From c94d464f8c3401e1354ea36d9e39a65830cf4226 Mon Sep 17 00:00:00 2001
From: "jean-charles.verdier"
Date: Thu, 11 Dec 2025 10:57:24 -0500
Subject: [PATCH] Flare Solutions V2.2.0

- Fixed Analytic Rules to use column_ifexists() for defensive querying
- Fixed risk score comparisons (was comparing numbers to strings)
- Added ReleaseNotes.md file
---
 .../Analytic Rules/FlareCloudBucket.yaml | 7 +-
 .../Analytic Rules/FlareCredentialLeaks.yaml | 6 +-
 .../Flare/Analytic Rules/FlareDarkweb.yaml | 23 -
 Solutions/Flare/Analytic Rules/FlareDork.yaml | 7 +-
 Solutions/Flare/Analytic Rules/FlareHost.yaml | 7 +-
 .../Analytic Rules/FlareInfectedDevice.yaml | 8 +-
 .../Flare/Analytic Rules/FlarePaste.yaml | 7 +-
 .../Flare/Analytic Rules/FlareSSLcert.yaml | 7 +-
 .../Flare/Analytic Rules/FlareSourceCode.yaml | 7 +-
 ...nnector_REST_API_FlareSystemsFirework.json | 4 +-
 .../Data/Solution_FlareSystemsFirework.json | 9 +-
 Solutions/Flare/Package/2.2.0.zip | Bin 0 -> 11444 bytes
 .../Flare/Package/createUiDefinition.json | 48 +-
 Solutions/Flare/Package/mainTemplate.json | 1588 ++++++++---------
 Solutions/Flare/Package/testParameters.json | 32 +
 Solutions/Flare/ReleaseNotes.md | 12 +
 16 files changed, 850 insertions(+), 922 deletions(-)
 delete mode 100644 Solutions/Flare/Analytic Rules/FlareDarkweb.yaml
 create mode 100644 Solutions/Flare/Package/2.2.0.zip
 create mode 100644 Solutions/Flare/Package/testParameters.json
 create mode 100644 Solutions/Flare/ReleaseNotes.md

diff --git a/Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml b/Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml
index 01bd158a27b..286cbf4bcf0 100644
--- a/Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml
+++ b/Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml
@@ -18,6 +18,9 @@ relevantTechniques:
 - T1593
 query: |
 Firework_CL
- | where source_s contains "Grayhat_warfare" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
+ | extend source = column_ifexists("source_s", "")
+ | extend risk_score = column_ifexists("risk_score_d", 0.0)
+ | where source contains "Grayhat_warfare"
+ | where risk_score >= 3
+version: 1.0.2
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Flare/Analytic Rules/FlareCredentialLeaks.yaml b/Solutions/Flare/Analytic Rules/FlareCredentialLeaks.yaml
index 4f50f737d69..fe7c404c2ef 100644
--- a/Solutions/Flare/Analytic Rules/FlareCredentialLeaks.yaml
+++ b/Solutions/Flare/Analytic Rules/FlareCredentialLeaks.yaml
@@ -18,6 +18,8 @@ relevantTechniques:
 - T1110
 query: |
 Firework_CL
- | where notempty(data_new_leaks_s) and source_s != 'stealer_logs_samples'
-version: 1.0.2
+ | extend data_new_leaks = column_ifexists("data_new_leaks_s", "")
+ | extend source = column_ifexists("source_s", "")
+ | where isnotempty(data_new_leaks) and source != "stealer_logs_samples"
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Flare/Analytic Rules/FlareDarkweb.yaml b/Solutions/Flare/Analytic Rules/FlareDarkweb.yaml
deleted file mode 100644
index 39128e15e0c..00000000000
--- a/Solutions/Flare/Analytic Rules/FlareDarkweb.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-id: 9cb7c337-f173-4af6-b0e8-b6b7552d762d
-name: Flare Darkweb result
-description: |
- 'Result found on a darkweb platform'
-severity: Medium
-status: Available
-requiredDataConnectors:
- - connectorId: Flare
- dataTypes:
- - Firework_CL
-queryFrequency: 1h
-queryPeriod: 1h
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
- - Reconnaissance
-relevantTechniques:
- - T1597
-query: |
- Firework_CL
- | where risk_reasons_s contains "CYBERCRIME_SOURCE" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
-kind: Scheduled
\ No newline at end of file
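Review bot: The new `| where risk_score >= 3` in FlareCloudBucket is open-ended, whereas the removed predicate matched only the values 3, 4 and 5; if Flare's risk score is a 0–5 scale the two agree, otherwise the rule now also fires on higher scores, so the scale should be confirmed and stated in the rule's description. The same rewrite appears in FlareDork, FlareHost, FlareInfectedDevice, FlarePaste, FlareSSLcert and FlareSourceCode. Separately, `column_ifexists("risk_score_d", 0.0)` makes a missing or renamed column yield zero rows instead of a query error, so a schema change in the connector would silently stop these detections; a KQL comment on that line, `// absent risk_score_d defaults to 0.0 and suppresses all alerts — watch for a drop in rule output`, keeps that trade-off visible to whoever tunes the rule.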
diff --git a/Solutions/Flare/Analytic Rules/FlareDork.yaml b/Solutions/Flare/Analytic Rules/FlareDork.yaml
index 43a16a7f97f..76d8e962b1c 100644
--- a/Solutions/Flare/Analytic Rules/FlareDork.yaml
+++ b/Solutions/Flare/Analytic Rules/FlareDork.yaml
@@ -18,6 +18,9 @@ relevantTechniques:
 - T1593
 query: |
 Firework_CL
- | where source_s contains "google_search" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
+ | extend source = column_ifexists("source_s", "")
+ | extend risk_score = column_ifexists("risk_score_d", 0.0)
+ | where source contains "google_search"
+ | where risk_score >= 3
+version: 1.0.2
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Flare/Analytic Rules/FlareHost.yaml b/Solutions/Flare/Analytic Rules/FlareHost.yaml
index 69c5b24fd50..8499764be1a 100644
--- a/Solutions/Flare/Analytic Rules/FlareHost.yaml
+++ b/Solutions/Flare/Analytic Rules/FlareHost.yaml
@@ -18,6 +18,9 @@ relevantTechniques:
 - T1596
 query: |
 Firework_CL
- | where source_s contains "driller_shodan" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
+ | extend source = column_ifexists("source_s", "")
+ | extend risk_score = column_ifexists("risk_score_d", 0.0)
+ | where source contains "driller_shodan"
+ | where risk_score >= 3
+version: 1.0.2
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml b/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml
index 3d5cc7c7709..18b4e6bc5ce 100644
--- a/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml
+++ b/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml
@@ -18,6 +18,10 @@ relevantTechniques:
 - T1555
 query: |
 Firework_CL
- | where category_name_s contains "Infected Device" or source_s=="genesis_market" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
+ | extend category_name = column_ifexists("category_name_s", "")
+ | extend source = column_ifexists("source_s", "")
+ | extend risk_score = column_ifexists("risk_score_d", 0.0)
+ | where category_name contains "Infected Device" or source == "genesis_market"
+ | where risk_score >= 3
+version: 1.0.2
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Flare/Analytic Rules/FlarePaste.yaml b/Solutions/Flare/Analytic Rules/FlarePaste.yaml
index bd5449ff09b..009082b323d 100644
--- a/Solutions/Flare/Analytic Rules/FlarePaste.yaml
+++ b/Solutions/Flare/Analytic Rules/FlarePaste.yaml
@@ -18,6 +18,9 @@ relevantTechniques:
 - T1593
 query: |
 Firework_CL
- | where source_s in ("gist_github","Pastebin","driller_stackexchange") and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
+ | extend source = column_ifexists("source_s", "")
+ | extend risk_score = column_ifexists("risk_score_d", 0.0)
+ | where source in ("gist_github", "Pastebin", "driller_stackexchange")
+ | where risk_score >= 3
+version: 1.0.2
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Flare/Analytic Rules/FlareSSLcert.yaml b/Solutions/Flare/Analytic Rules/FlareSSLcert.yaml
index b11c5d47b21..cf132ddfd81 100644
--- a/Solutions/Flare/Analytic Rules/FlareSSLcert.yaml
+++ b/Solutions/Flare/Analytic Rules/FlareSSLcert.yaml
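Review bot: Splitting the FlareInfectedDevice predicate into two `where` clauses changes what the rule matches, not just how it reads: in the removed line `and` binds tighter than `or`, so the risk-score test applied only to the `genesis_market` branch and every "Infected Device" category row alerted regardless of score, whereas the new query requires `risk_score >= 3` for both. If that narrowing is intended, the commit message and ReleaseNotes.md should say so, since operators will see fewer infected-device alerts after upgrading; if not, the original grouping should be written out explicitly, `| where category_name contains "Infected Device" or (source == "genesis_market" and risk_score >= 3)`. Either way a one-line `//` comment in the query stating which grouping is meant would prevent the precedence ambiguity from reappearing.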
@@ -18,6 +18,9 @@ relevantTechniques:
 - T1583
 query: |
 Firework_CL
- | where source_s contains "certstream" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
+ | extend source = column_ifexists("source_s", "")
+ | extend risk_score = column_ifexists("risk_score_d", 0.0)
+ | where source contains "certstream"
+ | where risk_score >= 3
+version: 1.0.2
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Flare/Analytic Rules/FlareSourceCode.yaml b/Solutions/Flare/Analytic Rules/FlareSourceCode.yaml
index adec624539d..511f81c184b 100644
--- a/Solutions/Flare/Analytic Rules/FlareSourceCode.yaml
+++ b/Solutions/Flare/Analytic Rules/FlareSourceCode.yaml
@@ -18,6 +18,9 @@ relevantTechniques:
 - T1593
 query: |
 Firework_CL
- | where source_s contains "driller_github" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
+ | extend source = column_ifexists("source_s", "")
+ | extend risk_score = column_ifexists("risk_score_d", 0.0)
+ | where source contains "driller_github"
+ | where risk_score >= 3
+version: 1.0.2
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Flare/Data Connectors/Connector_REST_API_FlareSystemsFirework.json b/Solutions/Flare/Data Connectors/Connector_REST_API_FlareSystemsFirework.json
index a02378a4b9e..254a8183040 100644
--- a/Solutions/Flare/Data Connectors/Connector_REST_API_FlareSystemsFirework.json
+++ b/Solutions/Flare/Data Connectors/Connector_REST_API_FlareSystemsFirework.json
@@ -70,7 +70,7 @@
 "description": "",
 "innerSteps": [
 {
- "description": "As an organization administrator, authenticate on [Flare](https://app.flare.systems) and access the [team page](https://app.flare.systems#/team) to create a new alert channel."
+ "description": "As an organization administrator, authenticate on [Flare](https://app.flare.io) and access the [alert page](https://app.flare.io/#/alerts?activeTab=alert-channels) to create a new alert channel."
 },
 {
 "description": "Click on 'Create a new alert channel' and select 'Microsoft Sentinel'. Enter your Shared Key And WorkspaceID. Save the Alert Channel. \n For more help and details, see our [Azure configuration documentation](https://docs.microsoft.com/azure/sentinel/connect-data-sources).",
@@ -129,4 +129,4 @@
 "link": "https://flare.systems/company/contact/"
 }
 }
-}
\ No newline at end of file
+}
diff --git a/Solutions/Flare/Data/Solution_FlareSystemsFirework.json b/Solutions/Flare/Data/Solution_FlareSystemsFirework.json
index db0b3858daf..6edb2c3ee21 100644
--- a/Solutions/Flare/Data/Solution_FlareSystemsFirework.json
+++ b/Solutions/Flare/Data/Solution_FlareSystemsFirework.json
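Review bot: The reworded first step still leads into an instruction to "Enter your Shared Key And WorkspaceID" in the Flare alert channel without saying which key that is or what it grants; the Data Collector API this solution depends on accepts either Log Analytics workspace key, and whichever one is pasted into Flare authorizes log ingestion into the workspace from outside the tenant. The step should name the key (workspace primary or secondary key), tell the administrator to treat it as a secret, and note that rotating the key in Log Analytics requires updating the Flare alert channel, for example `Record which workspace key you shared so it can be rotated when the alert channel is decommissioned.`. This is documentation only, so no change to the connector definition itself is needed.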
@@ -1,8 +1,8 @@
 {
 "Name": "Flare",
- "Author": "Microsoft - support@microsoft.com",
+ "Author": "Flare Integration Team - support@flare.io",
 "Logo": "",
- "Description": "The Flare Systems [Firework](https://flare.systems/firework/) solution allows you to receive data and intelligence from Firework on Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs. \n\n a .[Azure Monitor HTTP Data Collector API ](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)",
+ "Description": "The Flare Systems [Firework](https://flare.io/platform/) solution allows you to receive data and intelligence from Firework on Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs. \n\n a .[Azure Monitor HTTP Data Collector API ](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)",
 "Data Connectors": [
 "Data Connectors/Connector_REST_API_FlareSystemsFirework.json"
 ],
@@ -15,7 +15,6 @@
 "Analytic Rules": [
 "Analytic Rules/FlareCloudBucket.yaml",
 "Analytic Rules/FlareCredentialLeaks.yaml",
- "Analytic Rules/FlareDarkweb.yaml",
 "Analytic Rules/FlareDork.yaml",
 "Analytic Rules/FlareHost.yaml",
 "Analytic Rules/FlareInfectedDevice.yaml",
@@ -24,8 +23,8 @@
 "Analytic Rules/FlareSSLcert.yaml"
 ],
 "BasePath": "C:\\GitHub\\azure-sentinel\\Solutions\\Flare",
- "Version": "2.1.0",
+ "Version": "2.2.0",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": false
-}
\ No newline at end of file
+}
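Review bot: Removing `"Analytic Rules/FlareDarkweb.yaml"` from the rule list drops the template from the 2.2.0 package, but it does not retire rule instances customers already created from it; those presumably keep running the deleted query, including the string-typed `risk_score_d` comparison this commit fixes elsewhere, and nothing in the solution will update them. ReleaseNotes.md should state explicitly that the Darkweb rule (content id 9cb7c337-f173-4af6-b0e8-b6b7552d762d in the deleted file) was removed, whether its CYBERCRIME_SOURCE coverage moved into another rule, and that operators should disable or delete the stale instance themselves. The author and URL changes in this hunk are fine; only the release-note wording is missing.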
diff --git a/Solutions/Flare/Package/2.2.0.zip b/Solutions/Flare/Package/2.2.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..7d1feebe6c88bc503132cbdc778b991fd5436e2b GIT binary patch literal 11444 zcmZ{KV~{31)McA9ZQHhO+qP|Erfu8S)3$Bfwx+G8Ilc3K`)hY=lOL(vo4QHmoJ!r) zJxa3R5NIGEATS_HzR|h}457dbSP&3IdJquIe^yf$b7MDib!#zm3u^~!H)}@+1{+sL zhaH_Shb=CY?>a;`jh6a9gG2Y%nq|Q`UHdE;jP022zVVl*>0thw30&~U(g%v zn}r)`1X2IZwCpnXB$IDxTWhwQIl}Ovw^taV*Q!_)IqiCA;X^$O;ONnzbOy_aiJWpr z!dD{h57OMU+bb_lKRf|!bErCq*)eFS%ppTV!b3T#gAk2_Y(1WPhM(W&E$^~SC8a23 z?P8*`J;;d*8gqK>x7ux3Xw8~d)$>tS>1i~(7Sr`;_&B&%17ngPAi^apa>LJ#0YdA* zLqrR&dT3S(dW0%WRSWTDzsr2*=0xO7TFkF(DbsoiA7_K?k$P_|`1IqY?V`wL7c(4| zsI|gZULNt25D{*LOn0kMNuE`Y&uB9!QD5|YXx9P#heJNE7q$;40y3(@;T6H(e41xA zOt0Y{?VMQs4Pq9^KW66xmiAFXGSgJ%LZghMSnZKQ8sns;70-KCSSaaV0=&L%1;0a4 z9Xm?Xojigd9d#xRo@mJ7AvtYNewdVQT2EA~IqEe&;SHq#t^J8WDPVCzQs|AMoIC(e zdV%#Ej*Qa`+8LV-^q7?pEqR?pH=<#q%!S>RWr936Pq|?2W89yL+kw_$$!x_fkPRYAA*1=rZ80yq zr__B&n*0`+f}gLBw3M5i&rqzj>Gt#;7rYdPw6e&iV<}1;rpTMl8a4bDD6x+gyVG`& z!JhpVo22;BJ$8%U!THSlxX%1v&Zxd z@tfaieA)c1a3QM(Ra!EG5X_y$U%-}6dh2bHN3>YX%h#Vk`Of@E@S2J#&do$p~jTP|C3V5&ZO`-)ncWSyl%|B}e&n?pl4VSPC_o>|+PLfwfakqpp zOA^npnurd%U*?6>qTLoe@OE$;1x#kZQwt~6wItOrS&0Ys=woSFW+=^il)*fB%AHCv z1~;Xc_mDvNinBao;}AloJNj8xB@; z^-8}&bV)=_Gzxk3&=phy(QwQqeJg8#M(Y8`j2cTE>OnVFKFM$qpY~3tMnI=-#TaQg z;r1m$BQrL|>%f=(<+;l<{I#nudo!Fxvk>|&I);WheV~rE->S%fTz1ju&x3rP@CfR@ zL^N~96y0*wzU0@rkRp{;w`Cmp*^qicS1XQO&ambexnZ?1W$VZ&d2(``lcPqfCGje% zSl0pU)Cmz`Wn?yS`jt3iUqjn^Yw~r0B~?=D<&z`cXSAC6`)>R?+YxPQqRgS}N~xQb ztYOxPSgZUM&a?(~VNM3`ct2!aW`hIYo{iyn4cpvoj?fhw8|<^S-Az9qH59r7Yl}Pl z!o`(;mo&U zo9U492XRn*mFTpfM<1T1fQN)&x1ejDvRw$!Rpuk2wv}v|1YVh&(L;ehy_wCsGKZbp z)}$HLvqhvLR{5iCQhT~s_m9T+DfKdK(H-WZul!|K)oT9n>W4o8Eew`z)%w&g<_diS z_p%on8ifLuVo^pJQGfxHDEpgh^sKlF1NX`I+h|6K?RUKO$aeKLW88?XmPJishjOPj z(QTbFXvysp30-o`j2syvIY4N{%PHI>A>G!=5(=fSB-3Wb{oIdYJp2`524d1JWo5AM zr(Y;#3ywj3T&rPO$t`JpZ*hl?*V&OZgAV3T^g|4IQn{`frwim7{43W+j`Vj!Mz@ig 
zBZG2hQL2vF)Z-5Tv_w6SE)$XWkVu`&-{?Q~216BFuLeoY(#H?_iOQ)g79G}t6$xyB zW)w2>9Fj{6^0yO~d-fZaj4g5GgT(sxDV*2>Ds6u{ZV5PmQGUmwO(zj(_I0(qrd2?a16z>NONcs&Cd(c z6FdFuVOdjxR_F%&y>Ba%(b%E0GsyHy*heI%SSUsH)V< z%?6ho?NU?1C5MB5(2BQV+5+1CTB(fABE7hlFOkGm;JOBJEKQO;DeT?kKV?goWc%`r zSf%zw))0x-vk%a!XS=B4Saym5C>`gv_tMSmsj4;tRcH*^FX8JwF0By$Fn>erAS z$~K{yC2GDs(eg^mV|`}wN{>o{*Xc^9u6i!Z>4X=S^19`A(HY`MS%tAm)M%IN+fl^0 z_b}$j8bvL!4W!Rf{J00^NbC9^gu_>!*g9L!8(BvTAd;x@G>0Q?ifRmKKNqi+Sy6~b zl$h4I9EMhVf1STCe1j_eAIaRb1XlwA2?z*-0w@Ubzhutd*xEtO+}_FVUrP5sY23BG zuj>&<()VuxNCjW_)+(~Cr2Ne7<3q2cYR0BW$15^*P8Vxplq9Dz7^r|Ns;0-CIvhV3 zGGP?7(gw-ZD~%-N`zr^w&fhyA0=*&?&$ok_3Dgcf5;c)2fnNSjNPimzM+69xsqaq& z{@RXC^bVCRa5~TPUj16(=DWf3K-5F=vO_p=m|(lBC;RxO%=m88z}@uBV2ot^O{%AK zD$2R@CHiXk>McX&(Gc=iuvY}85F>8__DJat8qqbV)=zpAPj=GJP4*7WJs|@U^ypy= z8Ew5>j=l6fYmf;-t=D*0ZY6P{U_QdRB+ITx{w>wzb{sg?KvKwGZVDa^VJ^BTT@Dh zUz8RyWR3K*{Fyb`iXvi5VklEgfSAEK(Tu8JglM`PpZYeDOr+>{Z*=GRw%q!(E3Y8y z##@}*-?)xHOzG|4+mh#=K^2T-0}Rbk#~}s31z3JDf?Xvj@Qwd28iRGGh=4mrQ6P+n zmdKG;zxTwX0)VK63g$2Oq5C7-oNP4}+NK4uUpx&M_XeNb%=)rukn}52l}HV%AUBB> zC_ux41%Z%&p+-YTLEJ}xf43|dz)apKeEM5D-qxBdzUxJwsZr^3xPI~9z`uFnz`gNu zNMH)QoF?&r@hiYko)az~$kiu`aSo?1QxY(#A#uY;oiUkR^=<`vq#I}H*mAlOPpEwg zaR*{lrN!;AL{P$!V8yetMw>+n8Y$e*lWxLMs><=R2ZQmmNXhs~Ro>oI5PH5Gif=`k zUrdH3RsLkgbdiC0&b_e)R&VhO@bd8ALdKT-b8>ND|)jBnVn z6EZNd&Pw<^V4L5(0G`j7d5bE^@(bGmbu>*D?y?6BjrNk+A@Gwr647@lD58r8^jle` zUlJFrHF0(Fr?W-Qr1zqjjoN$+M|n}lA3f=G0Erx|_~G>j1rb7ZLv5`r{ORiMMZ1D! 
zIsfAYAuCE{h<+C=S`0}eT4yAnK$f@qX%Y-uJ4$2gwxMV|B@Wi&)H`ZHiEpUDFQ3Qu zuufLx#aT;2+jK2UD`TP%J`50A(mNCh{|@V$D>?12^jsI)H~N)Hd;WDIYxM<5kcYdT z{gsm^KjAcu{&a9GixsBIKybUB!6U;VLEt+*9tQaGgO;6?*iW4ZYxpC+$JL0iJID7h zb@v@X+Vzf5_j|Usb=L%*@ce{?SCC{)bM|hUn}_F5Os8efEHgo_M_BlAH!B~0UT)6Q zcGFT`mz9)bdCo5PiT43AL!p73#Qs2>JP_W%Qlg$rlxdD-*afQr{SA=7-2->}WO9n9 z&McX_9PX}_%>D1*a#m06>O*ThYYhI+!E`q6b5fD?ULR-6a%R;s&FwImQ=H0l)(+|# zN1NelH-o3HLbxg|e~MR^#!V@o>DrBQn!{!^D-G$YP@P#Ub2-FQGm(@0FKRQjtAfU0 z&Jxr#ca703fZbJ1+F#3(J=3*Q=QM}ieD*>n!*w-)+Y)`6yU8Ms27vgdo5FQgV=Cvd zY?@ma)^!$_>8v}5`)qYunf%$+2c!xhBo$YZy}CiT zRv1w)JBJmCMj_6pM5Ce5lpT5ZG>+AFC7yh%6d41JlM5kpAVXv;iR&qpIDfo=01{9+ z!w3L5WT1HdVhrf}hhU(XsmVbULR|t|hy)@UjAP$Y*&#r+ev_|?k;Q*3Pk{H)EAAoowTH)?5M&TwkRaLn!FE)U}Dq*Vp`-G&W zpqgyK?3EtUv+AWT&3n?{l(p%5!d#S5arJgryc9b}K#O@`mF?GAntz+C*E08&2bcl@ zmG|`8IBn*`{(x}*2Dm%yTp0L+JY&ac@;h)@)An8R5LF@9uq#^|N2rI`wPgSxGP6+01G8TA>zX3SZ{O%W8~Qa^L;K=0v-+YDQ-~R$LT;EHv+{s zD`^f+n)v6Kn6pCMeuk!d5~h4UMDjD0-|Z8%f7oqtE$4kgkjXr{!ff#Sm{<=l5K7> z%bf#B?J%9TJf{1IS242F9IH_pc#ri7^^d*rVgtiHy>*&zm?%vbXs+*=%8wF`^Jw24 z*(3u7tuh&QLZNd;-^s4(es$D|MeHzkIfgDYu;pH`K_fD6GGg!S6r#i{1VwsKu9B4z z=wG|W#Cr|Sa(=WbP&t8|kSs!d}xJ@d!I$B&2R@39ql9s)&dHNphH&%uagZ zh8$S_bW+uTs6SRsez6kksKZKh=0s%d;DhCAA!%O5-wo`}_}9hcavNgshz(#$sF!vw)G)R>fteBl+t$=I)_GU>}S3 zPPOz}$m+_EHa!wab5hPzmG)PgDXx){Nf_|(S;snGyMOr>orowhP=S;zjwD!}TvB0! 
z91HxJ(Q3P@8Nk#e%%_8}5P%_VWs;^MWJ!ijJ^}m{48I4oE^h`_$tVR=Xg~8Xq!ER$|EpP)2<@Z1?A4k-ar|90^j&#I{Qjb5)@7(F4;h&(o1^*QD5Uzaf2f$Zz*)C|baZ}5 z0R%4NjoYNGDa>z9&*_rYz{?okgUJ>0Sl%M^KH$9EhGs) z{`h;?m5frWvX$U~E_xM*@+dQ$TLti@y!B_V(Wt!tzyR3+d06}i+g%#hnS}(e4B{w0 z2>ku85=Z+9c|}`1Lx>T=&rqrBAiz&FiIA`JHe_PR%XI=Yro1I4p}yILinAO7AP?o( zYl-XU%3V9_6+y1s_`$@)!G-qi-PKcx5Pfq|zcj}TuOwRRj zi5nH@{-LP(DoPvI@r(1%SjjP+Nu6{yH(UJ&AwG}~drNICI&KzlV)Coua2pb_9*B&R zzdZz}GT`?J*--2GgkrG->r?iB+pZWd`Ya>foI{aw%^K98(}*(kaI|!ksptfV(&0uu zJT_sR4)u|}*w8y?@tI+ZSA2C8ykqZ_13IEw?T7EPm#34abM@A%9-NYtp-W9q!h#Tg zg0*qrFk?&m<*eehRjwi{b3#p)D7Kzx))bXufEgKAonqU%+4W;^>NwW8<2Z&s#>X|J@KSaful-Y;Jn9B~GJdwall^;#!+SlGk3ll01DO?gZy1 zQYH0DHDxs+tGW4-T0xvGOUsvEk9JOfJ!g+?3Z_)g+N%nNN(|SYH*GLi#yh*=m{~&g$^;DbfhWtgp z+DAchj{9=32Pby#DKtJE4Ot z<@}_u=Xd>{4Nw2~gQyTwDP* zFbm z1TWO5ijn7P2lyRY_L}Dwuqj6Lo5TO8K9kWC*l!4pjf|og9QeZ$TlCW?=IzSa6A@M# z%uN9F9d^Q)^bhc(2FR3*n*kft*P3XyATNkgeXO5xAvEK*e{+2eaCSQEGBR4EcBaUX zEg7XhH)L8H@`9_E7yBLmEc&F{*Wxs?0R~g*O{B(N{oYQDGA*Bw74J{(B1ZKs@o`7| z1~ypDvsktUk84VBL|kR@8IN5o(oo-gs$6!OBc#;OxanMmqiWmUsKco`1775JHdAoA zQ=ZaH&2u(VV@JOumVVuos6*ahNR%+dH_tWv6BCur90b)^o2od zZsiJ^=`v7B{;VhhKtkaa45>!ixvoQ2=+ktSU!5oqYmR?9Q}#C?ZaiOYoT}Vdgn`gD2 zXGO)eU^FeSRsB(v8D=5!O0zREcS>bG75VUXIcA|+HF?Ry$d9fMT1*RTRyL;m;-`5L z;L_$>O9Im#H$-U*H;2}H^)M1{SzDY*kDoWuw-#(-lPYF8X~RDUBOeK4M#{F~8Q=Q} zBj1oxO)R1+ash>m6FfZ9w3*W`XYe3%#6k_3!^Evq9Cr2R$u=RB(cRjeg;5s6<}(RK z*(ZTUlXf;gqLqB|lk7Z!53SNFmuoRo)#hF8C*^P5tMjLlYUfvjwwc!gkVoDfH(O{E z4mmUQ9Nv=e`mVOR@8?PTV*D9SeY)Dci94cIyh`+BFex|L@OPy2^*~i0=)#yzOi*-a z>cNxi`&A-A*B)3mkwY~WWNOIWkT^%G91{`B+NXk8UtQ%@AVa0595!FoZp(8 zc8#IvAn+sVtcr0AAEygjqNPpbDj*L1 zcRlJrQo_AsnDc7vC`U$IuOrnpVKyXY9@)00QaAtw!D@v4kXn(WiszCC>H3U<{Y~F2 zcTh!_D2lVLYsIArsNJ6F-M$o*ZJ9gN1n00?xKN3e$@-McXcL7gOvIpi?gfL8?S-NJ ze6JG!b4m+J1tZ`8d5`A)TW+M<(&Qk^ERw`THmG!SwR<(~a;(JRA*H*jhHD?m^mP^lO{5YAZel< zKE3^vSNxqz`#D+}%debgh48r}Wp?^5{(EAm^|r^g80e&A^Rg4}X;p&6Z$>beDnJ8?kHj?J#G`Hv`?? 
z``mtZpD2gohhX?;b}!-IM~osZG?d;lF&I7yq`y#x+;WeUR#JR21p97k0ij-I+v*As!er%`#s&e&0-v@}|cP;P8hmXVJa@R!mA&~8bD&&VDn4mwn>x~TwCsw4yHzaZQ}=PYk$M7zb|K^a2rpizy>I!wSZM4M71Cg z_&|RL5N%eW$5L&CFo1ELps*gQs}`vlj`EtwtWY6XVEQ0xVZyhsGYkGO&lyEjuBuDJ z_q*s<4Tf^>>vE0lAPWBOeLFeJ?O8N#eVy*Zl15*wUjK<{ucNoV-I>XaKh zJ#-r55TV{LPA!@xGo5nR5-W#g@UrImq$Q{lS6tw7#fC)rWz@)?hGRjy)uOs3A8C)z z^i4-hEqc?Jq~S$RrmE%74L&MOh1Jesk@qL+>~!Fsnb$!}g}L4I|kk z94ht;?)uUQGYwf3OELsf07>7EbOpNeo^Dn&&my^xZwzw>)9dh8mAo`4wJLCmef%(~ zRii{Hl~an%H-j45{@*Lqi^ALHE7x=wvuitxo)sxPdg8bI8I;NoSF)vTsgnTeVu{cp z3~-L9aCHP73vsm+1%{e8jQWqAYFh#@xb#aK)+dhcVe7NnyTs)ObLISekHvCCp!A3X zv2foAn3^mYE2=e_PiHbCH-0=U^tzwtZJ)rEAL3d<*Km(Q%(zO)`0QDoX;LeL-_;Dc z`}{|yxc(GX-TYG~D4N+`jXT7J_;ZJ^CS^$R(Qtm(?JeQH3q`6qq`m*?ZXI{< z)>p*G4qwOAB`YFvuj<>QXH+k6=Pv2g(2+6U0%9#hHS|bOc#jh$$U~9+8yC!SUYRQe zC^pT9o!1uJ^qKCI0CbH%=h((l$}rS=Pg>Ra=*x8?p_ta~(PC>|sKSeWhw3bScFgZj zP*l_$qkzxzu@zqxk{%qoMLk5k3qVC?GE4|GOMos=v4Lus#jC(Qgi`xa^peuFK5o_^ z1#ZQ?{us92K{(ycg9N;mjED2a{(7ecdH@CJF)bS+dRHUcH^sG=y!Tp2YVy;v%ux_y zS-Qd@DJo+@%1QG3k`Kgqs~eZ6T+F%aL&M=}lEP2~%eew2&%{ctbML6~TY6d{*hRmq zq}gUmQ+_2{lEFze-#OE`)?xs~bm{NNa5?af4} zY|^X0Mx?ARL1d9Bv#G|X8MnH)FklZyJe`Nn9yQ)~EtEgl>wF{r=okVM@ZehdZVE5` zOw@dRcZOa%!$%Rd$`sPk4Kh30<2oO>Y+uA0CU0WNal~&EBknl(zW8gW?Gp)1feHNZ zYujRgZXFPaYnrG&g$GxB4ty0Z(-FUhw)lQR5mJuF9S=9?w?m|+vjP31yE}yxWZa$Y zT!r{pMZqc9Lcc`lAJU^bKF+?0cU2B1h(hGfa2u_vL68}O5pfBMApL`Wz3~n|9lPY# zi+!9)wly)?n0CVmddCY4I@{ZOY5W6)rDNbpPz9ipa~@ZA5hnOM3wBXI*qs{4K)UES zBAaHFfiHLep6Tyz3tQ(yWIC8_ew(+Vs1epP_F)C|aNDgY5>Dn-LPEW{x-8xgO|`tO z8C))~F;HB@IW0HOmzQTl*EI;g15f(l0}#+;TQ6ImMGY+7^VM#Ce$}tcy~5s*3Ny!> z3I~!_y%!GM$yKMCF_bH7AL5VFF^d~d*0a2EVLsz4VNDX+EnHW~h#nZhVA?I$*%Y4} z@pQ;3-tCztf^$L2JVlE`ixF2enmm&|=6jJGSZB*J)x=oGm^yD#Q@l~-RpRZzDF2e( zG52ons9iwFqhvkRyiyI^k+i~+f)hYpM9c_`seQy%;d_N*)D!k2Hv?KSKd za$xf!Zd_CDxLZK_2nn!B5)?YbxyNVU`m=Sj2QN!uJU(a=#E0ZQimQR>d@+5@O5=zq z=QsJ;w!mvq8p{y%+i;?dsRXedqNW0yh$AW&X%Iyi9pmv80v31ev`B!xFU2 zp_sNY0zLqE%xrnh(+w6W!~59!TnbpS<#=gZGDGlaAO_}&;YLur{mbp 
zZt3B$Z{8e=o7xmpuF~alftTb6Bh44AU#xN(^U1z`-~iR|Vf>*5KufhTBHt2Y>)yrC zvPP&@Yb>z z@7KVndKe5mf4Q7bbpSd=*H)wJPdJQeIylap%hX|anqWDpx|Ob;c4N4W%u+?^>=e=J zx}884&`P2UY%ExO^vKVr7Gs9hszu4LcP81B;Os77=v&9t{yRK%=L5#{ZaO>wZQ{m4 zltwaCL)YREH@yzUfFmXmK67AN(sXo`=zvScyg@?!*ALpkhe#K-DBSe~xzq#=@WOe3 zecmL7EHlRDDZnl{P? zX&?ON*|j5VgH3Yz985@&Q3gn;G|Gz&@$QmP&m^YEys(L@{GA<^6?ju6>&lKT!Nb(C z&x~|DpCDA=qg#P>46Ci(qUuJ%WsY0!QE9b;tInMfygYKb6uykiV8Z;+g)omU=*EIL zaf>dfMi-vA>D9cs&q7W)vVe&)?w3bS(eb_4K|b4BZrf%N* z4{SPe3@o4EIC zuoP)Ty&(%0wLfhEFZVD9+w&Q(VoJ;zCchMqF}gQ`I2li=7A7VpFnYCV{gQX?>b8^F zhd3!`_Hl;-vIjX^TEAQRIXx^imoG7THwHNwL3+7soZb~Uw;CM4_HufeUdvR}Di5;l zP#5kL+V13CU(1sC5gS3?4v?Fo0PMcM4ISX?|)7OXa}$(xWabcTO%PwdVp&| z`bx<$@hw3sQj8-Xz1+p>h~s9#i~2WjImQAKf|*m3H<+%Z*d|G^JmY-gN;2~wP+$z^z!eZ9{Ss61%6B+=pqh!luWNgLBHcYb9%+Mq6} zv!Ow%g(T$cUtkDtkWkGb2*X0Y(0daRz#IM6B93wC4OL!+FE#`2(E|Num?phhu|}Bo z%a~+pcD(4BqH@vES~^3OTbU-82B@ZNWqs*8num0beXZe{&)8GxGPEKCu=z*c*MW#j zv1m5g(>4p0Xn^iRoY7Fj-hJ7S_7||Vv;=SAHSO_Lc&*!&ZlkGFt2QB7%u^P46+*WN zHKe_X+bsGr>;_E1zM1yL9GOAt+82FOWU0)Ox1BC6Dg7Q3h+(}B{o*6ddO&GbL|T+h zL7F?p97I4Vu_@4<;vQ>7+u_ssdQ`OU<*xf?KKJ<5?+n>B|NV$Z6dKc;T$GX1>M}!Z zM(gDDc}R{(*t)-mK8-Z1>Tz<*GElmH|zk{DWNm>#<)EF zfei(k))ZrO|5Z\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nFlare identifies your company’s digital assets made publicly available due to human error or malicious attacks. 
\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 9, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Flare/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Flare Systems [Firework](https://flare.io/platform/) solution allows you to receive data and intelligence from Firework on Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs. \n\n a .[Azure Monitor HTTP Data Collector API ](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 8, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -64,7 +64,7 @@ } }, { - "name": "dataconnectors-link2", + "name": "dataconnectors-link1", "type": "Microsoft.Common.TextBlock", "options": { "link": { 
@@ -146,13 +146,13 @@ { "name": "analytic1", "type": "Microsoft.Common.Section", - "label": "Flare Leaked Credentials", + "label": "Flare Cloud bucket result", "elements": [ { "name": "analytic1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Searches for Flare Leaked Credentials" + "text": "Results found on an publicly available cloud bucket" } } ] @@ -160,13 +160,13 @@ { "name": "analytic2", "type": "Microsoft.Common.Section", - "label": "Flare Cloud bucket result", + "label": "Flare Leaked Credentials", "elements": [ { "name": "analytic2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Results found on an publicly available cloud bucket" + "text": "Searches for Flare Leaked Credentials" } } ] @@ -174,24 +174,10 @@ { "name": "analytic3", "type": "Microsoft.Common.Section", - "label": "Flare Darkweb result", - "elements": [ - { - "name": "analytic3-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Result found on a darkweb platform" - } - } - ] - }, - { - "name": "analytic4", - "type": "Microsoft.Common.Section", "label": "Flare Google Dork result found", "elements": [ { - "name": "analytic4-text", + "name": "analytic3-text", "type": "Microsoft.Common.TextBlock", "options": { "text": "Results using a dork on google was found" @@ -200,12 +186,12 @@ ] }, { - "name": "analytic5", + "name": "analytic4", "type": "Microsoft.Common.Section", "label": "Flare Host result", "elements": [ { - "name": "analytic5-text", + "name": "analytic4-text", "type": "Microsoft.Common.TextBlock", "options": { "text": "Results found relating to IP, domain or host" @@ -214,12 +200,12 @@ ] }, { - "name": "analytic6", + "name": "analytic5", "type": "Microsoft.Common.Section", "label": "Flare Infected Device", "elements": [ { - "name": "analytic6-text", + "name": "analytic5-text", "type": "Microsoft.Common.TextBlock", "options": { "text": "Infected Device found on darkweb or Telegram" 
@@ -228,12 +214,12 @@ ] }, { - "name": "analytic7", + "name": "analytic6", "type": "Microsoft.Common.Section", "label": "Flare Paste result", "elements": [ { - "name": "analytic7-text", + "name": "analytic6-text", "type": "Microsoft.Common.TextBlock", "options": { "text": "Result found on code Snippet (paste) sharing platform" @@ -242,12 +228,12 @@ ] }, { - "name": "analytic8", + "name": "analytic7", "type": "Microsoft.Common.Section", "label": "Flare Source Code found", "elements": [ { - "name": "analytic8-text", + "name": "analytic7-text", "type": "Microsoft.Common.TextBlock", "options": { "text": "Result found on Code Sharing platform" @@ -256,12 +242,12 @@ ] }, { - "name": "analytic9", + "name": "analytic8", "type": "Microsoft.Common.Section", "label": "Flare SSL Certificate result", "elements": [ { - "name": "analytic9-text", + "name": "analytic8-text", "type": "Microsoft.Common.TextBlock", "options": { "text": "SSL Certificate registration found" diff --git a/Solutions/Flare/Package/mainTemplate.json b/Solutions/Flare/Package/mainTemplate.json index 1448a2b0f2e..ee649188214 100644 --- a/Solutions/Flare/Package/mainTemplate.json +++ b/Solutions/Flare/Package/mainTemplate.json @@ -38,10 +38,10 @@ } }, "variables": { - "solutionId": "flaresystmesinc1617114736428.flare-systems-firework-sentinel", - "_solutionId": "[variables('solutionId')]", "email": "support@flare.io", "_email": "[variables('email')]", + "solutionId": "flaresystmesinc1617114736428.flare-systems-firework-sentinel", + "_solutionId": "[variables('solutionId')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "uiConfigId1": "Flare", "_uiConfigId1": "[variables('uiConfigId1')]", 
@@ -51,51 +51,11 @@ "_dataConnectorId1": "[variables('dataConnectorId1')]", "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", "dataConnectorVersion1": "1.0.0", - "analyticRuleVersion1": "1.0.2", - "analyticRulecontentId1": "9cb7c337-f170-4af6-b0e8-b6b7552d762d", - "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]", - "analyticRuleVersion2": "1.0.1", - "analyticRulecontentId2": "9cb7c337-f172-4af6-b0e8-b6b7552d762d", - "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]", - "analyticRuleVersion3": "1.0.1", - "analyticRulecontentId3": "9cb7c337-f173-4af6-b0e8-b6b7552d762d", - "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3')))]", - "analyticRuleVersion4": "1.0.1", - "analyticRulecontentId4": "9cb7c337-f174-4af6-b0e8-b6b7552d762d", - "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4')))]", - "analyticRuleVersion5": "1.0.1", - 
"analyticRulecontentId5": "9cb7c337-f175-4af6-b0e8-b6b7552d762d", - "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5')))]", - "analyticRuleVersion6": "1.0.1", - "analyticRulecontentId6": "9cb7c337-f176-4af6-b0e8-b6b7552d762d", - "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6')))]", - "analyticRuleVersion7": "1.0.1", - "analyticRulecontentId7": "9cb7c337-f177-4af6-b0e8-b6b7552d762d", - "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]", - "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]", - "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7')))]", - "analyticRuleVersion8": "1.0.1", - "analyticRulecontentId8": "9cb7c337-f178-4af6-b0e8-b6b7552d762d", - "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]", - "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]", - "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8')))]", - "analyticRuleVersion9": "1.0.1", - "analyticRulecontentId9": "9cb7c337-f179-4af6-b0e8-b6b7552d762d", - "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]", - "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]", - "analyticRuleTemplateSpecName9": 
"[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9')))]", + "workbookVersion1": "1.0.0", + "workbookContentId1": "FireworkWorkbook", + "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]", + "_workbookContentId1": "[variables('workbookContentId1')]", "credential-warning": "credential-warning", "_credential-warning": "[variables('credential-warning')]", "playbookVersion1": "1.0", 
@@ -103,11 +63,54 @@
 "_playbookContentId1": "[variables('playbookContentId1')]",
 "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]",
 "playbookTemplateSpecName1": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1')))]",
- "workbookVersion1": "1.0.0",
- "workbookContentId1": "FireworkWorkbook",
- "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
- "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]",
- "_workbookContentId1": "[variables('workbookContentId1')]"
+ "analyticRuleObject1": {
+ "analyticRuleVersion1": "1.0.2",
+ "_analyticRulecontentId1": "9cb7c337-f172-4af6-b0e8-b6b7552d762d",
+ "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f172-4af6-b0e8-b6b7552d762d')]",
+ "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f172-4af6-b0e8-b6b7552d762d'))]"
+ },
+ "analyticRuleObject2": {
+ "analyticRuleVersion2": "1.0.3",
+ "_analyticRulecontentId2": "9cb7c337-f170-4af6-b0e8-b6b7552d762d",
+ "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f170-4af6-b0e8-b6b7552d762d')]",
+ "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f170-4af6-b0e8-b6b7552d762d'))]"
+ },
+ "analyticRuleObject3": {
+ "analyticRuleVersion3": "1.0.2",
+ "_analyticRulecontentId3": "9cb7c337-f174-4af6-b0e8-b6b7552d762d",
+ "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f174-4af6-b0e8-b6b7552d762d')]",
+ "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f174-4af6-b0e8-b6b7552d762d'))]"
+ },
+ "analyticRuleObject4": {
+ "analyticRuleVersion4": "1.0.2",
+ "_analyticRulecontentId4": "9cb7c337-f175-4af6-b0e8-b6b7552d762d",
+ "analyticRuleId4": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f175-4af6-b0e8-b6b7552d762d')]",
+ "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f175-4af6-b0e8-b6b7552d762d'))]"
+ },
+ "analyticRuleObject5": {
+ "analyticRuleVersion5": "1.0.2",
+ "_analyticRulecontentId5": "9cb7c337-f176-4af6-b0e8-b6b7552d762d",
+ "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f176-4af6-b0e8-b6b7552d762d')]",
+ "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f176-4af6-b0e8-b6b7552d762d'))]"
+ },
+ "analyticRuleObject6": {
+ "analyticRuleVersion6": "1.0.2",
+ "_analyticRulecontentId6": "9cb7c337-f177-4af6-b0e8-b6b7552d762d",
+ "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f177-4af6-b0e8-b6b7552d762d')]",
+ "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f177-4af6-b0e8-b6b7552d762d'))]"
+ },
+ "analyticRuleObject7": {
+ "analyticRuleVersion7": "1.0.2",
+ "_analyticRulecontentId7": "9cb7c337-f178-4af6-b0e8-b6b7552d762d",
+ "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f178-4af6-b0e8-b6b7552d762d')]",
+ "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f178-4af6-b0e8-b6b7552d762d'))]"
+ },
+ "analyticRuleObject8": {
+ "analyticRuleVersion8": "1.0.2",
+ "_analyticRulecontentId8": "9cb7c337-f179-4af6-b0e8-b6b7552d762d",
+ "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f179-4af6-b0e8-b6b7552d762d')]",
+ "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f179-4af6-b0e8-b6b7552d762d'))]"
+ }
 },
 "resources": [
 {
@@ -137,7 +140,7 @@
 "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
 ],
 "properties": {
- "description": "Flare data connector with template version 2.1.0",
+ "description": "Flare data connector with template version 2.2.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -221,7 +224,7 @@
 {
 "innerSteps": [
 {
- "description": "As an organization administrator, authenticate on [Flare](https://app.flare.systems) and access the [team page](https://app.flare.systems#/team) to create a new alert channel."
+ "description": "As an organization administrator, authenticate on [Flare](https://app.flare.io) and access the [alert page](https://app.flare.io/#/alerts?activeTab=alert-channels) to create a new alert channel."
 },
 {
 "description": "Click on 'Create a new alert channel' and select 'Microsoft Sentinel'. Enter your Shared Key And WorkspaceID. Save the Alert Channel. \n For more help and details, see our [Azure configuration documentation](https://docs.microsoft.com/azure/sentinel/connect-data-sources).",
@@ -420,7 +423,7 @@
 {
 "innerSteps": [
 {
- "description": "As an organization administrator, authenticate on [Flare](https://app.flare.systems) and access the [team page](https://app.flare.systems#/team) to create a new alert channel."
+ "description": "As an organization administrator, authenticate on [Flare](https://app.flare.io) and access the [alert page](https://app.flare.io/#/alerts?activeTab=alert-channels) to create a new alert channel."
 },
 {
 "description": "Click on 'Create a new alert channel' and select 'Microsoft Sentinel'. Enter your Shared Key And WorkspaceID. Save the Alert Channel. \n For more help and details, see our [Azure configuration documentation](https://docs.microsoft.com/azure/sentinel/connect-data-sources).",
@@ -469,82 +472,64 @@
 {
 "type": "Microsoft.Resources/templateSpecs",
 "apiVersion": "2022-02-01",
- "name": "[variables('analyticRuleTemplateSpecName1')]",
+ "name": "[variables('workbookTemplateSpecName1')]",
 "location": "[parameters('workspace-location')]",
 "tags": {
 "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
+ "hidden-sentinelContentType": "Workbook"
 },
 "properties": {
- "description": "Flare Analytics Rule 1 with template",
- "displayName": "Flare Analytics Rule template"
+ "description": "Flare Workbook with template",
+ "displayName": "Flare workbook template"
 }
 },
 {
 "type": "Microsoft.Resources/templateSpecs/versions",
 "apiVersion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]",
+ "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]",
 "location": "[parameters('workspace-location')]",
 "tags": {
 "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
+ "hidden-sentinelContentType": "Workbook"
 },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]"
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
 ],
 "properties": {
- "description": "FlareCredentialLeaks_AnalyticalRules Analytics Rule with template version 2.1.0",
+ "description": "FlareSystemsFireworkOverview Workbook with template version 2.2.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion1')]",
+ "contentVersion": "[variables('workbookVersion1')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId1')]",
- "apiVersion": "2022-04-01-preview",
- 
"kind": "Scheduled",
+ "type": "Microsoft.Insights/workbooks",
+ "name": "[variables('workbookContentId1')]",
 "location": "[parameters('workspace-location')]",
+ "kind": "shared",
+ "apiVersion": "2021-08-01",
+ "metadata": {
+ "description": "Select the time range for this Overview."
+ },
 "properties": {
- "description": "Searches for Flare Leaked Credentials",
- "displayName": "Flare Leaked Credentials",
- "enabled": false,
- "query": "Firework_CL\n| where notempty(data_new_leaks_s) and source_s != 'stealer_logs_samples'\n",
- "queryFrequency": "PT1H",
- "queryPeriod": "PT1H",
- "severity": "Medium",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
- {
- "dataTypes": [
- "Firework_CL"
- ],
- "connectorId": "Flare"
- }
- ],
- "tactics": [
- "CredentialAccess"
- ],
- "techniques": [
- "T1110"
- ]
+ "displayName": "[parameters('workbook1-name')]",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Firework Logs by risk score\\n---\\n\\nThese are all your logs that came from Firework in the past 30 days, where each line represents a specific risk score\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Firework_CL\\n| make-series num=count() on timestamp_t from ago(30d) to now() step 8h by strcat(\\\"Risk Score \\\", tostring(toint(risk_score_d)))\\n| render timechart \",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Risk Score 2\",\"color\":\"turquoise\"},{\"seriesName\":\"Risk Score 3\",\"color\":\"yellow\"},{\"seriesName\":\"Risk Score 4\",\"color\":\"orange\"},{\"seriesName\":\"Risk Score 1\",\"color\":\"lightBlue\"}]}},\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"# Sources of all documents collected\\n\\nData per day for the last 
30 days\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Firework_CL\\n| make-series num=count() on timestamp_t from ago(30d) to now() step 1d by source_name_s\\n| where isnotempty(source_name_s)\\n| render barchart \",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Firework_CL\\n| where timestamp_t >= ago(30d)\\n| summarize num=count() by source_name_s\\n| where notempty(source_name_s)\\n| render piechart \",\"size\":2,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 6\"},{\"type\":1,\"content\":{\"json\":\"# Total Leaked Credentials received\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Firework_CL\\n| where notempty(column_ifexists('data_new_leaks_s', ''))\\n| make-series Total_Leaked_Credentials=count() on timestamp_t from ago(30d) to now() step 8h \\n| render timechart\",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Total_Leaked_Credentials\",\"color\":\"redBright\"}]}},\"name\":\"query - 4\"}],\"fromTemplateId\":\"sentinel-FireworkWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
+ "version": "1.0",
+ "sourceId": "[variables('workspaceResourceId')]",
+ "category": "sentinel"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
 "properties": {
- "description": "Flare Analytics 
Rule 1",
- "parentId": "[variables('analyticRuleId1')]",
- "contentId": "[variables('_analyticRulecontentId1')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion1')]",
+ "description": "@{workbookKey=FireworkWorkbook; logoFileName=Flare.svg; description=Select the time range for this Overview.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=FlareSystemsFirework; templateRelativePath=FlareSystemsFireworkOverview.json; subtitle=; provider=Flare Systems}.description",
+ "parentId": "[variables('workbookId1')]",
+ "contentId": "[variables('_workbookContentId1')]",
+ "kind": "Workbook",
+ "version": "[variables('workbookVersion1')]",
 "source": {
 "kind": "Solution",
 "name": "Flare",
@@ -559,6 +544,19 @@
 "email": "contact@flare.io",
 "tier": "Partner",
 "link": "https://flare.io/company/contact/"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "contentId": "Firework_CL",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "FlareSystemsFirework",
+ "kind": "DataConnector"
+ }
+ ]
 }
 }
 }
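Review bot: The workbook metadata `description` on the new side of this hunk is a stringified PowerShell hashtable (`@{workbookKey=FireworkWorkbook; logoFileName=Flare.svg; ... }.description`) rather than the workbook's description, so the deployed `Microsoft.OperationalInsights/workspaces/providers/metadata` entry advertises garbage; it looks like the packaging step applied `.description` to the whole workbook record instead of its `description` field, so the fix belongs in the solution's workbook metadata input rather than in this generated file. The value the workbook resource itself carries a few lines earlier, `"description": "Select the time range for this Overview."`, is what the metadata entry should say. Separately, three of the four panels in `serializedData` still reference `risk_score_d`, `source_name_s` and `timestamp_t` directly while the analytic rules in this same commit were moved to `column_ifexists()`; only the leaked-credentials panel does so, which leaves the other panels failing on a workspace that has not yet ingested those columns, and one of them still uses the `notempty()` alias that the rule YAMLs replaced with `isnotempty()`.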
@@ -569,282 +567,334 @@ { "type": "Microsoft.Resources/templateSpecs", "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleTemplateSpecName2')]", + "name": "[variables('playbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" + "hidden-sentinelContentType": "Playbook" }, "properties": { - "description": "Flare Analytics Rule 2 with template", - "displayName": "Flare Analytics Rule template" + "description": "credential-warning playbook", + "displayName": "credential-warning playbook" } }, { "type": "Microsoft.Resources/templateSpecs/versions", "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]", + "name": "[concat(variables('playbookTemplateSpecName1'),'/',variables('playbookVersion1'))]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" + "hidden-sentinelContentType": "Playbook" }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]" + "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName1'))]" ], "properties": { - "description": "FlareCloudBucket_AnalyticalRules Analytics Rule with template version 2.1.0", + "description": "credential-warning Playbook with template version 2.2.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion2')]", - "parameters": {}, - "variables": {}, + "contentVersion": "[variables('playbookVersion1')]", + "parameters": { + "PlaybookName": { + "defaultValue": "credential-warning", + "type": "string" + } + }, + "variables": { + "AzureSentinelConnectionName": 
"[[concat('azuresentinel-', parameters('PlaybookName'))]", + "o365ConnectionName": "[[concat('o365-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-1": "[[variables('connection-1')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId2')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", "properties": { - "description": "Results found on an publicly available cloud bucket", - "displayName": "Flare Cloud bucket result", - "enabled": false, - "query": "Firework_CL\n| where source_s contains \"Grayhat_warfare\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "Firework_CL" - ], - "connectorId": "Flare" - } - ], - "tactics": [ - "Reconnaissance" - ], - "techniques": [ - 
"T1593" - ] + "displayName": "[[variables('AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-1')]" + } } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('o365ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", "properties": { - "description": "Flare Analytics Rule 2", - "parentId": "[variables('analyticRuleId2')]", - "contentId": "[variables('_analyticRulecontentId2')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion2')]", - "source": { - "kind": "Solution", - "name": "Flare", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Flare Integration Team", - "email": "[variables('_email')]" - }, - "support": { - "name": "Flare", - "email": "contact@flare.io", - "tier": "Partner", - "link": "https://flare.io/company/contact/" + "displayName": "[[parameters('PlaybookName')]", + "api": { + "id": "[[variables('_connection-2')]" } } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Flare Analytics Rule 3 with template", - "displayName": "Flare Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName3'),'/',variables('analyticRuleVersion3'))]", - "location": 
"[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]" - ], - "properties": { - "description": "FlareDarkweb_AnalyticalRules Analytics Rule with template version 2.1.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion3')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId3')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Result found on a darkweb platform", - "displayName": "Flare Darkweb result", - "enabled": false, - "query": "Firework_CL\n| where risk_reasons_s contains \"CYBERCRIME_SOURCE\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "Firework_CL" - ], - "connectorId": "Flare" - } - ], - "tactics": [ - "Reconnaissance" - ], - "techniques": [ - "T1597" - ] - } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", - "properties": { - "description": "Flare Analytics Rule 3", - "parentId": "[variables('analyticRuleId3')]", - "contentId": "[variables('_analyticRulecontentId3')]", - 
"kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion3')]", - "source": { - "kind": "Solution", - "name": "Flare", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Flare Integration Team", - "email": "[variables('_email')]" + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "PlaybookName", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]" + ], + "properties": { + "state": "Disabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "actions": { + "For_each": { + "actions": { + "For_each_2": { + "actions": { + "For_each_3": { + "actions": { + "Send_an_email_(V2)": { + "inputs": { + "body": { + "Body": "

Hello,
\n
\nThis is a message to warn you we believe a password you had been using has  been leaked online, as part of a data breach.
\n
\nIf the following password is one you are still using commonly, we recommend changing it as soon as possible.
\n
\n@{items('For_each_3')['hash']}
\n
\nIn addition we want to remind you not to use your corporate email address to register to services outside of work.
\n
\nCordially,
\n
\nSecurity Team
\n

", + "Subject": "Possible compromised password", + "To": "blank@flare.systems" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + }, + "type": "ApiConnection" + } + }, + "foreach": "@items('For_each_2')['passwords']", + "type": "Foreach" + } + }, + "foreach": "@body('Parse_JSON')", + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Parse_JSON": { + "inputs": { + "content": "@items('For_each')", + "schema": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "passwords": { + "items": { + "properties": { + "extra": { + "type": "object" + }, + "hash": { + "type": "string" + }, + "hash_type": { + "type": "string" + }, + "id": { + "type": "integer" + }, + "imported_at": { + "type": "string" + }, + "source_id": { + "type": "string" + }, + "source_params": { + "properties": { + "line": { + "type": "integer" + } + }, + "type": "object" + } + }, + "required": [ + "id", + "hash", + "hash_type", + "extra", + "domain", + "source_id", + "source_params", + "imported_at" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "name", + "passwords" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "ParseJson" + } + }, + "foreach": "@variables('leaks')['leaked_credentials']", + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Initialize_variable": { + "inputs": { + "variables": [ + { + "name": "leaks", + "type": "object", + "value": "@json(body('Parse_JSON_2')['Custom Details'])" + } + ] + }, + "runAfter": { + "Parse_JSON_2": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Parse_JSON_2": { + "inputs": { + "content": "@triggerBody()?['ExtendedProperties']", + "schema": { + "properties": { + "Analytic Rule Ids": { + "type": "string" + }, + "Analytic Rule Name": { + "type": "string" + }, + "Custom Details": { + "type": "string" + }, + 
"Data Sources": { + "type": "string" + }, + "Event Grouping": { + "type": "string" + }, + "ProcessedBySentinel": { + "type": "string" + }, + "Query": { + "type": "string" + }, + "Query End Time UTC": { + "type": "string" + }, + "Query Period": { + "type": "string" + }, + "Query Start Time UTC": { + "type": "string" + }, + "Search Query Results Overall Count": { + "type": "string" + }, + "Trigger Operator": { + "type": "string" + }, + "Trigger Threshold": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "ParseJson" + } + }, + "contentVersion": "1.0.0.0", + "triggers": { + "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + }, + "type": "ApiConnectionWebhook" + } + } }, - "support": { - "name": "Flare", - "email": "contact@flare.io", - "tier": "Partner", - "link": "https://flare.io/company/contact/" + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "office365": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]", + "connectionName": "[[variables('o365ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" + } + } + } } } - } - ] - } - } - }, - { - "type": 
"Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Flare Analytics Rule 4 with template", - "displayName": "Flare Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName4'),'/',variables('analyticRuleVersion4'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName4'))]" - ], - "properties": { - "description": "FlareDork_AnalyticalRules Analytics Rule with template version 2.1.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion4')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId4')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Results using a dork on google was found", - "displayName": "Flare Google Dork result found", - "enabled": false, - "query": "Firework_CL\n| where source_s contains \"google_search\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - 
"triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "Firework_CL" - ], - "connectorId": "Flare" - } - ], - "tactics": [ - "Reconnaissance" - ], - "techniques": [ - "T1593" - ] - } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", "properties": { - "description": "Flare Analytics Rule 4", - "parentId": "[variables('analyticRuleId4')]", - "contentId": "[variables('_analyticRulecontentId4')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion4')]", + "parentId": "[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "Playbook", + "version": "[variables('playbookVersion1')]", "source": { "kind": "Solution", "name": "Flare", 
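Review bot: The `Send_an_email_(V2)` action's recipient is the fixed placeholder `"To": "blank@flare.systems"`, while the playbook metadata added in the next hunk says the mail goes to the affected user; as written, every leaked-credential notification, body included, which interpolates the leaked value via `@{items('For_each_3')['hash']}`, is sent to one hard-coded external mailbox. The recipient should come from the leak record or a template parameter (the `Parse_JSON` schema exposes a `name` per leak that presumably holds the address; confirm against the Flare payload), e.g. `"To": "@{items('For_each_2')['name']}"`, and the body should state that a credential leaked without carrying the credential value itself. Note also that the `Parse_JSON` schema lists `"domain"` under `required` but defines no `domain` property, so the parse step will presumably reject leak records that omit it; either define the property or drop it from `required`. The `Microsoft.Logic/workflows` resource this belongs to is added whole within this hunk.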
@@ -862,55 +912,69 @@
 }
 }
 }
- ]
+ ],
+ "metadata": {
+ "title": "credential-warning",
+ "description": "This playbook monitors all data received from Firework looking for leaked credentials (email:password combinations). When found, this playbook will send an email to the email address warning their password has been leaked, recommending appropriate measures if necessary. To learn more about how to connect Firework to Microsoft Sentinel, see the [API documentation](https://docs.flared.io/azure-sentinel-integration).",
+ "lastUpdateTime": "2022-07-31T00:00:00Z",
+ "releaseNotes": [
+ {
+ "version": "1.0.0",
+ "title": "credential-warning",
+ "notes": [
+ "Initial version"
+ ]
+ }
+ ]
+ }
 }
 }
 },
 {
 "type": "Microsoft.Resources/templateSpecs",
 "apiVersion": "2022-02-01",
- "name": "[variables('analyticRuleTemplateSpecName5')]",
+ "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]",
 "location": "[parameters('workspace-location')]",
 "tags": {
 "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
 "hidden-sentinelContentType": "AnalyticsRule"
 },
 "properties": {
- "description": "Flare Analytics Rule 5 with template",
+ "description": "Flare Analytics Rule 1 with template",
 "displayName": "Flare Analytics Rule template"
 }
 },
 {
 "type": "Microsoft.Resources/templateSpecs/versions",
 "apiVersion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName5'),'/',variables('analyticRuleVersion5'))]",
+ "name": "[concat(variables('analyticRuleObject1').analyticRuleTemplateSpecName1,'/',variables('analyticRuleObject1').analyticRuleVersion1)]",
 "location": "[parameters('workspace-location')]",
 "tags": {
 "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
 "hidden-sentinelContentType": "AnalyticsRule"
 },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName5'))]"
+ "[resourceId('Microsoft.Resources/templateSpecs', 
variables('analyticRuleObject1').analyticRuleTemplateSpecName1)]"
 ],
 "properties": {
- "description": "FlareHost_AnalyticalRules Analytics Rule with template version 2.1.0",
+ "description": "FlareCloudBucket_AnalyticalRules Analytics Rule with template version 2.2.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion5')]",
+ "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId5')]",
- "apiVersion": "2022-04-01-preview",
+ "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "apiVersion": "2023-02-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "description": "Results found relating to IP, domain or host",
- "displayName": "Flare Host result",
+ "description": "Results found on an publicly available cloud bucket",
+ "displayName": "Flare Cloud bucket result",
 "enabled": false,
- "query": "Firework_CL\n| where source_s contains \"driller_shodan\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n",
+ "query": "Firework_CL\n| extend source = column_ifexists(\"source_s\", \"\")\n| extend risk_score = column_ifexists(\"risk_score_d\", 0.0)\n| where source contains \"Grayhat_warfare\"\n| where risk_score >= 3\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "PT1H",
 "severity": "Medium",
@@ -921,30 +985,30 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Flare", "dataTypes": [ "Firework_CL" - ], - "connectorId": "Flare" + ] } ], "tactics": [ "Reconnaissance" ], "techniques": [ - "T1596" + "T1593" ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", "properties": { - "description": "Flare Analytics Rule 5", - "parentId": "[variables('analyticRuleId5')]", - "contentId": "[variables('_analyticRulecontentId5')]", + "description": "Flare Analytics Rule 1", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion5')]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", "source": { "kind": "Solution", "name": "Flare", 
@@ -969,48 +1033,48 @@ { "type": "Microsoft.Resources/templateSpecs", "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleTemplateSpecName6')]", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", "hidden-sentinelContentType": "AnalyticsRule" }, "properties": { - "description": "Flare Analytics Rule 6 with template", + "description": "Flare Analytics Rule 2 with template", "displayName": "Flare Analytics Rule template" } }, { "type": "Microsoft.Resources/templateSpecs/versions", "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName6'),'/',variables('analyticRuleVersion6'))]", + "name": "[concat(variables('analyticRuleObject2').analyticRuleTemplateSpecName2,'/',variables('analyticRuleObject2').analyticRuleVersion2)]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", "hidden-sentinelContentType": "AnalyticsRule" }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName6'))]" + "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject2').analyticRuleTemplateSpecName2)]" ], "properties": { - "description": "FlareInfectedDevice_AnalyticalRules Analytics Rule with template version 2.1.0", + "description": "FlareCredentialLeaks_AnalyticalRules Analytics Rule with template version 2.2.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion6')]", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId6')]", - "apiVersion": "2022-04-01-preview", 
+ "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Infected Device found on darkweb or Telegram", - "displayName": "Flare Infected Device", + "description": "Searches for Flare Leaked Credentials", + "displayName": "Flare Leaked Credentials", "enabled": false, - "query": "Firework_CL\n| where category_name_s contains \"Infected Device\" or source_s==\"genesis_market\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", + "query": "Firework_CL\n| extend data_new_leaks = column_ifexists(\"data_new_leaks_s\", \"\")\n| extend source = column_ifexists(\"source_s\", \"\")\n| where isnotempty(data_new_leaks) and source != \"stealer_logs_samples\"\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "Medium", 
@@ -1021,30 +1085,30 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Flare", "dataTypes": [ "Firework_CL" - ], - "connectorId": "Flare" + ] } ], "tactics": [ "CredentialAccess" ], "techniques": [ - "T1555" + "T1110" ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", "properties": { - "description": "Flare Analytics Rule 6", - "parentId": "[variables('analyticRuleId6')]", - "contentId": "[variables('_analyticRulecontentId6')]", + "description": "Flare Analytics Rule 2", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion6')]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", "source": { "kind": "Solution", "name": "Flare", 
@@ -1069,48 +1133,48 @@ { "type": "Microsoft.Resources/templateSpecs", "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleTemplateSpecName7')]", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", "hidden-sentinelContentType": "AnalyticsRule" }, "properties": { - "description": "Flare Analytics Rule 7 with template", + "description": "Flare Analytics Rule 3 with template", "displayName": "Flare Analytics Rule template" } }, { "type": "Microsoft.Resources/templateSpecs/versions", "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName7'),'/',variables('analyticRuleVersion7'))]", + "name": "[concat(variables('analyticRuleObject3').analyticRuleTemplateSpecName3,'/',variables('analyticRuleObject3').analyticRuleVersion3)]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", "hidden-sentinelContentType": "AnalyticsRule" }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName7'))]" + "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject3').analyticRuleTemplateSpecName3)]" ], "properties": { - "description": "FlarePaste_AnalyticalRules Analytics Rule with template version 2.1.0", + "description": "FlareDork_AnalyticalRules Analytics Rule with template version 2.2.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion7')]", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId7')]", - "apiVersion": "2022-04-01-preview", + "name": 
"[variables('analyticRuleObject3')._analyticRulecontentId3]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Result found on code Snippet (paste) sharing platform", - "displayName": "Flare Paste result", + "description": "Results using a dork on google was found", + "displayName": "Flare Google Dork result found", "enabled": false, - "query": "Firework_CL\n| where source_s in (\"gist_github\",\"Pastebin\",\"driller_stackexchange\") and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", + "query": "Firework_CL\n| extend source = column_ifexists(\"source_s\", \"\")\n| extend risk_score = column_ifexists(\"risk_score_d\", 0.0)\n| where source contains \"google_search\"\n| where risk_score >= 3\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "Medium", @@ -1121,10 +1185,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Flare", "dataTypes": [ "Firework_CL" - ], - "connectorId": "Flare" + ] } ], "tactics": [ 
@@ -1138,13 +1202,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", "properties": { - "description": "Flare Analytics Rule 7", - "parentId": "[variables('analyticRuleId7')]", - "contentId": "[variables('_analyticRulecontentId7')]", + "description": "Flare Analytics Rule 3", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion7')]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", "source": { "kind": "Solution", "name": "Flare", 
@@ -1169,48 +1233,48 @@ { "type": "Microsoft.Resources/templateSpecs", "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleTemplateSpecName8')]", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", "hidden-sentinelContentType": "AnalyticsRule" }, "properties": { - "description": "Flare Analytics Rule 8 with template", + "description": "Flare Analytics Rule 4 with template", "displayName": "Flare Analytics Rule template" } }, { "type": "Microsoft.Resources/templateSpecs/versions", "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName8'),'/',variables('analyticRuleVersion8'))]", + "name": "[concat(variables('analyticRuleObject4').analyticRuleTemplateSpecName4,'/',variables('analyticRuleObject4').analyticRuleVersion4)]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", "hidden-sentinelContentType": "AnalyticsRule" }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName8'))]" + "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject4').analyticRuleTemplateSpecName4)]" ], "properties": { - "description": "FlareSourceCode_AnalyticalRules Analytics Rule with template version 2.1.0", + "description": "FlareHost_AnalyticalRules Analytics Rule with template version 2.2.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion8')]", + "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId8')]", - "apiVersion": "2022-04-01-preview", + "name": 
"[variables('analyticRuleObject4')._analyticRulecontentId4]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Result found on Code Sharing platform", - "displayName": "Flare Source Code found", + "description": "Results found relating to IP, domain or host", + "displayName": "Flare Host result", "enabled": false, - "query": "Firework_CL\n| where source_s contains \"driller_github\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", + "query": "Firework_CL\n| extend source = column_ifexists(\"source_s\", \"\")\n| extend risk_score = column_ifexists(\"risk_score_d\", 0.0)\n| where source contains \"driller_shodan\"\n| where risk_score >= 3\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "Medium", 
@@ -1221,30 +1285,30 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Flare", "dataTypes": [ "Firework_CL" - ], - "connectorId": "Flare" + ] } ], "tactics": [ "Reconnaissance" ], "techniques": [ - "T1593" + "T1596" ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", "properties": { - "description": "Flare Analytics Rule 8", - "parentId": "[variables('analyticRuleId8')]", - "contentId": "[variables('_analyticRulecontentId8')]", + "description": "Flare Analytics Rule 4", + "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion8')]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", "source": { "kind": "Solution", "name": "Flare", 
@@ -1269,48 +1333,48 @@ { "type": "Microsoft.Resources/templateSpecs", "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleTemplateSpecName9')]", + "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", "hidden-sentinelContentType": "AnalyticsRule" }, "properties": { - "description": "Flare Analytics Rule 9 with template", + "description": "Flare Analytics Rule 5 with template", "displayName": "Flare Analytics Rule template" } }, { "type": "Microsoft.Resources/templateSpecs/versions", "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName9'),'/',variables('analyticRuleVersion9'))]", + "name": "[concat(variables('analyticRuleObject5').analyticRuleTemplateSpecName5,'/',variables('analyticRuleObject5').analyticRuleVersion5)]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", "hidden-sentinelContentType": "AnalyticsRule" }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName9'))]" + "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject5').analyticRuleTemplateSpecName5)]" ], "properties": { - "description": "FlareSSLcert_AnalyticalRules Analytics Rule with template version 2.1.0", + "description": "FlareInfectedDevice_AnalyticalRules Analytics Rule with template version 2.2.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion9')]", + "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId9')]", - "apiVersion": "2022-04-01-preview", + 
"name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "SSL Certificate registration found", - "displayName": "Flare SSL Certificate result", + "description": "Infected Device found on darkweb or Telegram", + "displayName": "Flare Infected Device", "enabled": false, - "query": "Firework_CL\n| where source_s contains \"certstream\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", + "query": "Firework_CL\n| extend category_name = column_ifexists(\"category_name_s\", \"\")\n| extend source = column_ifexists(\"source_s\", \"\")\n| extend risk_score = column_ifexists(\"risk_score_d\", 0.0)\n| where category_name contains \"Infected Device\" or source == \"genesis_market\"\n| where risk_score >= 3\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "Medium", 
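Review bot: Splitting the Infected Device filter into two `where` stages changes which rows the rule matches: in the old query the risk-score condition was `and`-bound only to `source_s==\"genesis_market\"` (KQL `and` binds tighter than `or`), so `category_name_s contains \"Infected Device\"` rows alerted at any score, whereas the new query requires `risk_score >= 3` for both branches. If that tightening is intentional it deserves a line in `ReleaseNotes.md` and in the rule description, since existing deployments will see fewer Infected Device alerts after upgrade; if not, the previous scope is `| where (category_name contains \"Infected Device\") or (source == \"genesis_market\" and risk_score >= 3)`. As `mainTemplate.json` is generated, the change belongs in `FlareInfectedDevice.yaml`.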
@@ -1321,30 +1385,30 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Flare", "dataTypes": [ "Firework_CL" - ], - "connectorId": "Flare" + ] } ], "tactics": [ - "ResourceDevelopment" + "CredentialAccess" ], "techniques": [ - "T1583" + "T1555" ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", "properties": { - "description": "Flare Analytics Rule 9", - "parentId": "[variables('analyticRuleId9')]", - "contentId": "[variables('_analyticRulecontentId9')]", + "description": "Flare Analytics Rule 5", + "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion9')]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", "source": { "kind": "Solution", "name": "Flare", 
@@ -1361,342 +1425,90 @@ "link": "https://flare.io/company/contact/" } } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('playbookTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "credential-warning playbook", - "displayName": "credential-warning playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('playbookTemplateSpecName1'),'/',variables('playbookVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName1'))]" - ], - "properties": { - "description": "credential-warning Playbook with template version 2.1.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion1')]", - "parameters": { - "PlaybookName": { - "defaultValue": "credential-warning", - "type": "string" - } - }, - "variables": { - "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", - "o365ConnectionName": "[[concat('o365-', parameters('PlaybookName'))]", - "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-1": "[[variables('connection-1')]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", - 
"_connection-2": "[[variables('connection-2')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-1')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('o365ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "displayName": "[[parameters('PlaybookName')]", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "LogicAppsCategory": "security", - "hidden-SentinelTemplateName": "PlaybookName", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]" - ], - "properties": { - "state": "Disabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "actions": { - "For_each": { - "actions": { - "For_each_2": { - "actions": { - "For_each_3": { - "actions": 
{ - "Send_an_email_(V2)": { - "inputs": { - "body": { - "Body": "

Hello,
\n
\nThis is a message to warn you we believe a password you had been using has  been leaked online, as part of a data breach.
\n
\nIf the following password is one you are still using commonly, we recommend changing it as soon as possible.
\n
\n@{items('For_each_3')['hash']}
\n
\nIn addition we want to remind you not to use your corporate email address to register to services outside of work.
\n
\nCordially,
\n
\nSecurity Team
\n

", - "Subject": "Possible compromised password", - "To": "blank@flare.systems" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - }, - "type": "ApiConnection" - } - }, - "foreach": "@items('For_each_2')['passwords']", - "type": "Foreach" - } - }, - "foreach": "@body('Parse_JSON')", - "runAfter": { - "Parse_JSON": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Parse_JSON": { - "inputs": { - "content": "@items('For_each')", - "schema": { - "items": { - "properties": { - "name": { - "type": "string" - }, - "passwords": { - "items": { - "properties": { - "extra": { - "type": "object" - }, - "hash": { - "type": "string" - }, - "hash_type": { - "type": "string" - }, - "id": { - "type": "integer" - }, - "imported_at": { - "type": "string" - }, - "source_id": { - "type": "string" - }, - "source_params": { - "properties": { - "line": { - "type": "integer" - } - }, - "type": "object" - } - }, - "required": [ - "id", - "hash", - "hash_type", - "extra", - "domain", - "source_id", - "source_params", - "imported_at" - ], - "type": "object" - }, - "type": "array" - } - }, - "required": [ - "name", - "passwords" - ], - "type": "object" - }, - "type": "array" - } - }, - "type": "ParseJson" - } - }, - "foreach": "@variables('leaks')['leaked_credentials']", - "runAfter": { - "Initialize_variable": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Initialize_variable": { - "inputs": { - "variables": [ - { - "name": "leaks", - "type": "object", - "value": "@json(body('Parse_JSON_2')['Custom Details'])" - } - ] - }, - "runAfter": { - "Parse_JSON_2": [ - "Succeeded" - ] - }, - "type": "InitializeVariable" - }, - "Parse_JSON_2": { - "inputs": { - "content": "@triggerBody()?['ExtendedProperties']", - "schema": { - "properties": { - "Analytic Rule Ids": { - "type": "string" - }, - "Analytic Rule Name": { - "type": "string" - }, - "Custom Details": { - "type": "string" - }, - 
"Data Sources": { - "type": "string" - }, - "Event Grouping": { - "type": "string" - }, - "ProcessedBySentinel": { - "type": "string" - }, - "Query": { - "type": "string" - }, - "Query End Time UTC": { - "type": "string" - }, - "Query Period": { - "type": "string" - }, - "Query Start Time UTC": { - "type": "string" - }, - "Search Query Results Overall Count": { - "type": "string" - }, - "Trigger Operator": { - "type": "string" - }, - "Trigger Threshold": { - "type": "string" - } - }, - "type": "object" - } - }, - "type": "ParseJson" - } - }, - "contentVersion": "1.0.0.0", - "triggers": { - "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/subscribe" - }, - "type": "ApiConnectionWebhook" - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "connectionName": "[[variables('AzureSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "office365": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]", - "connectionName": "[[variables('o365ConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" - } - } + } + ] + } + } + }, + { + "type": "Microsoft.Resources/templateSpecs", + "apiVersion": "2022-02-01", + "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", + "location": 
"[parameters('workspace-location')]", + "tags": { + "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", + "hidden-sentinelContentType": "AnalyticsRule" + }, + "properties": { + "description": "Flare Analytics Rule 6 with template", + "displayName": "Flare Analytics Rule template" + } + }, + { + "type": "Microsoft.Resources/templateSpecs/versions", + "apiVersion": "2022-02-01", + "name": "[concat(variables('analyticRuleObject6').analyticRuleTemplateSpecName6,'/',variables('analyticRuleObject6').analyticRuleVersion6)]", + "location": "[parameters('workspace-location')]", + "tags": { + "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", + "hidden-sentinelContentType": "AnalyticsRule" + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject6').analyticRuleTemplateSpecName6)]" + ], + "properties": { + "description": "FlarePaste_AnalyticalRules Analytics Rule with template version 2.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Result found on code Snippet (paste) sharing platform", + "displayName": "Flare Paste result", + "enabled": false, + "query": "Firework_CL\n| extend source = column_ifexists(\"source_s\", \"\")\n| extend risk_score = column_ifexists(\"risk_score_d\", 0.0)\n| where source in (\"gist_github\", \"Pastebin\", \"driller_stackexchange\")\n| where risk_score >= 3\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + 
"suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Flare", + "dataTypes": [ + "Firework_CL" + ] } - } + ], + "tactics": [ + "Reconnaissance" + ], + "techniques": [ + "T1593" + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", "properties": { - "parentId": "[variables('playbookId1')]", - "contentId": "[variables('_playbookContentId1')]", - "kind": "Playbook", - "version": "[variables('playbookVersion1')]", + "description": "Flare Analytics Rule 6", + "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", "source": { "kind": "Solution", "name": "Flare", 
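Review bot: The Paste rule's `| where source in (\"gist_github\", \"Pastebin\", \"driller_stackexchange\")` is a case-sensitive match, while the sibling rules in this template select sources with the case-insensitive `contains`; a source value such as `pastebin` would match in one style and not the other. If case-insensitive matching is intended across the solution, `in~` gives it here; if exact matching is intended, the other rules would be more consistent with `==` or `has_cs`. Either way the choice is worth stating once in `ReleaseNotes.md`, and the edit belongs in `FlarePaste.yaml`, from which this template is generated.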
@@ -1714,85 +1526,189 @@ } } } - ], - "metadata": { - "title": "credential-warning", - "description": "This playbook monitors all data received from Firework looking for leaked credentials (email:password combinations). When found, this playbook will send an email to the email address warning their password has been leaked, recommending appropriate measures if necessary. To learn more about how to connect Firework to Microsoft Sentinel, see the [API documentation](https://docs.flared.io/azure-sentinel-integration).", - "lastUpdateTime": "2022-07-31T00:00:00Z", - "releaseNotes": [ - { - "version": "1.0.0", - "title": "credential-warning", - "notes": [ - "Initial version" + ] + } + } + }, + { + "type": "Microsoft.Resources/templateSpecs", + "apiVersion": "2022-02-01", + "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", + "location": "[parameters('workspace-location')]", + "tags": { + "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", + "hidden-sentinelContentType": "AnalyticsRule" + }, + "properties": { + "description": "Flare Analytics Rule 7 with template", + "displayName": "Flare Analytics Rule template" + } + }, + { + "type": "Microsoft.Resources/templateSpecs/versions", + "apiVersion": "2022-02-01", + "name": "[concat(variables('analyticRuleObject7').analyticRuleTemplateSpecName7,'/',variables('analyticRuleObject7').analyticRuleVersion7)]", + "location": "[parameters('workspace-location')]", + "tags": { + "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", + "hidden-sentinelContentType": "AnalyticsRule" + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject7').analyticRuleTemplateSpecName7)]" + ], + "properties": { + "description": "FlareSourceCode_AnalyticalRules Analytics Rule with template version 2.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": 
"[variables('analyticRuleObject7').analyticRuleVersion7]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Result found on Code Sharing platform", + "displayName": "Flare Source Code found", + "enabled": false, + "query": "Firework_CL\n| extend source = column_ifexists(\"source_s\", \"\")\n| extend risk_score = column_ifexists(\"risk_score_d\", 0.0)\n| where source contains \"driller_github\"\n| where risk_score >= 3\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Flare", + "dataTypes": [ + "Firework_CL" + ] + } + ], + "tactics": [ + "Reconnaissance" + ], + "techniques": [ + "T1593" ] } - ] - } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", + "properties": { + "description": "Flare Analytics Rule 7", + "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", + "source": { + "kind": "Solution", + "name": "Flare", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Flare Integration Team", + "email": "[variables('_email')]" + }, + "support": { + "name": "Flare", + "email": "contact@flare.io", + "tier": 
"Partner", + "link": "https://flare.io/company/contact/" + } + } + } + ] } } }, { "type": "Microsoft.Resources/templateSpecs", "apiVersion": "2022-02-01", - "name": "[variables('workbookTemplateSpecName1')]", + "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" + "hidden-sentinelContentType": "AnalyticsRule" }, "properties": { - "description": "Flare Workbook with template", - "displayName": "Flare workbook template" + "description": "Flare Analytics Rule 8 with template", + "displayName": "Flare Analytics Rule template" } }, { "type": "Microsoft.Resources/templateSpecs/versions", "apiVersion": "2022-02-01", - "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]", + "name": "[concat(variables('analyticRuleObject8').analyticRuleTemplateSpecName8,'/',variables('analyticRuleObject8').analyticRuleVersion8)]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" + "hidden-sentinelContentType": "AnalyticsRule" }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]" + "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject8').analyticRuleTemplateSpecName8)]" ], "properties": { - "description": "FlareSystemsFireworkOverviewWorkbook with template version 2.1.0", + "description": "FlareSSLcert_AnalyticalRules Analytics Rule with template version 2.2.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion1')]", + "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", "parameters": {}, "variables": {}, "resources": [ { - 
"type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId1')]", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Select the time range for this Overview." - }, "properties": { - "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Firework Logs by risk score\\n---\\n\\nThese are all your logs that came from Firework in the past 30 days, where each line represents a specific risk score\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Firework_CL\\n| make-series num=count() on timestamp_t from ago(30d) to now() step 8h by strcat(\\\"Risk Score \\\", tostring(toint(risk_score_d)))\\n| render timechart \",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Risk Score 2\",\"color\":\"turquoise\"},{\"seriesName\":\"Risk Score 3\",\"color\":\"yellow\"},{\"seriesName\":\"Risk Score 4\",\"color\":\"orange\"},{\"seriesName\":\"Risk Score 1\",\"color\":\"lightBlue\"}]}},\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"# Sources of all documents collected\\n\\nData per day for the last 30 days\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Firework_CL\\n| make-series num=count() on timestamp_t from ago(30d) to now() step 1d by source_name_s\\n| where isnotempty(source_name_s)\\n| render barchart \",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Firework_CL\\n| where 
timestamp_t >= ago(30d)\\n| summarize num=count() by source_name_s\\n| where notempty(source_name_s)\\n| render piechart \",\"size\":2,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 6\"},{\"type\":1,\"content\":{\"json\":\"# Total Leaked Credentials received\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Firework_CL\\n| where notempty(column_ifexists('data_new_leaks_s', ''))\\n| make-series Total_Leaked_Credentials=count() on timestamp_t from ago(30d) to now() step 8h \\n| render timechart\",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Total_Leaked_Credentials\",\"color\":\"redBright\"}]}},\"name\":\"query - 4\"}],\"fromTemplateId\":\"sentinel-FireworkWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" + "description": "SSL Certificate registration found", + "displayName": "Flare SSL Certificate result", + "enabled": false, + "query": "Firework_CL\n| extend source = column_ifexists(\"source_s\", \"\")\n| extend risk_score = column_ifexists(\"risk_score_d\", 0.0)\n| where source contains \"certstream\"\n| where risk_score >= 3\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Flare", + "dataTypes": [ + "Firework_CL" + ] + } + ], + "tactics": [ + "ResourceDevelopment" + ], + "techniques": [ + "T1583" + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", "properties": { - "description": "@{workbookKey=FireworkWorkbook; logoFileName=FlareSystems.svg; description=Select the time range for this Overview.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=FlareSystemsFirework; templateRelativePath=FlareSystemsFireworkOverview.json; subtitle=; provider=Flare Systems}.description", - "parentId": "[variables('workbookId1')]", - "contentId": "[variables('_workbookContentId1')]", - "kind": "Workbook", - "version": "[variables('workbookVersion1')]", + "description": "Flare Analytics Rule 8", + "parentId": "[variables('analyticRuleObject8').analyticRuleId8]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", "source": { "kind": "Solution", "name": "Flare", @@ -1807,19 +1723,6 @@ "email": "contact@flare.io", "tier": "Partner", "link": "https://flare.io/company/contact/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "Firework_CL", - "kind": "DataType" - }, - { - "contentId": "FlareSystemsFirework", - "kind": "DataConnector" - } - ] } } } @@ -1832,7 +1735,7 @@ "apiVersion": "2022-01-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "2.1.0", + "version": "2.2.0", "kind": "Solution", "contentSchemaVersion": "2.0.0", "contentId": "[variables('_solutionId')]", 
@@ -1861,59 +1764,54 @@
 "version": "[variables('dataConnectorVersion1')]"
 },
 {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId1')]",
- "version": "[variables('analyticRuleVersion1')]"
+ "kind": "Workbook",
+ "contentId": "[variables('_workbookContentId1')]",
+ "version": "[variables('workbookVersion1')]"
 },
 {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId2')]",
- "version": "[variables('analyticRuleVersion2')]"
+ "kind": "Playbook",
+ "contentId": "[variables('_credential-warning')]",
+ "version": "[variables('playbookVersion1')]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId3')]",
- "version": "[variables('analyticRuleVersion3')]"
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId4')]",
- "version": "[variables('analyticRuleVersion4')]"
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId5')]",
- "version": "[variables('analyticRuleVersion5')]"
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId6')]",
- "version": "[variables('analyticRuleVersion6')]"
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId7')]",
- "version": "[variables('analyticRuleVersion7')]"
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId8')]",
- "version": "[variables('analyticRuleVersion8')]"
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId9')]",
- "version": "[variables('analyticRuleVersion9')]"
- },
- {
- "kind": "Playbook",
- "contentId": "[variables('_credential-warning')]",
- "version": "[variables('playbookVersion1')]"
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]"
 },
 {
- "kind": "Workbook",
- "contentId": "[variables('_workbookContentId1')]",
- "version": "[variables('workbookVersion1')]"
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "version": "[variables('analyticRuleObject8').analyticRuleVersion8]"
 }
 ]
 },
diff --git a/Solutions/Flare/Package/testParameters.json b/Solutions/Flare/Package/testParameters.json
new file mode 100644
index 00000000000..392dfab212e
--- /dev/null
+++ b/Solutions/Flare/Package/testParameters.json
@@ -0,0 +1,32 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "FlareSystemsFirework",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ }
+}
diff --git a/Solutions/Flare/ReleaseNotes.md b/Solutions/Flare/ReleaseNotes.md
new file mode 100644
index 00000000000..219c02a2cdb
--- /dev/null
+++ b/Solutions/Flare/ReleaseNotes.md
@@ -0,0 +1,12 @@
+# Release Notes
+
+Release notes are available starting from version 2.2.0.
+Earlier versions did not have published release notes.
+
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------|
+| 2.2.0 | 11-12-2024 | Fixed Analytic Rules to handle missing columns using `column_ifexists()`. |
+| | | Fixed risk score comparisons (was comparing numbers to strings). |
+| | | Improved Analytic Rule descriptions. |
+| | | Added `ReleaseNotes.md` file. |
+| 1.0.0 | 21-10-2021 | Initial Solution Release. |