commonly, we recommend changing it as soon as possible.
\n
\n@{items('For_each_3')['hash']}
\n
\nIn addition we want to remind you not to use your corporate email address to register to services outside of work.
\n
\nCordially,
\n
\nSecurity Team
\n
",
+ "Subject": "Possible compromised password",
+ "To": "blank@flare.systems"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['office365']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/v2/Mail"
+ },
+ "type": "ApiConnection"
+ }
+ },
+ "foreach": "@items('For_each_2')['passwords']",
+ "type": "Foreach"
+ }
+ },
+ "foreach": "@body('Parse_JSON')",
+ "runAfter": {
+ "Parse_JSON": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Parse_JSON": {
+ "inputs": {
+ "content": "@items('For_each')",
+ "schema": {
+ "items": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "passwords": {
+ "items": {
+ "properties": {
+ "extra": {
+ "type": "object"
+ },
+ "hash": {
+ "type": "string"
+ },
+ "hash_type": {
+ "type": "string"
+ },
+ "id": {
+ "type": "integer"
+ },
+ "imported_at": {
+ "type": "string"
+ },
+ "source_id": {
+ "type": "string"
+ },
+ "source_params": {
+ "properties": {
+ "line": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "required": [
+ "id",
+ "hash",
+ "hash_type",
+ "extra",
+ "domain",
+ "source_id",
+ "source_params",
+ "imported_at"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "required": [
+ "name",
+ "passwords"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "ParseJson"
+ }
+ },
+ "foreach": "@variables('leaks')['leaked_credentials']",
+ "runAfter": {
+ "Initialize_variable": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "Initialize_variable": {
+ "inputs": {
+ "variables": [
+ {
+ "name": "leaks",
+ "type": "object",
+ "value": "@json(body('Parse_JSON_2')['Custom Details'])"
+ }
+ ]
+ },
+ "runAfter": {
+ "Parse_JSON_2": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable"
+ },
+ "Parse_JSON_2": {
+ "inputs": {
+ "content": "@triggerBody()?['ExtendedProperties']",
+ "schema": {
+ "properties": {
+ "Analytic Rule Ids": {
+ "type": "string"
+ },
+ "Analytic Rule Name": {
+ "type": "string"
+ },
+ "Custom Details": {
+ "type": "string"
+ },
+ "Data Sources": {
+ "type": "string"
+ },
+ "Event Grouping": {
+ "type": "string"
+ },
+ "ProcessedBySentinel": {
+ "type": "string"
+ },
+ "Query": {
+ "type": "string"
+ },
+ "Query End Time UTC": {
+ "type": "string"
+ },
+ "Query Period": {
+ "type": "string"
+ },
+ "Query Start Time UTC": {
+ "type": "string"
+ },
+ "Search Query Results Overall Count": {
+ "type": "string"
+ },
+ "Trigger Operator": {
+ "type": "string"
+ },
+ "Trigger Threshold": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "ParseJson"
+ }
+ },
+ "contentVersion": "1.0.0.0",
+ "triggers": {
+ "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/subscribe"
+ },
+ "type": "ApiConnectionWebhook"
+ }
+ }
},
- "support": {
- "name": "Flare",
- "email": "contact@flare.io",
- "tier": "Partner",
- "link": "https://flare.io/company/contact/"
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[[variables('AzureSentinelConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "office365": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]",
+ "connectionName": "[[variables('o365ConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
+ }
+ }
+ }
}
}
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2022-02-01",
- "name": "[variables('analyticRuleTemplateSpecName4')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "Flare Analytics Rule 4 with template",
- "displayName": "Flare Analytics Rule template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName4'),'/',variables('analyticRuleVersion4'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName4'))]"
- ],
- "properties": {
- "description": "FlareDork_AnalyticalRules Analytics Rule with template version 2.1.0",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion4')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId4')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "description": "Results using a dork on google was found",
- "displayName": "Flare Google Dork result found",
- "enabled": false,
- "query": "Firework_CL\n| where source_s contains \"google_search\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n",
- "queryFrequency": "PT1H",
- "queryPeriod": "PT1H",
- "severity": "Medium",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
- {
- "dataTypes": [
- "Firework_CL"
- ],
- "connectorId": "Flare"
- }
- ],
- "tactics": [
- "Reconnaissance"
- ],
- "techniques": [
- "T1593"
- ]
- }
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]",
"properties": {
- "description": "Flare Analytics Rule 4",
- "parentId": "[variables('analyticRuleId4')]",
- "contentId": "[variables('_analyticRulecontentId4')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion4')]",
+ "parentId": "[variables('playbookId1')]",
+ "contentId": "[variables('_playbookContentId1')]",
+ "kind": "Playbook",
+ "version": "[variables('playbookVersion1')]",
"source": {
"kind": "Solution",
"name": "Flare",
@@ -862,55 +912,69 @@
}
}
}
- ]
+ ],
+ "metadata": {
+ "title": "credential-warning",
+ "description": "This playbook monitors all data received from Firework looking for leaked credentials (email:password combinations). When found, this playbook will send an email to the email address warning their password has been leaked, recommending appropriate measures if necessary. To learn more about how to connect Firework to Microsoft Sentinel, see the [API documentation](https://docs.flared.io/azure-sentinel-integration).",
+ "lastUpdateTime": "2022-07-31T00:00:00Z",
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "credential-warning",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ ]
+ }
}
}
},
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2022-02-01",
- "name": "[variables('analyticRuleTemplateSpecName5')]",
+ "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "AnalyticsRule"
},
"properties": {
- "description": "Flare Analytics Rule 5 with template",
+ "description": "Flare Analytics Rule 1 with template",
"displayName": "Flare Analytics Rule template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName5'),'/',variables('analyticRuleVersion5'))]",
+ "name": "[concat(variables('analyticRuleObject1').analyticRuleTemplateSpecName1,'/',variables('analyticRuleObject1').analyticRuleVersion1)]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "AnalyticsRule"
},
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName5'))]"
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject1').analyticRuleTemplateSpecName1)]"
],
"properties": {
- "description": "FlareHost_AnalyticalRules Analytics Rule with template version 2.1.0",
+ "description": "FlareCloudBucket_AnalyticalRules Analytics Rule with template version 2.2.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion5')]",
+ "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId5')]",
- "apiVersion": "2022-04-01-preview",
+ "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Results found relating to IP, domain or host",
- "displayName": "Flare Host result",
+ "description": "Results found on an publicly available cloud bucket",
+ "displayName": "Flare Cloud bucket result",
"enabled": false,
- "query": "Firework_CL\n| where source_s contains \"driller_shodan\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n",
+ "query": "Firework_CL\n| extend source = column_ifexists(\"source_s\", \"\")\n| extend risk_score = column_ifexists(\"risk_score_d\", 0.0)\n| where source contains \"Grayhat_warfare\"\n| where risk_score >= 3\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
@@ -921,30 +985,30 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "Flare",
"dataTypes": [
"Firework_CL"
- ],
- "connectorId": "Flare"
+ ]
}
],
"tactics": [
"Reconnaissance"
],
"techniques": [
- "T1596"
+ "T1593"
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
"properties": {
- "description": "Flare Analytics Rule 5",
- "parentId": "[variables('analyticRuleId5')]",
- "contentId": "[variables('_analyticRulecontentId5')]",
+ "description": "Flare Analytics Rule 1",
+ "parentId": "[variables('analyticRuleObject1').analyticRuleId1]",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion5')]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
"source": {
"kind": "Solution",
"name": "Flare",
@@ -969,48 +1033,48 @@
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2022-02-01",
- "name": "[variables('analyticRuleTemplateSpecName6')]",
+ "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "AnalyticsRule"
},
"properties": {
- "description": "Flare Analytics Rule 6 with template",
+ "description": "Flare Analytics Rule 2 with template",
"displayName": "Flare Analytics Rule template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName6'),'/',variables('analyticRuleVersion6'))]",
+ "name": "[concat(variables('analyticRuleObject2').analyticRuleTemplateSpecName2,'/',variables('analyticRuleObject2').analyticRuleVersion2)]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "AnalyticsRule"
},
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName6'))]"
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject2').analyticRuleTemplateSpecName2)]"
],
"properties": {
- "description": "FlareInfectedDevice_AnalyticalRules Analytics Rule with template version 2.1.0",
+ "description": "FlareCredentialLeaks_AnalyticalRules Analytics Rule with template version 2.2.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion6')]",
+ "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId6')]",
- "apiVersion": "2022-04-01-preview",
+ "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Infected Device found on darkweb or Telegram",
- "displayName": "Flare Infected Device",
+ "description": "Searches for Flare Leaked Credentials",
+ "displayName": "Flare Leaked Credentials",
"enabled": false,
- "query": "Firework_CL\n| where category_name_s contains \"Infected Device\" or source_s==\"genesis_market\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n",
+ "query": "Firework_CL\n| extend data_new_leaks = column_ifexists(\"data_new_leaks_s\", \"\")\n| extend source = column_ifexists(\"source_s\", \"\")\n| where isnotempty(data_new_leaks) and source != \"stealer_logs_samples\"\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
@@ -1021,30 +1085,30 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "Flare",
"dataTypes": [
"Firework_CL"
- ],
- "connectorId": "Flare"
+ ]
}
],
"tactics": [
"CredentialAccess"
],
"techniques": [
- "T1555"
+ "T1110"
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]",
"properties": {
- "description": "Flare Analytics Rule 6",
- "parentId": "[variables('analyticRuleId6')]",
- "contentId": "[variables('_analyticRulecontentId6')]",
+ "description": "Flare Analytics Rule 2",
+ "parentId": "[variables('analyticRuleObject2').analyticRuleId2]",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion6')]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]",
"source": {
"kind": "Solution",
"name": "Flare",
@@ -1069,48 +1133,48 @@
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2022-02-01",
- "name": "[variables('analyticRuleTemplateSpecName7')]",
+ "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "AnalyticsRule"
},
"properties": {
- "description": "Flare Analytics Rule 7 with template",
+ "description": "Flare Analytics Rule 3 with template",
"displayName": "Flare Analytics Rule template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName7'),'/',variables('analyticRuleVersion7'))]",
+ "name": "[concat(variables('analyticRuleObject3').analyticRuleTemplateSpecName3,'/',variables('analyticRuleObject3').analyticRuleVersion3)]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "AnalyticsRule"
},
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName7'))]"
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject3').analyticRuleTemplateSpecName3)]"
],
"properties": {
- "description": "FlarePaste_AnalyticalRules Analytics Rule with template version 2.1.0",
+ "description": "FlareDork_AnalyticalRules Analytics Rule with template version 2.2.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion7')]",
+ "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId7')]",
- "apiVersion": "2022-04-01-preview",
+ "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
+ "apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Result found on code Snippet (paste) sharing platform",
- "displayName": "Flare Paste result",
+ "description": "Results using a dork on google was found",
+ "displayName": "Flare Google Dork result found",
"enabled": false,
- "query": "Firework_CL\n| where source_s in (\"gist_github\",\"Pastebin\",\"driller_stackexchange\") and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n",
+ "query": "Firework_CL\n| extend source = column_ifexists(\"source_s\", \"\")\n| extend risk_score = column_ifexists(\"risk_score_d\", 0.0)\n| where source contains \"google_search\"\n| where risk_score >= 3\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
@@ -1121,10 +1185,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "Flare",
"dataTypes": [
"Firework_CL"
- ],
- "connectorId": "Flare"
+ ]
}
],
"tactics": [
@@ -1138,13 +1202,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]",
"properties": {
- "description": "Flare Analytics Rule 7",
- "parentId": "[variables('analyticRuleId7')]",
- "contentId": "[variables('_analyticRulecontentId7')]",
+ "description": "Flare Analytics Rule 3",
+ "parentId": "[variables('analyticRuleObject3').analyticRuleId3]",
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion7')]",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]",
"source": {
"kind": "Solution",
"name": "Flare",
@@ -1169,48 +1233,48 @@
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2022-02-01",
- "name": "[variables('analyticRuleTemplateSpecName8')]",
+ "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "AnalyticsRule"
},
"properties": {
- "description": "Flare Analytics Rule 8 with template",
+ "description": "Flare Analytics Rule 4 with template",
"displayName": "Flare Analytics Rule template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName8'),'/',variables('analyticRuleVersion8'))]",
+ "name": "[concat(variables('analyticRuleObject4').analyticRuleTemplateSpecName4,'/',variables('analyticRuleObject4').analyticRuleVersion4)]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "AnalyticsRule"
},
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName8'))]"
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject4').analyticRuleTemplateSpecName4)]"
],
"properties": {
- "description": "FlareSourceCode_AnalyticalRules Analytics Rule with template version 2.1.0",
+ "description": "FlareHost_AnalyticalRules Analytics Rule with template version 2.2.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion8')]",
+ "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId8')]",
- "apiVersion": "2022-04-01-preview",
+ "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Result found on Code Sharing platform",
- "displayName": "Flare Source Code found",
+ "description": "Results found relating to IP, domain or host",
+ "displayName": "Flare Host result",
"enabled": false,
- "query": "Firework_CL\n| where source_s contains \"driller_github\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n",
+ "query": "Firework_CL\n| extend source = column_ifexists(\"source_s\", \"\")\n| extend risk_score = column_ifexists(\"risk_score_d\", 0.0)\n| where source contains \"driller_shodan\"\n| where risk_score >= 3\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
@@ -1221,30 +1285,30 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "Flare",
"dataTypes": [
"Firework_CL"
- ],
- "connectorId": "Flare"
+ ]
}
],
"tactics": [
"Reconnaissance"
],
"techniques": [
- "T1593"
+ "T1596"
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]",
"properties": {
- "description": "Flare Analytics Rule 8",
- "parentId": "[variables('analyticRuleId8')]",
- "contentId": "[variables('_analyticRulecontentId8')]",
+ "description": "Flare Analytics Rule 4",
+ "parentId": "[variables('analyticRuleObject4').analyticRuleId4]",
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion8')]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]",
"source": {
"kind": "Solution",
"name": "Flare",
@@ -1269,48 +1333,48 @@
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2022-02-01",
- "name": "[variables('analyticRuleTemplateSpecName9')]",
+ "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "AnalyticsRule"
},
"properties": {
- "description": "Flare Analytics Rule 9 with template",
+ "description": "Flare Analytics Rule 5 with template",
"displayName": "Flare Analytics Rule template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName9'),'/',variables('analyticRuleVersion9'))]",
+ "name": "[concat(variables('analyticRuleObject5').analyticRuleTemplateSpecName5,'/',variables('analyticRuleObject5').analyticRuleVersion5)]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
"hidden-sentinelContentType": "AnalyticsRule"
},
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName9'))]"
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject5').analyticRuleTemplateSpecName5)]"
],
"properties": {
- "description": "FlareSSLcert_AnalyticalRules Analytics Rule with template version 2.1.0",
+ "description": "FlareInfectedDevice_AnalyticalRules Analytics Rule with template version 2.2.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion9')]",
+ "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId9')]",
- "apiVersion": "2022-04-01-preview",
+ "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
+ "apiVersion": "2023-02-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "SSL Certificate registration found",
- "displayName": "Flare SSL Certificate result",
+ "description": "Infected Device found on darkweb or Telegram",
+ "displayName": "Flare Infected Device",
"enabled": false,
- "query": "Firework_CL\n| where source_s contains \"certstream\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n",
+ "query": "Firework_CL\n| extend category_name = column_ifexists(\"category_name_s\", \"\")\n| extend source = column_ifexists(\"source_s\", \"\")\n| extend risk_score = column_ifexists(\"risk_score_d\", 0.0)\n| where category_name contains \"Infected Device\" or source == \"genesis_market\"\n| where risk_score >= 3\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
@@ -1321,30 +1385,30 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "Flare",
"dataTypes": [
"Firework_CL"
- ],
- "connectorId": "Flare"
+ ]
}
],
"tactics": [
- "ResourceDevelopment"
+ "CredentialAccess"
],
"techniques": [
- "T1583"
+ "T1555"
]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]",
"properties": {
- "description": "Flare Analytics Rule 9",
- "parentId": "[variables('analyticRuleId9')]",
- "contentId": "[variables('_analyticRulecontentId9')]",
+ "description": "Flare Analytics Rule 5",
+ "parentId": "[variables('analyticRuleObject5').analyticRuleId5]",
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion9')]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]",
"source": {
"kind": "Solution",
"name": "Flare",
@@ -1361,342 +1425,90 @@
"link": "https://flare.io/company/contact/"
}
}
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2022-02-01",
- "name": "[variables('playbookTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Playbook"
- },
- "properties": {
- "description": "credential-warning playbook",
- "displayName": "credential-warning playbook"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2022-02-01",
- "name": "[concat(variables('playbookTemplateSpecName1'),'/',variables('playbookVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Playbook"
- },
- "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName1'))]"
- ],
- "properties": {
- "description": "credential-warning Playbook with template version 2.1.0",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('playbookVersion1')]",
- "parameters": {
- "PlaybookName": {
- "defaultValue": "credential-warning",
- "type": "string"
- }
- },
- "variables": {
- "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
- "o365ConnectionName": "[[concat('o365-', parameters('PlaybookName'))]",
- "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
- "_connection-1": "[[variables('connection-1')]",
- "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
- "_connection-2": "[[variables('connection-2')]",
- "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
- "workspace-name": "[parameters('workspace')]",
- "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
- },
- "resources": [
- {
- "type": "Microsoft.Web/connections",
- "apiVersion": "2016-06-01",
- "name": "[[variables('AzureSentinelConnectionName')]",
- "location": "[[variables('workspace-location-inline')]",
- "kind": "V1",
- "properties": {
- "displayName": "[[variables('AzureSentinelConnectionName')]",
- "parameterValueType": "Alternative",
- "api": {
- "id": "[[variables('_connection-1')]"
- }
- }
- },
- {
- "type": "Microsoft.Web/connections",
- "apiVersion": "2016-06-01",
- "name": "[[variables('o365ConnectionName')]",
- "location": "[[variables('workspace-location-inline')]",
- "properties": {
- "displayName": "[[parameters('PlaybookName')]",
- "api": {
- "id": "[[variables('_connection-2')]"
- }
- }
- },
- {
- "type": "Microsoft.Logic/workflows",
- "apiVersion": "2017-07-01",
- "name": "[[parameters('PlaybookName')]",
- "location": "[[variables('workspace-location-inline')]",
- "tags": {
- "LogicAppsCategory": "security",
- "hidden-SentinelTemplateName": "PlaybookName",
- "hidden-SentinelTemplateVersion": "1.0",
- "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
- },
- "identity": {
- "type": "SystemAssigned"
- },
- "dependsOn": [
- "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
- "[[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]"
- ],
- "properties": {
- "state": "Disabled",
- "definition": {
- "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
- "parameters": {
- "$connections": {
- "type": "Object"
- }
- },
- "actions": {
- "For_each": {
- "actions": {
- "For_each_2": {
- "actions": {
- "For_each_3": {
- "actions": {
- "Send_an_email_(V2)": {
- "inputs": {
- "body": {
- "Body": "Hello,
\n
\nThis is a message to warn you we believe a password you had been using has been leaked online, as part of a data breach.
\n
\nIf the following password is one you are still using commonly, we recommend changing it as soon as possible.
\n
\n@{items('For_each_3')['hash']}
\n
\nIn addition we want to remind you not to use your corporate email address to register to services outside of work.
\n
\nCordially,
\n
\nSecurity Team
\n
",
- "Subject": "Possible compromised password",
- "To": "blank@flare.systems"
- },
- "host": {
- "connection": {
- "name": "@parameters('$connections')['office365']['connectionId']"
- }
- },
- "method": "post",
- "path": "/v2/Mail"
- },
- "type": "ApiConnection"
- }
- },
- "foreach": "@items('For_each_2')['passwords']",
- "type": "Foreach"
- }
- },
- "foreach": "@body('Parse_JSON')",
- "runAfter": {
- "Parse_JSON": [
- "Succeeded"
- ]
- },
- "type": "Foreach"
- },
- "Parse_JSON": {
- "inputs": {
- "content": "@items('For_each')",
- "schema": {
- "items": {
- "properties": {
- "name": {
- "type": "string"
- },
- "passwords": {
- "items": {
- "properties": {
- "extra": {
- "type": "object"
- },
- "hash": {
- "type": "string"
- },
- "hash_type": {
- "type": "string"
- },
- "id": {
- "type": "integer"
- },
- "imported_at": {
- "type": "string"
- },
- "source_id": {
- "type": "string"
- },
- "source_params": {
- "properties": {
- "line": {
- "type": "integer"
- }
- },
- "type": "object"
- }
- },
- "required": [
- "id",
- "hash",
- "hash_type",
- "extra",
- "domain",
- "source_id",
- "source_params",
- "imported_at"
- ],
- "type": "object"
- },
- "type": "array"
- }
- },
- "required": [
- "name",
- "passwords"
- ],
- "type": "object"
- },
- "type": "array"
- }
- },
- "type": "ParseJson"
- }
- },
- "foreach": "@variables('leaks')['leaked_credentials']",
- "runAfter": {
- "Initialize_variable": [
- "Succeeded"
- ]
- },
- "type": "Foreach"
- },
- "Initialize_variable": {
- "inputs": {
- "variables": [
- {
- "name": "leaks",
- "type": "object",
- "value": "@json(body('Parse_JSON_2')['Custom Details'])"
- }
- ]
- },
- "runAfter": {
- "Parse_JSON_2": [
- "Succeeded"
- ]
- },
- "type": "InitializeVariable"
- },
- "Parse_JSON_2": {
- "inputs": {
- "content": "@triggerBody()?['ExtendedProperties']",
- "schema": {
- "properties": {
- "Analytic Rule Ids": {
- "type": "string"
- },
- "Analytic Rule Name": {
- "type": "string"
- },
- "Custom Details": {
- "type": "string"
- },
- "Data Sources": {
- "type": "string"
- },
- "Event Grouping": {
- "type": "string"
- },
- "ProcessedBySentinel": {
- "type": "string"
- },
- "Query": {
- "type": "string"
- },
- "Query End Time UTC": {
- "type": "string"
- },
- "Query Period": {
- "type": "string"
- },
- "Query Start Time UTC": {
- "type": "string"
- },
- "Search Query Results Overall Count": {
- "type": "string"
- },
- "Trigger Operator": {
- "type": "string"
- },
- "Trigger Threshold": {
- "type": "string"
- }
- },
- "type": "object"
- }
- },
- "type": "ParseJson"
- }
- },
- "contentVersion": "1.0.0.0",
- "triggers": {
- "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
- "inputs": {
- "body": {
- "callback_url": "@{listCallbackUrl()}"
- },
- "host": {
- "connection": {
- "name": "@parameters('$connections')['azuresentinel']['connectionId']"
- }
- },
- "path": "/subscribe"
- },
- "type": "ApiConnectionWebhook"
- }
- }
- },
- "parameters": {
- "$connections": {
- "value": {
- "azuresentinel": {
- "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
- "connectionName": "[[variables('AzureSentinelConnectionName')]",
- "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
- "connectionProperties": {
- "authentication": {
- "type": "ManagedServiceIdentity"
- }
- }
- },
- "office365": {
- "connectionId": "[[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]",
- "connectionName": "[[variables('o365ConnectionName')]",
- "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
- }
- }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2022-02-01",
+ "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "properties": {
+ "description": "Flare Analytics Rule 6 with template",
+ "displayName": "Flare Analytics Rule template"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2022-02-01",
+ "name": "[concat(variables('analyticRuleObject6').analyticRuleTemplateSpecName6,'/',variables('analyticRuleObject6').analyticRuleVersion6)]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject6').analyticRuleTemplateSpecName6)]"
+ ],
+ "properties": {
+ "description": "FlarePaste_AnalyticalRules Analytics Rule with template version 2.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Result found on code Snippet (paste) sharing platform",
+ "displayName": "Flare Paste result",
+ "enabled": false,
+ "query": "Firework_CL\n| extend source = column_ifexists(\"source_s\", \"\")\n| extend risk_score = column_ifexists(\"risk_score_d\", 0.0)\n| where source in (\"gist_github\", \"Pastebin\", \"driller_stackexchange\")\n| where risk_score >= 3\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Flare",
+ "dataTypes": [
+ "Firework_CL"
+ ]
}
- }
+ ],
+ "tactics": [
+ "Reconnaissance"
+ ],
+ "techniques": [
+ "T1593"
+ ]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]",
"properties": {
- "parentId": "[variables('playbookId1')]",
- "contentId": "[variables('_playbookContentId1')]",
- "kind": "Playbook",
- "version": "[variables('playbookVersion1')]",
+ "description": "Flare Analytics Rule 6",
+ "parentId": "[variables('analyticRuleObject6').analyticRuleId6]",
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]",
"source": {
"kind": "Solution",
"name": "Flare",
@@ -1714,85 +1526,189 @@
}
}
}
- ],
- "metadata": {
- "title": "credential-warning",
- "description": "This playbook monitors all data received from Firework looking for leaked credentials (email:password combinations). When found, this playbook will send an email to the email address warning their password has been leaked, recommending appropriate measures if necessary. To learn more about how to connect Firework to Microsoft Sentinel, see the [API documentation](https://docs.flared.io/azure-sentinel-integration).",
- "lastUpdateTime": "2022-07-31T00:00:00Z",
- "releaseNotes": [
- {
- "version": "1.0.0",
- "title": "credential-warning",
- "notes": [
- "Initial version"
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs",
+ "apiVersion": "2022-02-01",
+ "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "properties": {
+ "description": "Flare Analytics Rule 7 with template",
+ "displayName": "Flare Analytics Rule template"
+ }
+ },
+ {
+ "type": "Microsoft.Resources/templateSpecs/versions",
+ "apiVersion": "2022-02-01",
+ "name": "[concat(variables('analyticRuleObject7').analyticRuleTemplateSpecName7,'/',variables('analyticRuleObject7').analyticRuleVersion7)]",
+ "location": "[parameters('workspace-location')]",
+ "tags": {
+ "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
+ "hidden-sentinelContentType": "AnalyticsRule"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject7').analyticRuleTemplateSpecName7)]"
+ ],
+ "properties": {
+ "description": "FlareSourceCode_AnalyticalRules Analytics Rule with template version 2.2.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Result found on Code Sharing platform",
+ "displayName": "Flare Source Code found",
+ "enabled": false,
+ "query": "Firework_CL\n| extend source = column_ifexists(\"source_s\", \"\")\n| extend risk_score = column_ifexists(\"risk_score_d\", 0.0)\n| where source contains \"driller_github\"\n| where risk_score >= 3\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Flare",
+ "dataTypes": [
+ "Firework_CL"
+ ]
+ }
+ ],
+ "tactics": [
+ "Reconnaissance"
+ ],
+ "techniques": [
+ "T1593"
]
}
- ]
- }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]",
+ "properties": {
+ "description": "Flare Analytics Rule 7",
+ "parentId": "[variables('analyticRuleObject7').analyticRuleId7]",
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]",
+ "source": {
+ "kind": "Solution",
+ "name": "Flare",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Flare Integration Team",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Flare",
+ "email": "contact@flare.io",
+ "tier": "Partner",
+ "link": "https://flare.io/company/contact/"
+ }
+ }
+ }
+ ]
}
}
},
{
"type": "Microsoft.Resources/templateSpecs",
"apiVersion": "2022-02-01",
- "name": "[variables('workbookTemplateSpecName1')]",
+ "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
+ "hidden-sentinelContentType": "AnalyticsRule"
},
"properties": {
- "description": "Flare Workbook with template",
- "displayName": "Flare workbook template"
+ "description": "Flare Analytics Rule 8 with template",
+ "displayName": "Flare Analytics Rule template"
}
},
{
"type": "Microsoft.Resources/templateSpecs/versions",
"apiVersion": "2022-02-01",
- "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]",
+ "name": "[concat(variables('analyticRuleObject8').analyticRuleTemplateSpecName8,'/',variables('analyticRuleObject8').analyticRuleVersion8)]",
"location": "[parameters('workspace-location')]",
"tags": {
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
+ "hidden-sentinelContentType": "AnalyticsRule"
},
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject8').analyticRuleTemplateSpecName8)]"
],
"properties": {
- "description": "FlareSystemsFireworkOverviewWorkbook with template version 2.1.0",
+ "description": "FlareSSLcert_AnalyticalRules Analytics Rule with template version 2.2.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('workbookVersion1')]",
+ "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.Insights/workbooks",
- "name": "[variables('workbookContentId1')]",
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
"location": "[parameters('workspace-location')]",
- "kind": "shared",
- "apiVersion": "2021-08-01",
- "metadata": {
- "description": "Select the time range for this Overview."
- },
"properties": {
- "displayName": "[parameters('workbook1-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Firework Logs by risk score\\n---\\n\\nThese are all your logs that came from Firework in the past 30 days, where each line represents a specific risk score\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Firework_CL\\n| make-series num=count() on timestamp_t from ago(30d) to now() step 8h by strcat(\\\"Risk Score \\\", tostring(toint(risk_score_d)))\\n| render timechart \",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Risk Score 2\",\"color\":\"turquoise\"},{\"seriesName\":\"Risk Score 3\",\"color\":\"yellow\"},{\"seriesName\":\"Risk Score 4\",\"color\":\"orange\"},{\"seriesName\":\"Risk Score 1\",\"color\":\"lightBlue\"}]}},\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"# Sources of all documents collected\\n\\nData per day for the last 30 days\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Firework_CL\\n| make-series num=count() on timestamp_t from ago(30d) to now() step 1d by source_name_s\\n| where isnotempty(source_name_s)\\n| render barchart \",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Firework_CL\\n| where timestamp_t >= ago(30d)\\n| summarize num=count() by source_name_s\\n| where notempty(source_name_s)\\n| render piechart \",\"size\":2,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 6\"},{\"type\":1,\"content\":{\"json\":\"# Total Leaked Credentials received\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Firework_CL\\n| where notempty(column_ifexists('data_new_leaks_s', ''))\\n| make-series Total_Leaked_Credentials=count() on timestamp_t from ago(30d) to now() step 8h \\n| render timechart\",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Total_Leaked_Credentials\",\"color\":\"redBright\"}]}},\"name\":\"query - 4\"}],\"fromTemplateId\":\"sentinel-FireworkWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
- "version": "1.0",
- "sourceId": "[variables('workspaceResourceId')]",
- "category": "sentinel"
+ "description": "SSL Certificate registration found",
+ "displayName": "Flare SSL Certificate result",
+ "enabled": false,
+ "query": "Firework_CL\n| extend source = column_ifexists(\"source_s\", \"\")\n| extend risk_score = column_ifexists(\"risk_score_d\", 0.0)\n| where source contains \"certstream\"\n| where risk_score >= 3\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "connectorId": "Flare",
+ "dataTypes": [
+ "Firework_CL"
+ ]
+ }
+ ],
+ "tactics": [
+ "ResourceDevelopment"
+ ],
+ "techniques": [
+ "T1583"
+ ]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]",
"properties": {
- "description": "@{workbookKey=FireworkWorkbook; logoFileName=FlareSystems.svg; description=Select the time range for this Overview.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=FlareSystemsFirework; templateRelativePath=FlareSystemsFireworkOverview.json; subtitle=; provider=Flare Systems}.description",
- "parentId": "[variables('workbookId1')]",
- "contentId": "[variables('_workbookContentId1')]",
- "kind": "Workbook",
- "version": "[variables('workbookVersion1')]",
+ "description": "Flare Analytics Rule 8",
+ "parentId": "[variables('analyticRuleObject8').analyticRuleId8]",
+ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject8').analyticRuleVersion8]",
"source": {
"kind": "Solution",
"name": "Flare",
@@ -1807,19 +1723,6 @@
"email": "contact@flare.io",
"tier": "Partner",
"link": "https://flare.io/company/contact/"
- },
- "dependencies": {
- "operator": "AND",
- "criteria": [
- {
- "contentId": "Firework_CL",
- "kind": "DataType"
- },
- {
- "contentId": "FlareSystemsFirework",
- "kind": "DataConnector"
- }
- ]
}
}
}
@@ -1832,7 +1735,7 @@
"apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "2.1.0",
+ "version": "2.2.0",
"kind": "Solution",
"contentSchemaVersion": "2.0.0",
"contentId": "[variables('_solutionId')]",
@@ -1861,59 +1764,54 @@
"version": "[variables('dataConnectorVersion1')]"
},
{
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId1')]",
- "version": "[variables('analyticRuleVersion1')]"
+ "kind": "Workbook",
+ "contentId": "[variables('_workbookContentId1')]",
+ "version": "[variables('workbookVersion1')]"
},
{
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId2')]",
- "version": "[variables('analyticRuleVersion2')]"
+ "kind": "Playbook",
+ "contentId": "[variables('_credential-warning')]",
+ "version": "[variables('playbookVersion1')]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId3')]",
- "version": "[variables('analyticRuleVersion3')]"
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId4')]",
- "version": "[variables('analyticRuleVersion4')]"
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId5')]",
- "version": "[variables('analyticRuleVersion5')]"
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId6')]",
- "version": "[variables('analyticRuleVersion6')]"
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId7')]",
- "version": "[variables('analyticRuleVersion7')]"
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId8')]",
- "version": "[variables('analyticRuleVersion8')]"
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
},
{
"kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId9')]",
- "version": "[variables('analyticRuleVersion9')]"
- },
- {
- "kind": "Playbook",
- "contentId": "[variables('_credential-warning')]",
- "version": "[variables('playbookVersion1')]"
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]"
},
{
- "kind": "Workbook",
- "contentId": "[variables('_workbookContentId1')]",
- "version": "[variables('workbookVersion1')]"
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "version": "[variables('analyticRuleObject8').analyticRuleVersion8]"
}
]
},
diff --git a/Solutions/Flare/Package/testParameters.json b/Solutions/Flare/Package/testParameters.json
new file mode 100644
index 00000000000..392dfab212e
--- /dev/null
+++ b/Solutions/Flare/Package/testParameters.json
@@ -0,0 +1,32 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "FlareSystemsFirework",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ }
+}
diff --git a/Solutions/Flare/ReleaseNotes.md b/Solutions/Flare/ReleaseNotes.md
new file mode 100644
index 00000000000..219c02a2cdb
--- /dev/null
+++ b/Solutions/Flare/ReleaseNotes.md
@@ -0,0 +1,12 @@
+# Release Notes
+
+Release notes are available starting from version 2.2.0.
+Earlier versions did not have published release notes.
+
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------|
+| 2.2.0 | 11-12-2024 | Fixed Analytic Rules to handle missing columns using `column_ifexists()`. |
+| | | Fixed risk score comparisons (was comparing numbers to strings). |
+| | | Improved Analytic Rule descriptions. |
+| | | Added `ReleaseNotes.md` file. |
+| 1.0.0 | 21-10-2021 | Initial Solution Release. |