Minor version update for the Flare Sentinel: V2.2.0

Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml

@@ -18,6 +18,9 @@ relevantTechniques:
   - T1593
 query: |
   Firework_CL
-  | where source_s contains "Grayhat_warfare" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
+  | extend source = column_ifexists("source_s", "")
+  | extend risk_score = column_ifexists("risk_score_d", 0.0)
+  | where source contains "Grayhat_warfare"
+  | where risk_score >= 3
+version: 1.0.2
 kind: Scheduled

Solutions/Flare/Analytic Rules/FlareCredentialLeaks.yaml

@@ -18,6 +18,8 @@ relevantTechniques:
   - T1110
 query: |
   Firework_CL
-  | where notempty(data_new_leaks_s) and source_s != 'stealer_logs_samples'
-version: 1.0.2
+  | extend data_new_leaks = column_ifexists("data_new_leaks_s", "")
+  | extend source = column_ifexists("source_s", "")
+  | where isnotempty(data_new_leaks) and source != "stealer_logs_samples"
+version: 1.0.3
 kind: Scheduled

Solutions/Flare/Analytic Rules/FlareDork.yaml

@@ -18,6 +18,9 @@ relevantTechniques:
   - T1593
 query: |
   Firework_CL
-  | where source_s contains "google_search" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
+  | extend source = column_ifexists("source_s", "")
+  | extend risk_score = column_ifexists("risk_score_d", 0.0)
+  | where source contains "google_search"
+  | where risk_score >= 3
+version: 1.0.2
 kind: Scheduled

Solutions/Flare/Analytic Rules/FlareHost.yaml

@@ -18,6 +18,9 @@ relevantTechniques:
   - T1596
 query: |
   Firework_CL
-  | where source_s contains "driller_shodan" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
+  | extend source = column_ifexists("source_s", "")
+  | extend risk_score = column_ifexists("risk_score_d", 0.0)
+  | where source contains "driller_shodan"
+  | where risk_score >= 3
+version: 1.0.2
 kind: Scheduled

Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml

@@ -18,6 +18,10 @@ relevantTechniques:
   - T1555
 query: |
   Firework_CL
-  | where category_name_s contains "Infected Device" or source_s=="genesis_market" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
+  | extend category_name = column_ifexists("category_name_s", "")
+  | extend source = column_ifexists("source_s", "")
+  | extend risk_score = column_ifexists("risk_score_d", 0.0)
+  | where category_name contains "Infected Device" or source == "genesis_market"
+  | where risk_score >= 3
+version: 1.0.2
 kind: Scheduled

Solutions/Flare/Analytic Rules/FlarePaste.yaml

@@ -18,6 +18,9 @@ relevantTechniques:
   - T1593
 query: |
   Firework_CL
-  | where source_s in ("gist_github","Pastebin","driller_stackexchange") and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
+  | extend source = column_ifexists("source_s", "")
+  | extend risk_score = column_ifexists("risk_score_d", 0.0)
+  | where source in ("gist_github", "Pastebin", "driller_stackexchange")
+  | where risk_score >= 3
+version: 1.0.2
 kind: Scheduled

Solutions/Flare/Analytic Rules/FlareSSLcert.yaml

@@ -18,6 +18,9 @@ relevantTechniques:
   - T1583
 query: |
   Firework_CL
-  | where source_s contains "certstream" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
+  | extend source = column_ifexists("source_s", "")
+  | extend risk_score = column_ifexists("risk_score_d", 0.0)
+  | where source contains "certstream"
+  | where risk_score >= 3
+version: 1.0.2
 kind: Scheduled

Solutions/Flare/Analytic Rules/FlareSourceCode.yaml

@@ -18,6 +18,9 @@ relevantTechniques:
   - T1593
 query: |
   Firework_CL
-  | where source_s contains "driller_github" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
+  | extend source = column_ifexists("source_s", "")
+  | extend risk_score = column_ifexists("risk_score_d", 0.0)
+  | where source contains "driller_github"
+  | where risk_score >= 3
+version: 1.0.2
 kind: Scheduled

Solutions/Flare/Data Connectors/Connector_REST_API_FlareSystemsFirework.json

@@ -70,7 +70,7 @@
             "description": "",
             "innerSteps": [
                 {
-                    "description": "As an organization administrator, authenticate on [Flare](https://app.flare.systems) and access the [team page](https://app.flare.systems#/team) to create a new alert channel."
+                    "description": "As an organization administrator, authenticate on [Flare](https://app.flare.io) and access the [alert page](https://app.flare.io/#/alerts?activeTab=alert-channels) to create a new alert channel."
                 },
                 {
                     "description": "Click on 'Create a new alert channel' and select 'Microsoft Sentinel'. Enter your Shared Key And WorkspaceID. Save the Alert Channel. \n For more help and details, see our [Azure configuration documentation](https://docs.microsoft.com/azure/sentinel/connect-data-sources).",
@@ -129,4 +129,4 @@
             "link": "https://flare.systems/company/contact/"
         }
     }
-}
+}

Solutions/Flare/Data/Solution_FlareSystemsFirework.json

@@ -1,8 +1,8 @@
 {
   "Name": "Flare",
-  "Author": "Microsoft - support@microsoft.com",
+  "Author": "Flare Integration Team - support@flare.io",
   "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Flare.svg\"width=\"75px\"height=\"75px\">",
-  "Description": "The Flare Systems [Firework](https://flare.systems/firework/) solution allows you to receive data and intelligence from Firework on Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs. \n\n a .[Azure Monitor HTTP Data Collector API ](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)",
+  "Description": "The Flare Systems [Firework](https://flare.io/platform/) solution allows you to receive data and intelligence from Firework on Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs. \n\n a .[Azure Monitor HTTP Data Collector API ](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)",
   "Data Connectors": [
     "Data Connectors/Connector_REST_API_FlareSystemsFirework.json"
   ],
@@ -15,7 +15,6 @@
   "Analytic Rules": [
     "Analytic Rules/FlareCloudBucket.yaml",
     "Analytic Rules/FlareCredentialLeaks.yaml",
-    "Analytic Rules/FlareDarkweb.yaml",
     "Analytic Rules/FlareDork.yaml",
     "Analytic Rules/FlareHost.yaml",
     "Analytic Rules/FlareInfectedDevice.yaml",
@@ -24,8 +23,8 @@
     "Analytic Rules/FlareSSLcert.yaml"
   ],
   "BasePath": "C:\\GitHub\\azure-sentinel\\Solutions\\Flare",
-  "Version": "2.1.0",
+  "Version": "2.2.0",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true,
   "Is1PConnector": false
-}
+}

Solutions/Flare/Package/createUiDefinition.json

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Flare/Data%20Connectors/Logo/Flare.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nFlare identifies your company’s digital assets made publicly available due to human error or malicious attacks. \n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 9, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Flare.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Flare/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Flare Systems [Firework](https://flare.io/platform/) solution allows you to receive data and intelligence from Firework on Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs. \n\n a .[Azure Monitor HTTP Data Collector API ](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 8, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -64,7 +64,7 @@
             }
           },
           {
-            "name": "dataconnectors-link2",
+            "name": "dataconnectors-link1",
             "type": "Microsoft.Common.TextBlock",
             "options": {
               "link": {
@@ -146,52 +146,38 @@
           {
             "name": "analytic1",
             "type": "Microsoft.Common.Section",
-            "label": "Flare Leaked Credentials",
+            "label": "Flare Cloud bucket result",
             "elements": [
               {
                 "name": "analytic1-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Searches for Flare Leaked Credentials"
+                  "text": "Results found on an publicly available cloud bucket"
                 }
               }
             ]
           },
           {
             "name": "analytic2",
             "type": "Microsoft.Common.Section",
-            "label": "Flare Cloud bucket result",
+            "label": "Flare Leaked Credentials",
             "elements": [
               {
                 "name": "analytic2-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "Results found on an publicly available cloud bucket"
+                  "text": "Searches for Flare Leaked Credentials"
                 }
               }
             ]
           },
           {
             "name": "analytic3",
             "type": "Microsoft.Common.Section",
-            "label": "Flare Darkweb result",
-            "elements": [
-              {
-                "name": "analytic3-text",
-                "type": "Microsoft.Common.TextBlock",
-                "options": {
-                  "text": "Result found on a darkweb platform"
-                }
-              }
-            ]
-          },
-          {
-            "name": "analytic4",
-            "type": "Microsoft.Common.Section",
             "label": "Flare Google Dork result found",
             "elements": [
               {
-                "name": "analytic4-text",
+                "name": "analytic3-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
                   "text": "Results using a dork on google was found"
@@ -200,12 +186,12 @@
             ]
           },
           {
-            "name": "analytic5",
+            "name": "analytic4",
             "type": "Microsoft.Common.Section",
             "label": "Flare Host result",
             "elements": [
               {
-                "name": "analytic5-text",
+                "name": "analytic4-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
                   "text": "Results found relating to IP, domain or host"
@@ -214,12 +200,12 @@
             ]
           },
           {
-            "name": "analytic6",
+            "name": "analytic5",
             "type": "Microsoft.Common.Section",
             "label": "Flare Infected Device",
             "elements": [
               {
-                "name": "analytic6-text",
+                "name": "analytic5-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
                   "text": "Infected Device found on darkweb or Telegram"
@@ -228,12 +214,12 @@
             ]
           },
           {
-            "name": "analytic7",
+            "name": "analytic6",
             "type": "Microsoft.Common.Section",
             "label": "Flare Paste result",
             "elements": [
               {
-                "name": "analytic7-text",
+                "name": "analytic6-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
                   "text": "Result found on code Snippet (paste) sharing platform"
@@ -242,12 +228,12 @@
             ]
           },
           {
-            "name": "analytic8",
+            "name": "analytic7",
             "type": "Microsoft.Common.Section",
             "label": "Flare Source Code found",
             "elements": [
               {
-                "name": "analytic8-text",
+                "name": "analytic7-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
                   "text": "Result found on Code Sharing platform"
@@ -256,12 +242,12 @@
             ]
           },
           {
-            "name": "analytic9",
+            "name": "analytic8",
             "type": "Microsoft.Common.Section",
             "label": "Flare SSL Certificate result",
             "elements": [
               {
-                "name": "analytic9-text",
+                "name": "analytic8-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
                   "text": "SSL Certificate registration found"