From 43721bce80065d950c82050dbd7692a8cef6f723 Mon Sep 17 00:00:00 2001 From: "jean-charles.verdier" Date: Tue, 21 Apr 2026 16:54:32 -0400 Subject: [PATCH] Flare Solution 3.1.0 - removed deprecated columns in Analytic Rules and Workbooks - updated existing Analytic Rules and Workbook queries - replaced deprecated SSLCertificate rule with new LookalikeDomain rule - added two new Analytic Rules for Market and Chat events --- Solutions/Flare/Analytic Rules/FlareChat.yaml | 25 + .../Analytic Rules/FlareCloudBucket.yaml | 8 +- .../Analytic Rules/FlareCredentialLeaks.yaml | 10 +- Solutions/Flare/Analytic Rules/FlareDork.yaml | 11 +- Solutions/Flare/Analytic Rules/FlareHost.yaml | 8 +- .../Analytic Rules/FlareInfectedDevice.yaml | 10 +- .../Analytic Rules/FlareLookalikeDomain.yaml | 25 + .../Flare/Analytic Rules/FlareMarket.yaml | 25 + .../Flare/Analytic Rules/FlarePaste.yaml | 8 +- .../Flare/Analytic Rules/FlareSSLcert.yaml | 23 - .../Flare/Analytic Rules/FlareSourceCode.yaml | 11 +- .../Data/Solution_FlareSystemsFirework.json | 8 +- Solutions/Flare/Package/3.1.0.zip | Bin 0 -> 16151 bytes .../Flare/Package/createUiDefinition.json | 62 +- Solutions/Flare/Package/mainTemplate.json | 2668 ++++++++++------- .../credential-warning/azuredeploy.json | 4 +- Solutions/Flare/ReleaseNotes.md | 4 +- .../FlareSystemsFireworkOverview.json | 14 +- 18 files changed, 1714 insertions(+), 1210 deletions(-) create mode 100644 Solutions/Flare/Analytic Rules/FlareChat.yaml create mode 100644 Solutions/Flare/Analytic Rules/FlareLookalikeDomain.yaml create mode 100644 Solutions/Flare/Analytic Rules/FlareMarket.yaml delete mode 100644 Solutions/Flare/Analytic Rules/FlareSSLcert.yaml create mode 100644 Solutions/Flare/Package/3.1.0.zip diff --git a/Solutions/Flare/Analytic Rules/FlareChat.yaml b/Solutions/Flare/Analytic Rules/FlareChat.yaml new file mode 100644 index 00000000000..24df94d24da --- /dev/null +++ b/Solutions/Flare/Analytic Rules/FlareChat.yaml 
@@ -0,0 +1,25 @@ +id: 76210211-3ade-47b6-b7f2-c871cd05ec43 +name: Flare Chat Results +description: | + 'The Chat category includes conversations and posts from real-time messaging environments used by threat actors and fraud communities.' +severity: Medium +status: Available +requiredDataConnectors: + - connectorId: Flare + dataTypes: + - FireworkV2_CL +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Reconnaissance +relevantTechniques: + - T1593 +query: | + FireworkV2_CL + | where notempty(uid) and RiskScore >= 3 + | extend index_name = split(uid, "/")[0] + | where index_name == "chat_message" +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml b/Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml index 5d3ef97d353..849c68aa00d 100644 --- a/Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml +++ b/Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml @@ -1,5 +1,5 @@ id: 9cb7c337-f172-4af6-b0e8-b6b7552d762d -name: Flare Cloud bucket result +name: Flare Cloud Bucket Results description: | 'Results found on an publicly available cloud bucket' severity: Medium @@ -18,6 +18,8 @@ relevantTechniques: - T1593 query: | FireworkV2_CL - | where source_s contains "Grayhat_warfare" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5") -version: 2.0.0 + | where notempty(uid) and RiskScore >= 3 + | extend index_name = split(uid, "/")[0] + | where index_name == "driller_bucket_object" or index_name == "bucket" +version: 3.0.0 kind: Scheduled diff --git a/Solutions/Flare/Analytic Rules/FlareCredentialLeaks.yaml b/Solutions/Flare/Analytic Rules/FlareCredentialLeaks.yaml index 37c2309f558..79baca5fc8f 100644 --- a/Solutions/Flare/Analytic Rules/FlareCredentialLeaks.yaml +++ b/Solutions/Flare/Analytic Rules/FlareCredentialLeaks.yaml 
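Review bot: `split(uid, "/")[0]` produces a dynamic value, so the final `| where index_name == "chat_message"` compares a dynamic against a string literal; that works for a plain string segment, but the same un-cast value feeds `contains` in FlareDork and FlareSourceCode and `in (...)` in FlareInfectedDevice, where a dynamic operand may not behave like an ordinary string comparison. Casting once, `| extend index_name = tostring(split(uid, "/")[0])`, makes every downstream operator a string operator and keeps the ten rules on one pattern. The same line appears in the query hunks of FlareCloudBucket, FlareCredentialLeaks, FlareDork, FlareHost, FlareInfectedDevice, FlareLookalikeDomain, FlareMarket, FlarePaste and FlareSourceCode.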
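Review bot: The new filter `| where index_name == "driller_bucket_object" or index_name == "bucket"` spells out a membership test that FlareInfectedDevice in the same release writes as `index_name in (...)`; `| where index_name in ("driller_bucket_object", "bucket")` says the same thing in one operator and reads like the sibling rule. Separately, the query moves from `source_s`/`risk_score_d` to `uid`/`RiskScore` with no transition handling, so a workspace whose connector has not been upgraded alongside the rules (presumably the bumped connector version this release ships) will simply stop alerting rather than fail visibly; a sentence in the rule description or ReleaseNotes naming the connector version the new columns require would make that dependency explicit.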
@@ -1,7 +1,7 @@ id: 9cb7c337-f170-4af6-b0e8-b6b7552d762d -name: Flare Leaked Credentials +name: Flare Leaked Credentials Results description: | - 'Searches for Flare Leaked Credentials' + 'Leaked credentials results' severity: Medium status: Available requiredDataConnectors: @@ -18,6 +18,8 @@ relevantTechniques: - T1110 query: | FireworkV2_CL - | where notempty(data_new_leaks_s) and source_s != 'stealer_logs_samples' -version: 2.0.0 + | where notempty(uid) and RiskScore >= 3 + | extend index_name = split(uid, "/")[0] + | where index_name == "leaked_credential" +version: 3.0.0 kind: Scheduled diff --git a/Solutions/Flare/Analytic Rules/FlareDork.yaml b/Solutions/Flare/Analytic Rules/FlareDork.yaml index 8420d20e8ac..b3107e7c320 100644 --- a/Solutions/Flare/Analytic Rules/FlareDork.yaml +++ b/Solutions/Flare/Analytic Rules/FlareDork.yaml @@ -1,7 +1,7 @@ id: 9cb7c337-f174-4af6-b0e8-b6b7552d762d -name: Flare Google Dork result found +name: Flare Google Dork Results description: | - 'Results using a dork on google was found' + 'Results using a Dork on Google was found' severity: Medium status: Available requiredDataConnectors: @@ -18,6 +18,9 @@ relevantTechniques: - T1593 query: | FireworkV2_CL - | where source_s contains "google_search" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5") -version: 2.0.0 + | where notempty(uid) and RiskScore >= 3 + | extend index_name = split(uid, "/")[0] + | extend category_name = split(uid, "/")[1] + | where (index_name == "driller_google") or (index_name == "driller" and category_name contains "google") +version: 3.0.0 kind: Scheduled diff --git a/Solutions/Flare/Analytic Rules/FlareHost.yaml b/Solutions/Flare/Analytic Rules/FlareHost.yaml index 59f06789315..d9fb6f126c1 100644 --- a/Solutions/Flare/Analytic Rules/FlareHost.yaml +++ b/Solutions/Flare/Analytic Rules/FlareHost.yaml 
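Review bot: The rewritten filter drops two conditions the old query carried, `notempty(data_new_leaks_s)` and `source_s != 'stealer_logs_samples'`, and nothing in the hunk or the commit message says whether `index_name == "leaked_credential"` subsumes them. If stealer-log credential events also land in that index, this rule and FlareInfectedDevice (`index_name in ("bot", "stealer_log")`) could alert twice on the same row, and a leak record with no new credentials would now fire at `RiskScore >= 3` where it previously did not. If the index split makes the exclusion unnecessary, a YAML comment above `query:` such as `# stealer-log credentials are covered by FlareInfectedDevice; "leaked_credential" excludes them` would spare the next reader the same question.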
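Review bot: The new FlareDork description `'Results using a Dork on Google was found'` has a number-agreement slip; `'Results using a Dork on Google were found'` reads correctly. This string is mirrored into createUiDefinition.json's analytic4 text block later in the patch, so the fix belongs here with the package regenerated, not in the generated file.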
@@ -1,5 +1,5 @@ id: 9cb7c337-f175-4af6-b0e8-b6b7552d762d -name: Flare Host result +name: Flare Host Results description: | 'Results found relating to IP, domain or host' severity: Medium @@ -18,6 +18,8 @@ relevantTechniques: - T1596 query: | FireworkV2_CL - | where source_s contains "driller_shodan" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5") -version: 2.0.0 + | where notempty(uid) and RiskScore >= 3 + | extend index_name = split(uid, "/")[0] + | where index_name == "service" +version: 3.0.0 kind: Scheduled diff --git a/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml b/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml index d19c0371c46..2662cac7d16 100644 --- a/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml +++ b/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml @@ -1,7 +1,7 @@ id: 9cb7c337-f176-4af6-b0e8-b6b7552d762d -name: Flare Infected Device +name: Flare Infected Device Results description: | - 'Infected Device found on darkweb or Telegram' + 'Infected Device Results on Darkweb or Telegram' severity: Medium status: Available requiredDataConnectors: @@ -18,6 +18,8 @@ relevantTechniques: - T1555 query: | FireworkV2_CL - | where category_name_s contains "Infected Device" or source_s=="genesis_market" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5") -version: 2.0.0 + | where notempty(uid) and RiskScore >= 3 + | extend index_name = split(uid, "/")[0] + | where index_name in ("bot", "stealer_log") +version: 3.0.0 kind: Scheduled diff --git a/Solutions/Flare/Analytic Rules/FlareLookalikeDomain.yaml b/Solutions/Flare/Analytic Rules/FlareLookalikeDomain.yaml new file mode 100644 index 00000000000..0907650b64d --- /dev/null +++ b/Solutions/Flare/Analytic Rules/FlareLookalikeDomain.yaml 
@@ -0,0 +1,25 @@
+id: 8e5ae0d6-7f2d-475e-ada3-ed33441deeba
+name: Flare Lookalike Domain Results
+description: |
+ 'Look-alike domains are a primary vector for phishing and brand impersonation. Flare provides automated monitoring to detect these domains when they are registered or issued an SSL certificate.'
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: Flare
+ dataTypes:
+ - FireworkV2_CL
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Reconnaissance
+relevantTechniques:
+ - T1593
+query: |
+ FireworkV2_CL
+ | where notempty(uid) and RiskScore >= 3
+ | extend index_name = split(uid, "/")[0]
+ | where index_name == "domain"
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/Flare/Analytic Rules/FlareMarket.yaml b/Solutions/Flare/Analytic Rules/FlareMarket.yaml
new file mode 100644
index 00000000000..686f6d80e58
--- /dev/null
+++ b/Solutions/Flare/Analytic Rules/FlareMarket.yaml
@@ -0,0 +1,25 @@
+id: 9265ae4d-6bb0-4c18-961d-f7aae67d1546
+name: Flare Marketplace Results
+description: |
+ 'The Marketplaces category includes underground markets and shops where illicit goods and services are bought and sold.'
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: Flare
+ dataTypes:
+ - FireworkV2_CL
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Reconnaissance
+relevantTechniques:
+ - T1593
+query: |
+ FireworkV2_CL
+ | where notempty(uid) and RiskScore >= 3
+ | extend index_name = split(uid, "/")[0]
+ | where index_name == "listing"
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/Flare/Analytic Rules/FlarePaste.yaml b/Solutions/Flare/Analytic Rules/FlarePaste.yaml
index 2f70dc15703..6558e8328e2 100644
--- a/Solutions/Flare/Analytic Rules/FlarePaste.yaml
+++ b/Solutions/Flare/Analytic Rules/FlarePaste.yaml
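Review bot: The `Reconnaissance` / `T1593` mapping does not fit what this rule detects; its own description says it fires when a look-alike domain is registered or issued a certificate, which is infrastructure acquisition by the adversary, and the FlareSSLcert rule this release retires mapped that same signal to `ResourceDevelopment` / `T1583`. Unless Flare classifies these events as reconnaissance, `tactics:` / `  - ResourceDevelopment` and `relevantTechniques:` / `  - T1583` would carry the retired rule's mapping forward (T1583.001 is the domain-specific sub-technique if the repo accepts sub-technique ids). Separately, the query filters only `index_name == "domain"` while the description also promises certificate-issuance coverage; worth confirming those events share the `domain` index, otherwise the description claims more than the query checks.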
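Review bot: `queryPeriod: 1h` equals `queryFrequency: 1h`, so each run looks back exactly one frequency interval and a FireworkV2_CL row whose TimeGenerated falls in a window that has already been evaluated (ingestion lag on a pushed custom log) is never alerted on. The usual mitigation for scheduled rules is a lookback wider than the frequency, for example `queryPeriod: 2h`, combined with `| where ingestion_time() > ago(1h)` in the query so that late rows are caught once rather than twice; the `uid` column looks like a natural dedupe key if duplicates matter. FlareChat and FlareLookalikeDomain are new files with the same 1h/1h setting, and the existing rules presumably share it in context lines outside these hunks.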
@@ -1,5 +1,5 @@ id: 9cb7c337-f177-4af6-b0e8-b6b7552d762d -name: Flare Paste result +name: Flare Paste Results description: | 'Result found on code Snippet (paste) sharing platform' severity: Medium @@ -18,6 +18,8 @@ relevantTechniques: - T1593 query: | FireworkV2_CL - | where source_s in ("gist_github","Pastebin","driller_stackexchange") and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5") -version: 2.0.0 + | where notempty(uid) and RiskScore >= 3 + | extend index_name = split(uid, "/")[0] + | where index_name == "paste" +version: 3.0.0 kind: Scheduled diff --git a/Solutions/Flare/Analytic Rules/FlareSSLcert.yaml b/Solutions/Flare/Analytic Rules/FlareSSLcert.yaml deleted file mode 100644 index 5a174d4f0c5..00000000000 --- a/Solutions/Flare/Analytic Rules/FlareSSLcert.yaml +++ /dev/null @@ -1,23 +0,0 @@ -id: 9cb7c337-f179-4af6-b0e8-b6b7552d762d -name: Flare SSL Certificate result -description: | - 'SSL Certificate registration found' -severity: Medium -status: Available -requiredDataConnectors: - - connectorId: Flare - dataTypes: - - FireworkV2_CL -queryFrequency: 1h -queryPeriod: 1h -triggerOperator: gt -triggerThreshold: 0 -tactics: - - ResourceDevelopment -relevantTechniques: - - T1583 -query: | - FireworkV2_CL - | where source_s contains "certstream" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5") -version: 2.0.0 -kind: Scheduled diff --git a/Solutions/Flare/Analytic Rules/FlareSourceCode.yaml b/Solutions/Flare/Analytic Rules/FlareSourceCode.yaml index bde6f625d60..904de5699ae 100644 --- a/Solutions/Flare/Analytic Rules/FlareSourceCode.yaml +++ b/Solutions/Flare/Analytic Rules/FlareSourceCode.yaml @@ -1,7 +1,7 @@ id: 9cb7c337-f178-4af6-b0e8-b6b7552d762d -name: Flare Source Code found +name: Flare Source Code Results description: | - 'Result found on Code Sharing platform' + 'Results found on code sharing platforms' severity: Medium status: Available requiredDataConnectors: 
@@ -18,6 +18,9 @@ relevantTechniques: - T1593 query: | FireworkV2_CL - | where source_s contains "driller_github" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5") -version: 2.0.0 + | where notempty(uid) and RiskScore >= 3 + | extend index_name = split(uid, "/")[0] + | extend category_name = split(uid, "/")[1] + | where index_name == "driller" and category_name contains "github" +version: 3.0.0 kind: Scheduled diff --git a/Solutions/Flare/Data/Solution_FlareSystemsFirework.json b/Solutions/Flare/Data/Solution_FlareSystemsFirework.json index 4969ebe4366..bbd488aa5eb 100644 --- a/Solutions/Flare/Data/Solution_FlareSystemsFirework.json +++ b/Solutions/Flare/Data/Solution_FlareSystemsFirework.json @@ -13,17 +13,19 @@ "Playbooks/credential-warning/azuredeploy.json" ], "Analytic Rules": [ + "Analytic Rules/FlareChat.yaml", "Analytic Rules/FlareCloudBucket.yaml", "Analytic Rules/FlareCredentialLeaks.yaml", "Analytic Rules/FlareDork.yaml", "Analytic Rules/FlareHost.yaml", "Analytic Rules/FlareInfectedDevice.yaml", + "Analytic Rules/FlareLookalikeDomain.yaml", + "Analytic Rules/FlareMarket.yaml", "Analytic Rules/FlarePaste.yaml", - "Analytic Rules/FlareSourceCode.yaml", - "Analytic Rules/FlareSSLcert.yaml" + "Analytic Rules/FlareSourceCode.yaml" ], "BasePath": "C:\\GitHub\\azure-sentinel\\Solutions\\Flare", - "Version": "3.0.0", + "Version": "3.1.0", "Metadata": "SolutionMetadata.json", "TemplateSpec": false, "Is1PConnector": false 
diff --git a/Solutions/Flare/Package/3.1.0.zip b/Solutions/Flare/Package/3.1.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..597facce9a2d087ba3799c4f406d6e2d71ef647d GIT binary patch literal 16151 zcmZ|0b8u!&^er6Qp4hf+^NDTSPn=9_+n(6=#OA~kJDJ$d&HMZQ`0CzU_nfM;>zrQI z)xFQ|RjYUP2FQU!V1R&tz<|^{r|W%AH%3Imfq?9>fPi3se>HV6H+C~uw-z_Iuy(L^ zvvzb~v~hKG*wp!O_$!I_C8We+gj{bXos#U2myT7tNeP-0joO8X1O!x%p>~uVB6W2& z7d?V)G;I`bCgWSY&}7=|i8ls+?u&2ip8I|Rf!qQ7ATXa6#Taa;_@W8C>3;{uOMKBR zM57_t78x=6u%QMc8f~T(kp{wdi=7>=b@ohL>;T;FFKe(fC25LDNcq?kdeFTW1|H2-;a4*JDkW%+%I(^I9@l)|#!fny$v;VMwuvNW1aSARr>*-jvBl zT*AZ`bT3`Z&Q36Fh4gV}p%wM4Hii$gCe4Y79aWqkT~lcFl-|Be8N(408Pe%ke+G&o zrTI7!@rM5aJ_+)RfhxsWW&^zJ$*QtrivB7CMpkvnRYoMH>4Lp*y`QWBu9zj%$%`C9 zeO(Kh-T_}k2iHykL^Bw0(MC>TQ22pzs1_v{3?+(2QEaR*D!NoDdsN*HGMLrFB+PYR zAIE*y3%U;GsEmdtH~`7u_Zr6XHlCvT3s=n@=zQR|36x53V5OPOA=8# z=3#fG?it$c?=rZ037KtZ)7`V=3N92IG4h;0S|8ERA>id`J?Vl`Cu~EsxIslniCe@< z&4PGEGk#1I93ht!M*5duoRzL`e`$|eEhatKS~D`sa?r?<>rm5=gulI&qAj$7@vun2 zgPBYzkCqoxTs7k|*A7}A95$zr%*CA2w_e>UQtLn1r*dSisAeOAn`3oH>5Wy@5+-MGK;zp4)P9OpXQiaN@C&=ul3wx1H z#27E$D-Ja1ZfU%#r=kuo>-GKK9)jX3-e?JiF zkWJn=8%fhdIikOBZ%arzZ;+ETZ%z?7QdOFA;XPos#8}YXUx9l08`@#Nt~qh1X5iCC0FLLBWF4 z;Lvw73vGX-*ZZ!K{AAqgEAO$&=c1Y_S!-=N{Ph&#{fi+yCf7-FO;6m4%B$x|oSJ>+ zuNPYrCejvYwzU#XVj@+J^8z$M=gRcgHc-Bl8qLpQVh%R0wB^{BeS%vu;F>>`rOam9 z1Oh$;fx0qgR2&4CU6nq4ab7fsx#{2i%qcfk zb?6UQ+0@(7dT~{^XE(*cQqcRsjw8^>PhoYz*@Oi4kDGfR8$fw&NnU=Il>9kSkI2-F zB9pT%n6cCdW(v%7%>51zxCq7eugGIlF|R4}5m8#mC_e=q_kjX*$VZ^DQ7)> zZj9qkkx?Cnb2sUURd4;m5ciBeaB>`$;-i=g#DW&rb~!e6(h>O6Zkzzg2y?$if43S? 
z_dWpfDAIQO1GR-(ho;KxJPWLyZ&T>hI)Q1fSF7cv%@k} zLAOTinF7$wdEY5Eu6Sj2GVc!(SuBbRb?#oop~hJGrr z^Bkj6hQzeLv}qB51#4e8`CzsxaHi9)6W#aZwxuN_5YVoAe1jw~+ePAAY)}PZ=IW`M z`qFFg%abxRar5nMWTCb8h7$9tfyvHx#MXD)f%7K#;r3Ync*r}j1@41O!=6Q;21bLJ zlj}Jez*-w!wbLHS7}xo!!Zinz4W;XjDp_B4B_;|Dhj*rj3U7mdFj?ta)1T2wK?1Iu(R#C)=s%X@SBVd{o%uAk_J>2n`VUdnA7w)_R%lw5cN z)pywODJ9)yCTW7GAX6W*>To!^lw32uw;psdo4m{vxfEiPx3sE}=H3Jt%89Mx^*^n= zFsevGzyye0>sd%*u!yIaLk8@LzBxzuM_YL|UswUuhOWg>r=6vgZ%+J+iWVR()J`&l z0$>omSkzfnbY2)(~R|3u+`sj%Kd(DaRiZVzP{5>#4*eMY(sCe)8QcVn1cO9)2jMz$Mi_=ts~JTunF{I;=S=jbFl$_q}5X zFBG8ljvm0|<;D{Kig^PyBc|}NJb7M9%YBreoroKTHJF6)*zc>m91Xy8+t1-cwdnm# z<8uXuNhxXOaoAti=GTil9h&4SDNmHh=e)b}eUEsibNvhhVF{!?(YwWic4jg^zVX?&bM#P1t5TJ5jPW{wV}Z8=Niyf80XM>tf6*o zrfkB0WSQ68y|kL*LIlN6UYZh95*$KZtI^>xjIiddO6w_KhL5LmlPl5RrW+T;mS^xc z_N%XFmaM1eQ5=IT$2Rl$#3-SuSFFC`8URpg+Dv^TB(z%#I6jnmHPvw85{L~}DrBwt zXuoWW?*iSdOw3sswC;&LuyC`7k3Hzk6|79$pxd~>9gmgI7bok`D8InxGQ2UsNbYYX>!RdndbZ75hKR^}_GNWuLS0>gx`J z+Wg=8R+8CdK3nosj{CX7UUKG;$GJ>p?cuE`Ik~X{DuVF3vqjk%|D<2@8+jWp2#r5_ z3H9W@@=S#t{a!Ji6+5mFd#6y3aQPjVvBEflhe7eo;*-FQw~y|}LcTG!(pXHpKhYPa z(?Z*-d;t32F1}#Rp4^YE8Kb|Hd4q%n8x)ydNRKjK+d&=MZk=2R6&p%q(UxOp4qw|_0j*dEJdaTfQF7k?xUENlxznC~a!gbTiT`|1^qB9;X#Cya)5qNRByjo>(qYe%z4~=V zcF!lWh$-05*&OvwBl6X0`L5x)O4^e!7Et&`)AB0<&J11gDk63yXWHz>W0blQq!{kY zH|>jV6uVHdRUp|}A>L@(xwA3D);Pd*A3ReU)ku1r9Ia3-M3od!7Y+d`0)h%UA}X3l zjMT8x$JyyBvbF)!=V)iIugOes+>%iyddj-{@Kn!qu$PH;>tPoZr+?1>yoh$oefs*& zt@WHe;9B1I!_n5YO6h`eeKn0$Iljk}FJfIm8$1(_1;}^O55i%rcs3FZy_=l*9OweZ zpi#lg)`AH~Sss%xgMpnW+dG)Emndd}n>oeoz6dz{_mN#bq^{=YD)!lqIxTffsrRmv zg*lj6*AQ!6Cp7mLZ7lB7-(rwTCdd=zGX~~NCwQ=b-l#sH*`vMht&vISafdE5a!V`T zTFIos-uxB0s?076{m)56ZzHle!#6EEr3JEenk(BwRurcIeo?oj11X~*Hf z=t)CINi)Y2sdemV#Hu)Yu}>ulCR$5wh`4cY0kTLCeel+&99*T;y&*(cDyp7H##swL zgnPukb+(;3+;DKW_c{Vn%z<;}uPZBK1g6uOkobX}8=d8;zZ$1pN62U>V*va9D`{P% zou9pTzN-ba#$wE`til=#u%8)4DpiI$44D z_$~`Z=K-;H&T4^S!=J9vjnLdn_shE7f&*2FJSsZA7g^ywz;J5|o&UMM08XIg7Ye#+%RR-tTWIpxpB~-zv7Pn$ig0CS#k7N_y 
zilHa}oxz2*a{_>EF4vgSQXz1VHdcM7m|@gj+pI~@f8JVSOVroCP37Qie0+@a-tV7x za3qRH_9-T~ZRFy`Cm_H-UzZB+0w$hcGBS2iZsJW|UPhU%#K5|)ZR+=&<2IC-d(3J9 zpJ>hgGv?#miF_R99(DR_o7!r?r@Wu%m(9doK1y;x51r)A54g2Wt~7mZR>cEgER(an~Ee*yZP+q|J|Iv!?=4AaabkW?Bro7eEz=yq>xlEMfk%13Pvp0^jI! z-TaNH1`8Hv0%nbY@Sb4d)X{bwFff=CwAT@Zxzz$8Fs1^B!LO)t(#Fk%Q|oLi}?gtntf9 ztovG#r;)}t7j^HIh;JYHy+GX8!pgOnKdFbF_p-MBFdKh9a#H(a;ki^h4Or}HIPdia z;}l~-KWcnCvtC1xs#!w_&aIq`BrrWym)Ljft)}U%41GLkD-XDPi_E1W{ynU>*j}*e zrGxg~SO_7dU;4xDcb=7hFb;2vg(C`^`94>;^){uSE6$6a#7si&%84v%jx(W;;h84J zc@ zg1^<_M!Z#(+{-n5^QPo5iwUC+$-lqKX{p_>LP z*M3gmk{oMJojuTpukN;4LCqAjG@Tfzm^B7m04Rt*IJT_jK@3>3y<#J1wyO1?MNg&{ zJ&*|)UuGz}ME6r~8K3Q-x|e?e08lw*e&^70OT@=MqU8%1b9`q)IZkKjiq4WV0|B>P zu?lOMbHz&MUj!(h2|p6cM{*y1X0D{MU_USe{`T;Aak=epe+G*)XB#Vik)9A>ee!X> z2-B11OLdE|y&oS@Ao4DAEVObasUZ$=3v8<|!$#|tFT8{>IDb}E ztdB4Mhdx?}zNZ6Wydrs^6d(B$9YVE~u)N$awo`D@i*gQGNKR^yg#t{V{wG=VH2=Av z9gNu@*oTJTdXyn-t1$bZZleRhq?fRFCLhEaDCq64euS?Md?HBwZ9|f-Oj7ge_k;0B@OJEQ)w+ApjEyXPJyc{6Z-ghKwPwH(?$hH5 zfaO2~7i3|fxE@$wAI_vQs;(f|>OP`=>d%`Vm;~H>e9ohMCj_$+^#N?H7^_5VUh3CMxzp+)t5`F9^s@2~9k~ z2ZBcDO^FHIE>Ogc+_p^#qK>ACLjK5Q0dJ}68Y|oTA`xN7tpa1qEyR1)?~%?Fv2;@) zKgIlQ=+`^swh_S>C`h=)($H*9%&Y(XFpp=}|K;Ey!WF5UH2k9tHe9Llo~#k!?j7e` zRER^HL!)(((epTk@fa>2`j%oQRH+-vTRW<$vpDDw+EFWBs9TCeh4`S>yEX>d+Q*kT z03rn)FBe^~7)()u;vYMQZn`S1i6o-)A*zC7n4nltJJ4#3{2~oZ_3(+txy5+!S>R|P zsz9{Oj_j;*q$^_IN8D&j&G`ju;UV#7F`07-3FP@9e>Q*eBPM?>zo5`07vn;*GC!($ zaw0!(n50QtwcE_w-9RHQ=+BY9m!oXQIp>|GOf~7V9jtQj${c5}B1)L^3!JZ~#r&dx zPQlTW)jRykd>-UY^l+Uv=KE{SV>K|eL8Q*IIPejCY4ux$hB`{Z&VkBw^rMr}1(*WO zW-sqs-=!#I^qTB}T1v3l$P?1=&Nde~B_%=Wrd3VKLSiF4baB1>pBr!{&S1dC zcaCLoBAJ^MB{Q;lgiuHE+e1iRc!+vJ<-;c3y~k)IJ&7pcfK$%oEMAwL9n?fe{U!d> zB`(8M*ZN=b_vDOdv76R}PFVdo&ek*p>9yk%0JBj8N!Cxloi}rZfLf2&3(m#Dt`94k z#154%kkZFE1@T@qHjO+Y_lQsyS9~BcDObL`)%paG;i00qE3K>@22ZDx)RsIc(M1Hs zOXOLHVz^~`%{o;tu44aP@lfo}WZivDYtj;!X@_OE2J)}9L#W?700D#}L)zUI6W8$Tn}w9yWYt(7Qiz83Cxq7> z5Uiz$gmTnl0We!0f)~Ea9*oW!Lyu+s$M(CfL6#=En+f*=cNx6424nGGp#tk&s%>J9 
zixT$*ZET+WJihpo7EBIn(qEWvti!c2w8imSBfu$^)sKi9Sm3GQ>zMIudDSxOzCHwK z*Kgj&-|LnRP{gBoEBV0(waNu5GUY;rd^S5k!^`ky!J-kFYes8jX6YVIf z28s(Bzja~84yjwdh3&T!QAuEwzPHrTMp((H$yPA0VazIlh^Z{TZir>^x$2hu?CG zfCjjb?9uwx8ws27#`xsgc)IihB`^FVlzxO?7lgIQ%GJa{JUh6z)PzSkEfvWC4Cb=x z+WHJj1730}q~9r56a?d%#~im_!m=&MF(EQM+1%td4XrK{Up+=XCt50RQ5K>Y2COsK zmCXqgBV47mM}zp9aE!#z5u*$!XCsOp6G(h~3`3xB9)UVj_`#;qrWW-mZhJ*fQ>B97 zRIK*~2I{bGNGo0@vfO)9iM(21B+I@{hpq`0Kj_mOX;PaoF4Vn@=k)UBk6bBzXpcw? z)naqeyPb%S>m%Y4(&A4f`5bDm=A&tElLE@5b<*k-aOhcfzfvBF?XZ}t2H-90>6vn< z>GkacaFFjhRM#g2uA;glu`+YcH|U3dFzuJA9T;F^cI%F{DR320mW@TypmNrYMY7aw zKHE%IK|hKbPdh<~UTxwFBn--6JaVQd+eq*sXJ-^}M@3nQhs3q7LSaJoM10hgL);*BjUsqmK_{l%nX!RQFo5EkNCeyNLMYn< z4wFB7Hr^@|Uw2O#uwVufze7y&wB=l0z=xG359??JF zsNMjHF_^hluhYC1GQ2SWa}03^`ng_32tTINY=VYC>d|zTT9nVr54tZWe-ky_1S01z zj&@mo_(xke+1Ov-Ji-Yszw_`UVURM>)Wa{OiJD4*)={idnuhvEjpwn$lK}#jD9POj z#M?9Um_OjR-R`8tsk~ZHc

AOYM~EAB|PxQy5H+OV@L_-~IldV!O94ieZ-l3Eh{C zOFrud$z@y-aiiIccU%>KcpEZl#M*ja3)B4HN)6jxW9CoUy1M#H1^BVs5w>h`JDBO+ ztT@0uLw5k?gEq2B<4`C=G^gV{qt!&}CISCIY? z5@niz-N}{nv)M#ot_95nZf49{Qv<_faf3XMzBZ>#3c zj!)Dz=~79s(Iz@P$ztVAYI3HxUqWT^33q7Aq#hnG34^i8Jz3H5><|1#~X80jiUFqcwfh&d$*>ce~!6pvQsGGK48V|F&&6 znzcj?zqt`Zku5dJw2N;cEcFIoXNm%k3t$gp%8}AXBu$YtXq@w$GMcmZ86u-S2M~Q%r%My{np9Y ziofDMQ$s#>>FKOk z6G~n8n(ZOAy9iD8MZB%3qO_ggmdgMmg5fak05;G<7ANTcWb@py*vq zg$`y+ny2rw0(%P0ulsx0wCFK4Mo`*NVY z02to0z*lqH$e+f*bfM*NFuR=c=t_XCwV4>Gj)49bept#uvB;c2`v_}gV<3OJJf6{? z*Poto!tWpMBwBN4jp@(?V;V?O#`6J(`3~1wYZ4VN5_p2>WvnmOx+lXMX`O?e6K|gE z^quQ#p;xQ42w0|FSoy!4iM~Z2ux;x+dU%PoM!PEK*6JbCBfE)e-b6%JnwBUw5&J_V z{n!lf-Fgb9Ew;65TmhB<)O2bF5#`#tvgEE&e#==E*9UgRL-nleGI}x%YsT+=F8@o1 zM^a=?jLU_Y??{a6zm$VTuYnG?+UQh!lj|tgL-vP89~B;FSscUTUTvAnY)T%-3D-?C zh!&s&-hK|}NQYh2VJ*LTXlTBihuYc4WmGhUCl>b0>^_;`n0y)+y;Nn&J{F4L|S^gNo9l6<(Rx+&{Hqo35%9{{Rjv7FT;eB|K{0@jhoy$*bx*3|a;Vawu9&BKfF;Ot)-~T_WFT2`i4;vudQ6K-=2kF`;W5cg-?+AaI$C^^X23!7- zEvew*U_8q0^nUGgd^SPxBm}j%HT6d_k*lV=WZXyNTOIH%y2Iw@FUwO?qa10B1=g^| zN7Pe1Smrm9FUV$l86rRlMJjP8!;|u5HBTQFz?us1QoN zkTlWXm^H(VqU#JgI4+t8%E#|tGTR`;fYiG2qD!==ci2m4D709814w4NR$<%ju6QwH z3%TkIE6Y-X%uy(P!C?X7ar*9}zSL72uh$l;u$8l4!G`o!BXUg{UJ3t5_POsO^gJZH z{I?q~YIF4fEu-xFx@ti!`+8RZwn*QPhfDM+mn0Fsc)03d{*P2e^JRs{KGV-6%1be% z=6sLv9%yi6;TECz@?xdV``&Ti3HC%CK@h_Yq*};@d)b*Mg0pThl_)jO3VLTVg)rqm z=|{jIuqj^csGpRU>NhS=56@j0oMD=xnwxkm=mY0b=UrgN0U8+k;mQVnTjb6`faf

P zYG_vmJm{Ee&V-&lBZh062q@?gu5w9^D){n8N}w5DXf|?74xQlm^;jr}Eq{vi*C8A2 z3&jiE4_1ijYlhQ)ZnVG+qen_#?%|C^KF)E(?zXMJ4W-9buIhJ-&gs%Rpb))BTpR6^=#U#tZg zpO`~}FsvWXx2ygP%QeOOY@t9e=?|c}bUfM^jHhnWF<%VEFX5w!dGq`UMOGB6?KtEFoPUN=`mwX1E zj{}(4$9#-cO?(dO=N}Q^^PT)SBdguL;C=uFk130ziDr|_N;@9ft$>r%aqXRY%S;5= zV2kN4shVGs4TsSSPQ0KapbyP7{Na=+B~FTm+Lc`mxq&Y7@fhPxQ$m8Fh+p!ATP2VW zx}E|P{spudzwr*E87?Wei?rArPzvtfwSyVtEgq0#Y^4HCHNE-#ZJstMdw* zeh{OQl=2)7j4FT&SM*9O?7k@wj$GSAQ2G7@1mDMjWMt{G?;$L&wH4H;HwmYrb#lSx z-_3qJpLo#K#za&09SKygY4ZcKkf{1b6l^g)jopT`I?m5IySdrBtMs=^1wZv|F69zM z9S_T68levO-Qohq14sI#SO5KmH#H;EjqL9 zeb7GglX4}<0WMD~_s2H;evhu@KU;wOBffB?ZhMYrxK4l~Kky+`zU@6r+gvULL+#Wew<-3I|c%8GYCsj!=E6+H}%gb42 z#x`RUr=%KwK|q+ofwcXv^#@eExr0*2A=WWK>V}B3?e#`z_MCBIHtLh_hkZD_&$H-@s1Wu|YZ~-UVG4qA{e)D>vcf&lR?pZw`1 zxw`X1uKpdoKI35ZEVSUU1y2tXGLjEpc*jbcE7K$n8HG;SE9dKkJcJx$X~1M*)1}`P z*!j>CV#UWH3*?MaoIE%9Z%G4+^Z6pxjMgtSC?g&BMFA7qaq{4mX*aUo~hKO6oC>;ZC*{y&%%?QWhy{3AZ`IpRhN8g3$&=M9oc` z&mT0eIU5-895OE0^h>QTwl&H^UT2hiNh>Xw(BzVUU8afz7E9Nj6|#UQQVQj}kQB>} z3JO9#K5IYxnpYl79?LSF#QjgKZJa3CVF-myq>N&-m%>>miSPuQ&oHB^vH8vNL~${$ zuF^w06rbcE6{+|BYflf!xfWMopl~nmMK7o$Q(ey$lz+PDz>aQN!?Uxy! 
zH}rOF_ddLvHZjc)UCG1J9ZhC3(VfVc5;#lqh=Qm~SX|WbB)*8TBV!WcnT~hXVNP7s zy|d?TRr*7Vrj7c#D0@39EnBV1TpO9rWn0)K8d2mqI&Tj>x&$*bVgc`4+1}20tS5fjQJS< zuVVX(IoH?uP+|IO$e~9I(;r=&BFC`%oWpT<2^oDT6{6`7v-jclSN0@sd5Lk+!WEFK zwhz~1cDOmy)Ml+Pmi^tsa!|3c_~%<^(b$E-fFCUYr`Uv3iwQWx?1Qv?+ezFOleA@_ zy)X^Er=aF35h zc*hy=E_d75eV>iW7`0j}hk-u)kB6}q!w%ezP2?$dYOkdA^rGk0kvar7t1;I54Gh+l z zC*B82Fa_FWvJ&kvSSju2;O7ay+%lDn*g75Dq?F>gBOlp|WJmVtCjz>dwb`yE|4VY^ z@0FjHNKQjvp++Q2YW1{i>d}pLz8)1D)JTv|Y~WN2L`9#_tFkRW=b(hya54*;w8%CZ zVq4Ej>eT3ZT$L;LTR16gTQ{@gF=d8%Pt>5<-wjWcl43?u1N16^zZnC!N!5BFq7zb!(LGWvl{}XXo>A zp8@$wy;5@=V5B1-J-Bw)&-N$=*A#gGql7~>4F01rQ1;7?ofgTC#E9&;{_Lj)>N|^A zA&~wR+UP0!w73HdLv0n$t&&yVPS0`yHJc&&_0F2o&)G$j7U&B5%79UzgO*`pMlv5w zbnB-`g+2hvxxMjPR}~u&bXTZwem53DFA+60^X@LcpqR0)L~+H(#w)zSIzh+o7xfeD zs;g8bK~F7yvrAs1gosTDxP8k)on)Xfw@mirKl6k9h2-%GS^2V8ijqX0<>NV5lv^V; z=wttI+=iN)Dn}MS0MgI!*~z+%_LB*w+gmCs1z8*-uFhb^cvN}Kn<%?Tu7!p8&`|4H z(dP8SP>}~U!KTI?46Aj%3JL20(M{~%_C_GdzdS}FnImslkuRG$IebFmj~m2Z*ukaE zXM}f<61i!GayCaZ+9o_&2REPF`u2ozlO3qJhWh=OdUqdmrx(IYqI`VXcl3{cQkQlP zeh$D{6Q?(w+3J{eQn6T*(-V-vAeD0<_G^3J~1RcQ1TD6n2M`JLvIx7^~gz zSY2_WW_X5?_-``H*=vecIb2Y8V|Bw6{+w0^Zmr=+o1&-_cB zCCcIC0`U6e*$kWO(JZ%rJRvd}oPc(Wl@>GWhA|TR_J_l(P}1=Y1>XV zJc%po?j*!|3i>VyAEp*^;^ToYVWM;V>(fh3g1%y{=n{9-_|H|SLEFe zbFBKHDfGQGM_`;{IX=AH$i;y(MaCd3+nMAe)B5QgdVvcqJCKk@yBxr zj7VXvM-ddh>(Lj%H!T^VH5!717P(~uk0dKwhW6~@1kss3+m2Gm9s2%5if0Mrbc(B> zcx!9N#qzl2{p%~ab~sY3o*0E^iJ8xtbwT6vAD*jr`Y?%x-h2(fGaf}SYL;=y_Rg(y zKA&`u2pURJNq!Uz?MdE^R>m}UQfpn}n@PAbV?Q6r|g zi=(`AQh5DaO21b7V40Td!O0i^&usuM`&r5}sg{&b+Y{KKz*(4KmY;1mrA9b7g8Bcl zpJx+`6j-*HZI#`w>wgU)-4cp2;)nHGj15oHh!CGqBg93P+wue|Kxj!2FHAHiThMl^ z&j&8>^eZYsX{jOq`3*yMNpLs?sf=+wCOe|?Se9c%Wc))wxs~;ZI{~;)5Ax?{L^F-r zcgkO-k}3O^7FAP#$uD+f6_va!BqoIxPkyL}0oDgER5%=E%m<)iBT_$ae|wAwgXJB( zD54KJaAAkcr>n`g((pXrP~?~pgY|Fw1lw;=(O+Cm<`kLLG2T`tX_g6E2s16lffPO( z7KXNZi_c>VJsZl)I`5zX@!V-*k@kUt_6cjgb zN`n(iOcbPn>O=-*B=bS@(9R`>X4{EO`n_09I6!7Kc1f!0h^XRYt!_gvGrVMpq&C-| 
zMzQ?xi7S|JC^S)I`Lq*Gog>iL3Kn_9Jtt+t;aPMc1h~nB(`#W^k!yzXK#cF_xboVK1b|@3CFiW5@4OxImSls$7l$Nuod~0-S3p6A7h`?LMe=bwe%5fVCRLKq6 z{LlsD+45e9A=QBin4lzgE$()K;eI}VF{ApXFwr!)&=QXYHXp}vz}S`vKpLq(T9l;a zaj8_8#Nsi=!5uNQx-cQBZv`-B0*EN&)Ixw`X_UnSA(a@CQaE3N61U-83z~Vm1x@^b z6E+J#jA#ap$Ps0|ufv9vk;|;bL9acI2s+0;JI2_boe35%RUUvDBE*;RH?spni)(R> zWT7mgn*jDwGmEDq=2Kx}6AjfTPm?kwN8*PWTf)D~Mad%aC0&}OFK`yu3J)qSj^PGq z?=vYcwU9-(a{a>26LNJz5`*` zJFb3Gxc6I-ypD^5Z z)wH5s${Sjs2{{eH2cI6w=K!Uf`dryoNFVOp*kbfVW2Jr+_mTR=2hr!d5yvKY*eD+C zZxiU2vbe+IkcfSEu|+b2RRhjrdL?JGZGTga{HKybK?D{w*?X74{RPi1nhAVPi4K5Wrr>d zy`iaz`I=hiL=Hxk+b3LXZ3JwVMX2aq(j}lZctlCWZF%J2I*QCRr7pnJP*B`O4KxwI zh9rrTILRYs(4Eu-1@wwtI%t?>Hh@7esnxB<57-YA!Q>r|J!~`_{A>rIWXIX3vW$g4v~_1KGbL32tF={W2YFAtO`!JCdZE zpsc?mDVY7c@jH_GBWRW^tiV%#MckK17Ozt)e9wLEd+xG#jbNo-9g^1T!q!`+pYF#S zGL!$Ug1TdvnQr>U+3)44PHIYVo(FErMpfv%vmT<kFJ=AfiyQJ0j_nQX~u zIKCP2`*5H1L=_zQ;S#QlHMk7V=)hN&Az10Kyk?BdiYtVQ0jACWgqgIm?jXNM!?0Zt zqu!a5k-#c+XxB^hfHRoN0g%5I` zbXY%cY*^mO!gnNY;&tB6RIZWPd?eexLCeol5n4I(YM?l#??ARq-Jew$mD`=?syk8nK+ zT#}@~lqy;kWQY-@ALOY=*3nYoCp%6JODe}NwC`c5eGg0CylLwQA^T5~a;nHii8V;o z!9q86y^3p_0bH|*4b3TVWoH6ckLG)w*3v`O;@E}^@1(k*w}FnSNP8?wM)`KeNa`wk z%Z2HPLKMI*EMQ>L1RPr-ND!P*Sq1ph@x;2$SYDY4b?u^ptNmeQvw8c9OxO~>r!7hM<|{9uOO9~ z4^#x@Hd45%og87C5Q+@F6Y(pX&#G5dfXHpxRqM@P2#NIDInF_3D{&X;{hpRlK(#DJW$knjZ3+*ZA1LwwY0p9cO)JeD=&BHmR^z>sG#laJD`tZ2f zS%ArSh->v^=;%>KBaWN0)``c6qg2c$mM>D9mREsv%33BiugA66uUH-)33v@8k#?K# z+_o#2BgU+Lv_UegXPzK>stcj9>Tzk*)u{)4axHg{9>*$d^(QEia(eYR<3c3#0yl${*Xj}fWtn{RMv7|0Gke!t;wJhbe zEa7f&R?qvDF)Tc^Z>XrMNs#jzqN?ZDgfim>hBh@oHQZ=5N|zThe9u&X2-WfI8Qo$(XFwWQ-?c7aIo)LhguBs2A#8Sy;@dUwmIOa+z?~kB zsnj&t-6${T)V*8W#W~O&d$c8NZ%RCGP9J-C9KK&--gdRY^!dEJU)JPo>txR9PCa+g z`u{7%uxHwzt$eOYmoDkK?y1^qGXTszg6&pEZF@U&uKU!seuD(Ut!HKI)!&yN{H)O# zID0;DR2ko0L%s88189YPp?mrj9l1brC4W1g;m^qk+unWF?UyMXwj{dV&WTvFSw<^* z&PIE~;A7Rt&+r6WwK9vo*o6vvEu%U$ydBEUa-V27{{8QaMepsb_sz@j7c@W)6bu9W z|6P9mUBUA|S4rT1=KoQQ{(pAzf7Sr~e_eoplm!0%u5ACmDuMuVkWl|Yz`pO0Z|f)c H-`oEJDCR>I literal 0 HcmV?d00001 
diff --git a/Solutions/Flare/Package/createUiDefinition.json b/Solutions/Flare/Package/createUiDefinition.json index ff51c8fad27..c44a76925db 100644 --- a/Solutions/Flare/Package/createUiDefinition.json +++ b/Solutions/Flare/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Flare/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Flare Systems [Firework](https://flare.io/platform/) solution allows you to receive data and intelligence from Firework on Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs. \n\n a .[Azure Monitor HTTP Data Collector API ](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 8, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Flare/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Flare Systems [Firework](https://flare.io/platform/) solution allows you to receive data and intelligence from Firework on Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in 
[Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs. \n\n a .[Azure Monitor HTTP Data Collector API ](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -146,13 +146,13 @@ { "name": "analytic1", "type": "Microsoft.Common.Section", - "label": "Flare Cloud bucket result", + "label": "Flare Chat Results", "elements": [ { "name": "analytic1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Results found on an publicly available cloud bucket" + "text": "The Chat category includes conversations and posts from real-time messaging environments used by threat actors and fraud communities." } } ] @@ -160,13 +160,13 @@ { "name": "analytic2", "type": "Microsoft.Common.Section", - "label": "Flare Leaked Credentials", + "label": "Flare Cloud Bucket Results", "elements": [ { "name": "analytic2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Searches for Flare Leaked Credentials" + "text": "Results found on an publicly available cloud bucket" } } ] @@ -174,13 +174,13 @@ { "name": "analytic3", "type": "Microsoft.Common.Section", - "label": "Flare Google Dork result found", + "label": "Flare Leaked Credentials Results", "elements": [ { "name": "analytic3-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Results using a dork on google was found" + "text": "Leaked credentials results" } } ] 
@@ -188,13 +188,13 @@ { "name": "analytic4", "type": "Microsoft.Common.Section", - "label": "Flare Host result", + "label": "Flare Google Dork Results", "elements": [ { "name": "analytic4-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Results found relating to IP, domain or host" + "text": "Results using a Dork on Google was found" } } ] @@ -202,13 +202,13 @@ { "name": "analytic5", "type": "Microsoft.Common.Section", - "label": "Flare Infected Device", + "label": "Flare Host Results", "elements": [ { "name": "analytic5-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Infected Device found on darkweb or Telegram" + "text": "Results found relating to IP, domain or host" } } ] @@ -216,13 +216,13 @@ { "name": "analytic6", "type": "Microsoft.Common.Section", - "label": "Flare Paste result", + "label": "Flare Infected Device Results", "elements": [ { "name": "analytic6-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Result found on code Snippet (paste) sharing platform" + "text": "Infected Device Results on Darkweb or Telegram" } } ] @@ -230,13 +230,13 @@ { "name": "analytic7", "type": "Microsoft.Common.Section", - "label": "Flare Source Code found", + "label": "Flare Lookalike Domain Results", "elements": [ { "name": "analytic7-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Result found on Code Sharing platform" + "text": "Look-alike domains are a primary vector for phishing and brand impersonation. Flare provides automated monitoring to detect these domains when they are registered or issued an SSL certificate." } } ] 
@@ -244,13 +244,41 @@ { "name": "analytic8", "type": "Microsoft.Common.Section", - "label": "Flare SSL Certificate result", + "label": "Flare Marketplace Results", "elements": [ { "name": "analytic8-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "SSL Certificate registration found" + "text": "The Marketplaces category includes underground markets and shops where illicit goods and services are bought and sold." + } + } + ] + }, + { + "name": "analytic9", + "type": "Microsoft.Common.Section", + "label": "Flare Paste Results", + "elements": [ + { + "name": "analytic9-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Result found on code Snippet (paste) sharing platform" + } + } + ] + }, + { + "name": "analytic10", + "type": "Microsoft.Common.Section", + "label": "Flare Source Code Results", + "elements": [ + { + "name": "analytic10-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Results found on code sharing platforms" } } ] diff --git a/Solutions/Flare/Package/mainTemplate.json b/Solutions/Flare/Package/mainTemplate.json index b633ac7ca16..61665a6d653 100644 --- a/Solutions/Flare/Package/mainTemplate.json +++ b/Solutions/Flare/Package/mainTemplate.json 
@@ -54,12 +54,12 @@
 "variables": {
 "email": "support@flare.io",
 "_email": "[variables('email')]",
+ "_solutionName": "Flare",
+ "_solutionVersion": "3.1.0",
 "solutionId": "flaresystmesinc1617114736428.flare-systems-firework-sentinel",
 "_solutionId": "[variables('solutionId')]",
 "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
- "_solutionName": "Flare",
- "_solutionVersion": "2.1.1",
- "dataConnectorCCPVersion": "1.0.0",
+ "dataConnectorCCPVersion": "3.1.0",
 "_dataConnectorContentIdConnectorDefinition1": "FireworkPush",
 "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]",
 "_dataConnectorContentIdConnections1": "FireworkPushConnections",
@@ -68,165 +68,285 @@ "workbookVersion1": "1.0.0", "workbookContentId1": "FireworkWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", "_workbookContentId1": "[variables('workbookContentId1')]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", "credential-warning": "credential-warning", "_credential-warning": "[variables('credential-warning')]", "playbookVersion1": "1.0", "playbookContentId1": "credential-warning", "_playbookContentId1": "[variables('playbookContentId1')]", "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", - "playbookTemplateSpecName1": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1')))]", + "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", + "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", "analyticRuleObject1": { - "analyticRuleVersion1": "2.0.0", - "_analyticRulecontentId1": "9cb7c337-f172-4af6-b0e8-b6b7552d762d", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f172-4af6-b0e8-b6b7552d762d')]", - "analyticRuleTemplateSpecName1": 
"[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f172-4af6-b0e8-b6b7552d762d'))]" + "analyticRuleVersion1": "1.0.0", + "_analyticRulecontentId1": "76210211-3ade-47b6-b7f2-c871cd05ec43", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '76210211-3ade-47b6-b7f2-c871cd05ec43')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('76210211-3ade-47b6-b7f2-c871cd05ec43')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','76210211-3ade-47b6-b7f2-c871cd05ec43','-', '1.0.0')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "2.0.0", - "_analyticRulecontentId2": "9cb7c337-f170-4af6-b0e8-b6b7552d762d", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f170-4af6-b0e8-b6b7552d762d')]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f170-4af6-b0e8-b6b7552d762d'))]" + "analyticRuleVersion2": "3.0.0", + "_analyticRulecontentId2": "9cb7c337-f172-4af6-b0e8-b6b7552d762d", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f172-4af6-b0e8-b6b7552d762d')]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f172-4af6-b0e8-b6b7552d762d')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9cb7c337-f172-4af6-b0e8-b6b7552d762d','-', '3.0.0')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "2.0.0", - "_analyticRulecontentId3": "9cb7c337-f174-4af6-b0e8-b6b7552d762d", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'9cb7c337-f174-4af6-b0e8-b6b7552d762d')]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f174-4af6-b0e8-b6b7552d762d'))]" + "analyticRuleVersion3": "3.0.0", + "_analyticRulecontentId3": "9cb7c337-f170-4af6-b0e8-b6b7552d762d", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f170-4af6-b0e8-b6b7552d762d')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f170-4af6-b0e8-b6b7552d762d')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9cb7c337-f170-4af6-b0e8-b6b7552d762d','-', '3.0.0')))]" }, "analyticRuleObject4": { - "analyticRuleVersion4": "2.0.0", - "_analyticRulecontentId4": "9cb7c337-f175-4af6-b0e8-b6b7552d762d", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f175-4af6-b0e8-b6b7552d762d')]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f175-4af6-b0e8-b6b7552d762d'))]" + "analyticRuleVersion4": "3.0.0", + "_analyticRulecontentId4": "9cb7c337-f174-4af6-b0e8-b6b7552d762d", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f174-4af6-b0e8-b6b7552d762d')]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f174-4af6-b0e8-b6b7552d762d')))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9cb7c337-f174-4af6-b0e8-b6b7552d762d','-', '3.0.0')))]" }, "analyticRuleObject5": { - "analyticRuleVersion5": "2.0.0", - "_analyticRulecontentId5": "9cb7c337-f176-4af6-b0e8-b6b7552d762d", - 
"analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f176-4af6-b0e8-b6b7552d762d')]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f176-4af6-b0e8-b6b7552d762d'))]" + "analyticRuleVersion5": "3.0.0", + "_analyticRulecontentId5": "9cb7c337-f175-4af6-b0e8-b6b7552d762d", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f175-4af6-b0e8-b6b7552d762d')]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f175-4af6-b0e8-b6b7552d762d')))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9cb7c337-f175-4af6-b0e8-b6b7552d762d','-', '3.0.0')))]" }, "analyticRuleObject6": { - "analyticRuleVersion6": "2.0.0", - "_analyticRulecontentId6": "9cb7c337-f177-4af6-b0e8-b6b7552d762d", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f177-4af6-b0e8-b6b7552d762d')]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f177-4af6-b0e8-b6b7552d762d'))]" + "analyticRuleVersion6": "3.0.0", + "_analyticRulecontentId6": "9cb7c337-f176-4af6-b0e8-b6b7552d762d", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f176-4af6-b0e8-b6b7552d762d')]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f176-4af6-b0e8-b6b7552d762d')))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9cb7c337-f176-4af6-b0e8-b6b7552d762d','-', '3.0.0')))]" }, "analyticRuleObject7": { - "analyticRuleVersion7": "2.0.0", - 
"_analyticRulecontentId7": "9cb7c337-f178-4af6-b0e8-b6b7552d762d", - "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f178-4af6-b0e8-b6b7552d762d')]", - "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f178-4af6-b0e8-b6b7552d762d'))]" + "analyticRuleVersion7": "1.0.0", + "_analyticRulecontentId7": "8e5ae0d6-7f2d-475e-ada3-ed33441deeba", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '8e5ae0d6-7f2d-475e-ada3-ed33441deeba')]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8e5ae0d6-7f2d-475e-ada3-ed33441deeba')))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8e5ae0d6-7f2d-475e-ada3-ed33441deeba','-', '1.0.0')))]" }, "analyticRuleObject8": { - "analyticRuleVersion8": "2.0.0", - "_analyticRulecontentId8": "9cb7c337-f179-4af6-b0e8-b6b7552d762d", - "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f179-4af6-b0e8-b6b7552d762d')]", - "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f179-4af6-b0e8-b6b7552d762d'))]" - } - }, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", - "apiVersion": "2022-01-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", - "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", - "kind": 
"DataConnector", - "version": "[variables('dataConnectorCCPVersion')]", - "source": { - "sourceId": "[variables('_solutionId')]", - "name": "[variables('_solutionName')]", - "kind": "Solution" - }, - "author": { - "name": "Flare", - "email": "[variables('_email')]" - }, - "support": { - "name": "Flare", - "email": "support@flare.io", - "tier": "Partner", - "link": "https://flare.io/contact/" - }, - "dependencies": { - "criteria": [ - { - "version": "[variables('dataConnectorCCPVersion')]", - "contentId": "[variables('_dataConnectorContentIdConnections1')]", - "kind": "ResourcesDataConnector" - } - ] - } - } + "analyticRuleVersion8": "1.0.0", + "_analyticRulecontentId8": "9265ae4d-6bb0-4c18-961d-f7aae67d1546", + "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9265ae4d-6bb0-4c18-961d-f7aae67d1546')]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9265ae4d-6bb0-4c18-961d-f7aae67d1546')))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9265ae4d-6bb0-4c18-961d-f7aae67d1546','-', '1.0.0')))]" }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('workbookTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, - "properties": { - "description": "Flare Workbook with template", - "displayName": "Flare workbook template" - } + "analyticRuleObject9": { + "analyticRuleVersion9": "3.0.0", + "_analyticRulecontentId9": "9cb7c337-f177-4af6-b0e8-b6b7552d762d", + "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f177-4af6-b0e8-b6b7552d762d')]", + "analyticRuleTemplateSpecName9": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f177-4af6-b0e8-b6b7552d762d')))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9cb7c337-f177-4af6-b0e8-b6b7552d762d','-', '3.0.0')))]" + }, + "analyticRuleObject10": { + "analyticRuleVersion10": "3.0.0", + "_analyticRulecontentId10": "9cb7c337-f178-4af6-b0e8-b6b7552d762d", + "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f178-4af6-b0e8-b6b7552d762d')]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f178-4af6-b0e8-b6b7552d762d')))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9cb7c337-f178-4af6-b0e8-b6b7552d762d','-', '3.0.0')))]" }, + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition1'), variables('dataConnectorCCPVersion'))]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, "dependsOn": [ - 
"[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FlareSystemsFireworkOverview Workbook with template version 2.1.1", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "displayName": "Flare Push Connector", + "contentKind": "DataConnector", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion1')]", + "contentVersion": "[variables('dataConnectorCCPVersion')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Select the time range for this Overview." 
- }, + "kind": "Customizable", "properties": { - "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Firework Logs by risk score\\n---\\n\\nThese are all your logs that came from Firework in the past 30 days, where each line represents a specific risk score\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"FireworkV2_CL\\n| make-series num=count() on timestamp_t from ago(30d) to now() step 8h by strcat(\\\"Risk Score \\\", tostring(toint(risk_score_d)))\\n| render timechart \",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Risk Score 2\",\"color\":\"turquoise\"},{\"seriesName\":\"Risk Score 3\",\"color\":\"yellow\"},{\"seriesName\":\"Risk Score 4\",\"color\":\"orange\"},{\"seriesName\":\"Risk Score 1\",\"color\":\"lightBlue\"}]}},\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"# Sources of all documents collected\\n\\nData per day for the last 30 days\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"FireworkV2_CL\\n| make-series num=count() on timestamp_t from ago(30d) to now() step 1d by source_name_s\\n| where isnotempty(source_name_s)\\n| render barchart \",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"FireworkV2_CL\\n| where timestamp_t >= ago(30d)\\n| summarize num=count() by source_name_s\\n| where notempty(source_name_s)\\n| render piechart \",\"size\":2,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 6\"},{\"type\":1,\"content\":{\"json\":\"# Total Leaked Credentials received\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"FireworkV2_CL\\n| 
where notempty(column_ifexists('data_new_leaks_s', ''))\\n| make-series Total_Leaked_Credentials=count() on timestamp_t from ago(30d) to now() step 8h \\n| render timechart\",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Total_Leaked_Credentials\",\"color\":\"redBright\"}]}},\"name\":\"query - 4\"}],\"fromTemplateId\":\"sentinel-FireworkWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" + "connectorUiConfig": { + "availability": { + "status": 1 + }, + "connectivityCriteria": [ + { + "type": "IsConnectedQuery", + "value": [ + "FireworkV2_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" + ] + } + ], + "dataTypes": [ + { + "name": "FireworkV2_CL", + "lastDataReceivedQuery": "FireworkV2_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "descriptionMarkdown": "The [Flare](https://flare.io) connector provides the capability to ingest threat intelligence and exposure data from Flare into Microsoft Sentinel. 
Flare identifies your company's digital assets made publicly available due to human error or malicious attacks, including leaked credentials, exposed cloud buckets, darkweb mentions, and more.", + "graphQueriesTableName": "FireworkV2_CL", + "graphQueries": [ + { + "metricName": "Total Flare Events", + "legend": "FireworkV2_CL", + "baseQuery": "FireworkV2_CL" + } + ], + "sampleQueries": [ + { + "description": "Flare - All Events", + "query": "{{graphQueriesTableName}} \n | sort by TimeGenerated desc" + }, + { + "description": "Flare - High Risk Events (Score >= 4)", + "query": "{{graphQueriesTableName}} \n | where RiskScore >= 4\n | project TimeGenerated, EventSeverity, EventType, ['title'], source_name, RiskScore, Url\n | sort by TimeGenerated desc" + }, + { + "description": "Flare - Credential Leaks", + "query": "{{graphQueriesTableName}} \n | where EventType == \"CredentialLeak\"\n | project TimeGenerated, EventSeverity, ['title'], source_name, keyword, RiskScore\n | sort by TimeGenerated desc" + }, + { + "description": "Flare - Events by Severity", + "query": "{{graphQueriesTableName}} \n | summarize Count = count() by EventSeverity\n | order by Count desc" + }, + { + "description": "Flare - Events by Type", + "query": "{{graphQueriesTableName}} \n | summarize Count = count() by EventType\n | order by Count desc" + } + ], + "id": "FireworkPush", + "instructionSteps": [ + { + "title": "1. Create ARM Resources and Provide the Required Permissions", + "description": "This connector enables Flare to send threat exposure data to Microsoft Sentinel. When data forwarding is enabled in Flare, raw event data is sent securely to the Microsoft Sentinel Ingestion API.", + "instructions": [ + { + "type": "Markdown", + "parameters": { + "content": "#### Automated Configuration and Secure Data Ingestion with Entra Application \nClicking on \"Deploy\" will create Log Analytics tables and a Data Collection Rule (DCR). 
It will then create an Entra application, link the DCR to it, and set the entered secret in the application. This setup enables data to be sent securely to the DCR using an Entra token." + } + }, + { + "parameters": { + "label": "Deploy Flare connector resources", + "applicationDisplayName": "Flare Connector Application" + }, + "type": "DeployPushConnectorButton" + } + ] + }, + { + "title": "2. Configure Flare to Send Logs to Microsoft Sentinel", + "description": "Use the following parameters to configure Flare to send logs to your workspace.", + "instructions": [ + { + "parameters": { + "label": "Entra App Registration Application ID", + "fillWith": [ + "ApplicationId" + ], + "placeholder": "Deploy push connector to get the App Registration Application ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Tenant ID (Directory ID)", + "fillWith": [ + "TenantId" + ] + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Entra App Registration Secret", + "fillWith": [ + "ApplicationSecret" + ], + "placeholder": "Deploy push connector to get the App Registration Secret" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Log Ingestion URL", + "fillWith": [ + "DataCollectionEndpoint", + "DataCollectionRuleId" + ], + "placeholder": "Deploy push connector to get the Data Collection Endpoint URI", + "value": "{0}/dataCollectionRules/{1}/streams/Custom-FireworkEventsStream?api-version=2023-01-01" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "3. Configure Alert Channel in Flare", + "description": "As an organization administrator, authenticate on [Flare](https://app.flare.io) and access the [alerts page](https://app.flare.io/#/alerts?activeTab=alert-channels) to create a new alert channel. Select 'Microsoft Sentinel' and copy the above fields in the form. 
For more details, refer to the [Flare documentation](https://docs.flare.io).", + "instructions": [] + } + ], + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "Microsoft Entra", + "description": "Permission to create an app registration in Microsoft Entra ID." + }, + { + "name": "Microsoft Azure", + "description": "Permission to assign Monitoring Metrics Publisher role on data collection rule (DCR)." + }, + { + "name": "Flare", + "description": "Permission to configure Microsoft Sentinel integration in Flare." + } + ] + }, + "publisher": "Flare Systems", + "title": "Flare Push Connector" + } } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "properties": { - "description": "@{workbookKey=FireworkWorkbook; logoFileName=Flare.svg; description=Select the time range for this Overview.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=FlareSystemsFirework; templateRelativePath=FlareSystemsFireworkOverview.json; subtitle=; provider=Flare Systems}.description", - "parentId": "[variables('workbookId1')]", - "contentId": "[variables('_workbookContentId1')]", - "kind": "Workbook", - "version": "[variables('workbookVersion1')]", + "parentId": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", "source": { - "kind": "Solution", - "name": "Flare", - "sourceId": "[variables('_solutionId')]" + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" }, "author": { "name": "Flare", 
@@ -239,466 +359,683 @@ "link": "https://flare.io/contact/" }, "dependencies": { - "operator": "AND", "criteria": [ { - "contentId": "Firework_CL", - "kind": "DataType" - }, - { - "contentId": "FlareSystemsFirework", - "kind": "DataConnector" + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector" } ] } } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('playbookTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "credential-warning Playbook with template version 2.1.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion1')]", - "parameters": { - "PlaybookName": { - "defaultValue": "credential-warning", - "type": "string" - } - }, - "variables": { - "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", - "o365ConnectionName": "[[concat('o365-', parameters('PlaybookName'))]", - "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-1": "[[variables('connection-1')]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", - "_connection-2": "[[variables('connection-2')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - 
"workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-1')]" - } - } }, { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('o365ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", + "name": "FireworkCustomDCR", + "apiVersion": "2022-06-01", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "[parameters('workspace-location')]", + "kind": "[variables('blanks')]", "properties": { - "displayName": "[[parameters('PlaybookName')]", - "api": { - "id": "[[variables('_connection-2')]" - } + "streamDeclarations": { + "Custom-FireworkEventsStream": { + "columns": [ + { + "name": "timestamp", + "type": "string" + }, + { + "name": "timestamp_formatted", + "type": "string" + }, + { + "name": "first_crawled_at", + "type": "string" + }, + { + "name": "materialized_at", + "type": "string" + }, + { + "name": "url", + "type": "string" + }, + { + "name": "event_title", + "type": "string" + }, + { + "name": "event_type", + "type": "string" + }, + { + "name": "source", + "type": "string" + }, + { + "name": "source_name", + "type": "string" + }, + { + "name": "id", + "type": "string" + }, + { + "name": "keyword", + "type": "string" + }, + { + "name": "category_name", + "type": "string" + }, + { + "name": "content_preview", + "type": "dynamic" + }, + { + "name": "content", + "type": "string" + }, + { + "name": "alert_content", + "type": "string" + }, + { + "name": "highlights", + "type": "dynamic" + }, + { + "name": "risk", + "type": "dynamic" + }, + { + "name": 
"tags", + "type": "dynamic" + }, + { + "name": "related", + "type": "dynamic" + }, + { + "name": "user_risk_score", + "type": "int" + }, + { + "name": "user_notes", + "type": "string" + }, + { + "name": "data", + "type": "dynamic" + }, + { + "name": "uid", + "type": "string" + }, + { + "name": "external_url", + "type": "string" + }, + { + "name": "identifiers", + "type": "dynamic" + }, + { + "name": "sort", + "type": "string" + }, + { + "name": "asset_uuids", + "type": "dynamic" + }, + { + "name": "code", + "type": "dynamic" + }, + { + "name": "author_id", + "type": "string" + }, + { + "name": "project_name", + "type": "string" + }, + { + "name": "sha", + "type": "string" + }, + { + "name": "actor", + "type": "string" + }, + { + "name": "victim_name", + "type": "string" + } + ] + } + }, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[variables('workspaceResourceId')]", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-FireworkEventsStream" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source\n| extend\n TimeGenerated = iff(not(isempty(timestamp)), todatetime(timestamp), now()),\n EventVendor = \"Flare\",\n EventProduct = \"Firework\",\n EventSchemaVersion = \"0.1\",\n EventSeverity = case(\n toint(risk.score) == 1, \"Informational\",\n toint(risk.score) == 2, \"Low\",\n toint(risk.score) == 3, \"Medium\",\n toint(risk.score) == 4, \"High\",\n toint(risk.score) == 5, \"Critical\",\n \"Informational\"\n ),\n EventOriginalUid = uid,\n EventOriginalType = event_type,\n RiskScore = toint(risk.score),\n Url = url\n", + "outputStream": "Custom-FireworkV2_CL" + } + ], + "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]" } }, { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[[parameters('PlaybookName')]", - 
"location": "[[variables('workspace-location-inline')]", - "tags": { - "LogicAppsCategory": "security", - "hidden-SentinelTemplateName": "PlaybookName", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]" - ], + "name": "FireworkV2_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, "properties": { - "state": "Disabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "actions": { - "For_each": { - "actions": { - "For_each_2": { - "actions": { - "For_each_3": { - "actions": { - "Send_an_email_(V2)": { - "inputs": { - "body": { - "Body": "

Hello,
\n
\nThis is a message to warn you we believe a password you had been using has  been leaked online, as part of a data breach.
\n
\nIf the following password is one you are still using commonly, we recommend changing it as soon as possible.
\n
\n@{items('For_each_3')['hash']}
\n
\nIn addition we want to remind you not to use your corporate email address to register to services outside of work.
\n
\nCordially,
\n
\nSecurity Team
\n

", - "Subject": "Possible compromised password", - "To": "blank@flare.systems" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - }, - "type": "ApiConnection" - } - }, - "foreach": "@items('For_each_2')['passwords']", - "type": "Foreach" - } - }, - "foreach": "@body('Parse_JSON')", - "runAfter": { - "Parse_JSON": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Parse_JSON": { - "inputs": { - "content": "@items('For_each')", - "schema": { - "items": { - "properties": { - "name": { - "type": "string" - }, - "passwords": { - "items": { - "properties": { - "extra": { - "type": "object" - }, - "hash": { - "type": "string" - }, - "hash_type": { - "type": "string" - }, - "id": { - "type": "integer" - }, - "imported_at": { - "type": "string" - }, - "source_id": { - "type": "string" - }, - "source_params": { - "properties": { - "line": { - "type": "integer" - } - }, - "type": "object" - } - }, - "required": [ - "id", - "hash", - "hash_type", - "extra", - "domain", - "source_id", - "source_params", - "imported_at" - ], - "type": "object" - }, - "type": "array" - } - }, - "required": [ - "name", - "passwords" - ], - "type": "object" - }, - "type": "array" - } - }, - "type": "ParseJson" - } - }, - "foreach": "@variables('leaks')['leaked_credentials']", - "runAfter": { - "Initialize_variable": [ - "Succeeded" - ] - }, - "type": "Foreach" + "plan": "Analytics", + "schema": { + "name": "FireworkV2_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime", + "description": "Timestamp when the event was ingested (ASIM)" }, - "Initialize_variable": { - "inputs": { - "variables": [ - { - "name": "leaks", - "type": "object", - "value": "@json(body('Parse_JSON_2')['Custom Details'])" - } - ] - }, - "runAfter": { - "Parse_JSON_2": [ - "Succeeded" - ] - }, - "type": "InitializeVariable" + { + "name": "EventVendor", + "type": "string", + "description": "Event vendor 
name - Flare (ASIM)" }, - "Parse_JSON_2": { - "inputs": { - "content": "@triggerBody()?['ExtendedProperties']", - "schema": { - "properties": { - "Analytic Rule Ids": { - "type": "string" - }, - "Analytic Rule Name": { - "type": "string" - }, - "Custom Details": { - "type": "string" - }, - "Data Sources": { - "type": "string" - }, - "Event Grouping": { - "type": "string" - }, - "ProcessedBySentinel": { - "type": "string" - }, - "Query": { - "type": "string" - }, - "Query End Time UTC": { - "type": "string" - }, - "Query Period": { - "type": "string" - }, - "Query Start Time UTC": { - "type": "string" - }, - "Search Query Results Overall Count": { - "type": "string" - }, - "Trigger Operator": { - "type": "string" - }, - "Trigger Threshold": { - "type": "string" - } - }, - "type": "object" - } - }, - "type": "ParseJson" - } - }, - "contentVersion": "1.0.0.0", - "triggers": { - "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/subscribe" - }, - "type": "ApiConnectionWebhook" + { + "name": "EventProduct", + "type": "string", + "description": "Event product name (ASIM)" + }, + { + "name": "EventSchemaVersion", + "type": "string", + "description": "Schema version (ASIM)" + }, + { + "name": "EventSeverity", + "type": "string", + "description": "Severity level: Informational, Low, Medium, High, Critical (ASIM)" + }, + { + "name": "EventOriginalUid", + "type": "string", + "description": "Original unique identifier (ASIM)" + }, + { + "name": "EventOriginalType", + "type": "string", + "description": "Original event type (ASIM)" + }, + { + "name": "RiskScore", + "type": "int", + "description": "Extracted risk score (1-5)" + }, + { + "name": "Url", + "type": "string", + "description": "Source URL (ASIM)" + }, + { + "name": "timestamp", + "type": "string", + "description": 
"Original timestamp from Flare" + }, + { + "name": "timestamp_formatted", + "type": "string", + "description": "Formatted timestamp string" + }, + { + "name": "first_crawled_at", + "type": "string", + "description": "When the item was first crawled" + }, + { + "name": "materialized_at", + "type": "string", + "description": "When the item was materialized" + }, + { + "name": "url", + "type": "string", + "description": "URL of the source" + }, + { + "name": "event_title", + "type": "string", + "description": "Title of the event" + }, + { + "name": "event_type", + "type": "string", + "description": "Type of the search item" + }, + { + "name": "source", + "type": "string", + "description": "Source identifier" + }, + { + "name": "source_name", + "type": "string", + "description": "Human-readable source name" + }, + { + "name": "id", + "type": "string", + "description": "Unique identifier of the item" + }, + { + "name": "keyword", + "type": "string", + "description": "Matched keyword" + }, + { + "name": "category_name", + "type": "string", + "description": "Category of the event" + }, + { + "name": "content_preview", + "type": "dynamic", + "description": "Preview of the content" + }, + { + "name": "content", + "type": "string", + "description": "Full content of the event" + }, + { + "name": "alert_content", + "type": "string", + "description": "Content formatted for alerting" + }, + { + "name": "highlights", + "type": "dynamic", + "description": "Highlighted matches in the content" + }, + { + "name": "risk", + "type": "dynamic", + "description": "Risk object containing score" + }, + { + "name": "tags", + "type": "dynamic", + "description": "List of tags" + }, + { + "name": "related", + "type": "dynamic", + "description": "List of related URLs" + }, + { + "name": "user_risk_score", + "type": "int", + "description": "User-assigned risk score override" + }, + { + "name": "user_notes", + "type": "string", + "description": "User notes on the event" + }, + { + "name": "data", 
+ "type": "dynamic", + "description": "Additional data payload" + }, + { + "name": "uid", + "type": "string", + "description": "Unique identifier (UID format)" + }, + { + "name": "external_url", + "type": "string", + "description": "External URL reference" + }, + { + "name": "identifiers", + "type": "dynamic", + "description": "Array of matched identifiers [{id, type, name, query, group}]" + }, + { + "name": "sort", + "type": "string" + }, + { + "name": "asset_uuids", + "type": "dynamic", + "description": "List of related asset UUIDs" + }, + { + "name": "code", + "type": "dynamic", + "description": "Code metadata" + }, + { + "name": "author_id", + "type": "string", + "description": "Author identifier" + }, + { + "name": "project_name", + "type": "string", + "description": "Project name (for code-related events)" + }, + { + "name": "sha", + "type": "string", + "description": "Commit SHA (for code-related events)" + }, + { + "name": "actor", + "type": "string", + "description": "Actor/threat actor name" + }, + { + "name": "victim_name", + "type": "string", + "description": "Victim name if applicable" } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition1'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + 
"kind": "Customizable", + "properties": { + "connectorUiConfig": { + "availability": { + "status": 1 + }, + "connectivityCriteria": [ + { + "type": "IsConnectedQuery", + "value": [ + "FireworkV2_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" + ] + } + ], + "dataTypes": [ + { + "name": "FireworkV2_CL", + "lastDataReceivedQuery": "FireworkV2_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "descriptionMarkdown": "The [Flare](https://flare.io) connector provides the capability to ingest threat intelligence and exposure data from Flare into Microsoft Sentinel. Flare identifies your company's digital assets made publicly available due to human error or malicious attacks, including leaked credentials, exposed cloud buckets, darkweb mentions, and more.", + "graphQueriesTableName": "FireworkV2_CL", + "graphQueries": [ + { + "metricName": "Total Flare Events", + "legend": "FireworkV2_CL", + "baseQuery": "FireworkV2_CL" + } + ], + "sampleQueries": [ + { + "description": "Flare - All Events", + "query": "{{graphQueriesTableName}} \n | sort by TimeGenerated desc" + }, + { + "description": "Flare - High Risk Events (Score >= 4)", + "query": "{{graphQueriesTableName}} \n | where RiskScore >= 4\n | project TimeGenerated, EventSeverity, EventType, ['title'], source_name, RiskScore, Url\n | sort by TimeGenerated desc" + }, + { + "description": "Flare - Credential Leaks", + "query": "{{graphQueriesTableName}} \n | where EventType == \"CredentialLeak\"\n | project TimeGenerated, EventSeverity, ['title'], source_name, keyword, RiskScore\n | sort by TimeGenerated desc" + }, + { + "description": "Flare - Events by Severity", + "query": "{{graphQueriesTableName}} \n | summarize Count = count() by EventSeverity\n | order by Count desc" + }, + { + "description": "Flare - Events by Type", + "query": "{{graphQueriesTableName}} \n | summarize Count = count() by EventType\n | order by Count desc" + } + 
], + "id": "FireworkPush", + "instructionSteps": [ + { + "title": "1. Create ARM Resources and Provide the Required Permissions", + "description": "This connector enables Flare to send threat exposure data to Microsoft Sentinel. When data forwarding is enabled in Flare, raw event data is sent securely to the Microsoft Sentinel Ingestion API.", + "instructions": [ + { + "type": "Markdown", + "parameters": { + "content": "#### Automated Configuration and Secure Data Ingestion with Entra Application \nClicking on \"Deploy\" will create Log Analytics tables and a Data Collection Rule (DCR). It will then create an Entra application, link the DCR to it, and set the entered secret in the application. This setup enables data to be sent securely to the DCR using an Entra token." } }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "connectionName": "[[variables('AzureSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "office365": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]", - "connectionName": "[[variables('o365ConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" - } - } - } + { + "parameters": { + "label": "Deploy Flare connector resources", + "applicationDisplayName": "Flare Connector Application" + }, + "type": "DeployPushConnectorButton" } - } + ] }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId1')]", - "contentId": "[variables('_playbookContentId1')]", - "kind": "Playbook", - "version": "[variables('playbookVersion1')]", - "source": { - "kind": "Solution", - "name": "Flare", - "sourceId": "[variables('_solutionId')]" + "title": "2. Configure Flare to Send Logs to Microsoft Sentinel", + "description": "Use the following parameters to configure Flare to send logs to your workspace.", + "instructions": [ + { + "parameters": { + "label": "Entra App Registration Application ID", + "fillWith": [ + "ApplicationId" + ], + "placeholder": "Deploy push connector to get the App Registration Application ID" + }, + "type": "CopyableLabel" }, - "author": { - "name": "Flare", - "email": "[variables('_email')]" + { + "parameters": { + "label": "Tenant ID (Directory ID)", + "fillWith": [ + "TenantId" + ] + }, + "type": "CopyableLabel" }, - "support": { - "name": "Flare", - "email": "support@flare.io", - "tier": "Partner", - "link": "https://flare.io/contact/" + { + "parameters": { + "label": "Entra App Registration Secret", + "fillWith": [ + "ApplicationSecret" + ], + "placeholder": "Deploy push connector to get the App Registration Secret" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Log Ingestion URL", + "fillWith": [ + "DataCollectionEndpoint", + "DataCollectionRuleId" + ], + "placeholder": "Deploy push connector to get the Data Collection Endpoint URI", + "value": "{0}/dataCollectionRules/{1}/streams/Custom-FireworkEventsStream?api-version=2023-01-01" + }, + "type": "CopyableLabel" } - } + ] + }, + { + "title": "3. Configure Alert Channel in Flare", + "description": "As an organization administrator, authenticate on [Flare](https://app.flare.io) and access the [alerts page](https://app.flare.io/#/alerts?activeTab=alert-channels) to create a new alert channel. 
Select 'Microsoft Sentinel' and copy the above fields in the form. For more details, refer to the [Flare documentation](https://docs.flare.io).", + "instructions": [] } ], - "metadata": { - "title": "credential-warning", - "description": "This playbook monitors all data received from Firework looking for leaked credentials (email:password combinations). When found, this playbook will send an email to the email address warning their password has been leaked, recommending appropriate measures if necessary. To learn more about how to connect Firework to Microsoft Sentinel, see the [API documentation](https://docs.flared.io/azure-sentinel-integration).", - "lastUpdateTime": "2022-07-31T00:00:00Z", - "releaseNotes": [ + "permissions": { + "resourceProvider": [ { - "version": "1.0.0", - "title": "credential-warning", - "notes": [ - "Initial version" - ] + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "Microsoft Entra", + "description": "Permission to create an app registration in Microsoft Entra ID." + }, + { + "name": "Microsoft Azure", + "description": "Permission to assign Monitoring Metrics Publisher role on data collection rule (DCR)." + }, + { + "name": "Flare", + "description": "Permission to configure Microsoft Sentinel integration in Flare." 
} ] - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId1')]", - "contentKind": "Playbook", - "displayName": "credential-warning", - "contentProductId": "[variables('_playbookcontentProductId1')]", - "id": "[variables('_playbookcontentProductId1')]", - "version": "[variables('playbookVersion1')]" + }, + "publisher": "Flare Systems", + "title": "Flare Push Connector" + } } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "properties": { - "description": "Flare Analytics Rule 1 with template", - "displayName": "Flare Analytics Rule template" + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Flare", + "email": "[variables('_email')]" + }, + "support": { + "name": "Flare", + "email": "support@flare.io", + "tier": 
"Partner", + "link": "https://flare.io/contact/" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector" + } + ] + } } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleObject1').analyticRuleTemplateSpecName1,'/',variables('analyticRuleObject1').analyticRuleVersion1)]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections1'), variables('dataConnectorCCPVersion'))]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject1').analyticRuleTemplateSpecName1)]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FlareCloudBucket_AnalyticalRules Analytics Rule with template version 2.1.1", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "displayName": "Flare Push Connector", + "contentKind": "ResourcesDataConnector", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - 
"location": "[parameters('workspace-location')]", - "properties": { - "description": "Results found on an publicly available cloud bucket", - "displayName": "Flare Cloud bucket result", - "enabled": false, - "query": "FireworkV2_CL\n| where source_s contains \"Grayhat_warfare\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Flare", - "dataTypes": [ - "FireworkV2_CL" - ] - } - ], - "tactics": [ - "Reconnaissance" - ], - "techniques": [ - "T1593" - ] + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": { + "guidValue": { + "defaultValue": "[[newGuid()]", + "type": "securestring" + }, + "innerWorkspace": { + "defaultValue": "[parameters('workspace')]", + "type": "securestring" + }, + "auth": { + "type": "object", + "defaultValue": { + "appId": "[[parameters('auth').appId]]", + "servicePrincipalId": "[[parameters('auth').servicePrincipalId]]" } }, + "connectorDefinitionName": { + "defaultValue": "Flare Push Connector", + "type": "securestring", + "minLength": 1 + }, + "workspace": { + "defaultValue": "[parameters('workspace')]", + "type": "securestring" + }, + "dcrConfig": { + "defaultValue": { + "dataCollectionEndpoint": "data collection Endpoint", + "dataCollectionRuleImmutableId": "data collection rule immutableId" + }, + "type": "object" + } + }, + "variables": { + "_dataConnectorContentIdConnections1": "[variables('_dataConnectorContentIdConnections1')]" + }, + "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections1')))]", "apiVersion": 
"2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "properties": { - "description": "Flare Analytics Rule 1", - "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections1'))]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector", + "version": "[variables('dataConnectorCCPVersion')]", "source": { - "kind": "Solution", - "name": "Flare", - "sourceId": "[variables('_solutionId')]" + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" }, "author": { "name": "Flare", 
@@ -711,90 +1048,89 @@
 "link": "https://flare.io/contact/"
 }
 }
+ },
+ {
+ "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'FireworkPushConnectorPolling', parameters('guidValue'))]",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Push",
+ "properties": {
+ "connectorDefinitionName": "FireworkPush",
+ "dcrConfig": {
+ "streamName": "Custom-FireworkEventsStream",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ },
+ "auth": {
+ "type": "Push",
+ "AppId": "[[parameters('auth').appId]",
+ "ServicePrincipalId": "[[parameters('auth').servicePrincipalId]"
+ },
+ "request": {
+ "RetryCount": 1
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.items"
+ ]
+ }
+ }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections1'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2022-02-01",
- "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "Flare Analytics Rule 2 with template",
- "displayName": "Flare Analytics Rule template"
- }
- },
- {
- "type":
"Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleObject2').analyticRuleTemplateSpecName2,'/',variables('analyticRuleObject2').analyticRuleVersion2)]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject2').analyticRuleTemplateSpecName2)]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FlareCredentialLeaks_AnalyticalRules Analytics Rule with template version 2.1.1", + "description": "FlareSystemsFireworkOverview Workbook with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "contentVersion": "[variables('workbookVersion1')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Select the time range for this Overview." 
+ },
 "properties": {
- "description": "Searches for Flare Leaked Credentials",
- "displayName": "Flare Leaked Credentials",
- "enabled": false,
- "query": "FireworkV2_CL\n| where notempty(data_new_leaks_s) and source_s != 'stealer_logs_samples'\n",
- "queryFrequency": "PT1H",
- "queryPeriod": "PT1H",
- "severity": "Medium",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
- {
- "connectorId": "Flare",
- "dataTypes": [
- "FireworkV2_CL"
- ]
- }
- ],
- "tactics": [
- "CredentialAccess"
- ],
- "techniques": [
- "T1110"
- ]
+ "displayName": "[parameters('workbook1-name')]",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Firework Logs by Risk Score\\n---\\n\\nDisplays Flare events from the past 30 days, broken down by risk score level.\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"FireworkV2_CL\\n| make-series num=count() on TimeGenerated from ago(30d) to now() step 8h by strcat(\\\"Risk Score \\\", tostring(RiskScore))\\n| render timechart\",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Risk Score 2\",\"color\":\"turquoise\"},{\"seriesName\":\"Risk Score 3\",\"color\":\"yellow\"},{\"seriesName\":\"Risk Score 4\",\"color\":\"orange\"},{\"seriesName\":\"Risk Score 1\",\"color\":\"lightBlue\"}]}},\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"# Collected Document Sources\\n\\nDisplays a daily bar chart of events over the last 30 days, broken down by source.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"FireworkV2_CL\\n| make-series num=count() on TimeGenerated from ago(30d) to now() step 1d by source\\n| where isnotempty(source)\\n| render barchart
\",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"FireworkV2_CL\\n| where TimeGenerated >= ago(30d)\\n| summarize num=count() by source\\n| where notempty(source)\\n| render piechart\",\"size\":2,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 6\"},{\"type\":1,\"content\":{\"json\":\"# Leaked Credential Events\\n---\\n\\nDisplays a time chart of leaked credential events over the last 30 days, plotted every 8 hours.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"FireworkV2_CL\\n| where notempty(uid) and substring(uid, 0, indexof(uid, \\\"/\\\")) == \\\"leaked_credential\\\" \\n| make-series Total_Leaked_Credentials=count() on TimeGenerated from ago(30d) to now() step 8h \\n| render timechart\",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Total_Leaked_Credentials\",\"color\":\"redBright\"}]}},\"name\":\"query - 4\"}],\"fromTemplateId\":\"sentinel-FireworkWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", "properties": { - "description": "Flare Analytics Rule 2", - "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", - "contentId": 
"[variables('analyticRuleObject2')._analyticRulecontentId2]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "description": "@{workbookKey=FireworkWorkbook; logoFileName=Flare.svg; description=Select the time range for this Overview.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=FlareSystemsFirework; templateRelativePath=FlareSystemsFireworkOverview.json; subtitle=; provider=Flare Systems}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", "source": { "kind": "Solution", "name": "Flare", 
@@ -809,492 +1145,350 @@
 "email": "support@flare.io",
 "tier": "Partner",
 "link": "https://flare.io/contact/"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "contentId": "Firework_CL",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "FlareSystemsFirework",
+ "kind": "DataConnector"
+ }
+ ]
 }
 }
 }
 ]
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2022-02-01",
- "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "Flare Analytics Rule 3 with template",
- "displayName": "Flare Analytics Rule template"
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_workbookContentId1')]",
+ "contentKind": "Workbook",
+ "displayName": "[parameters('workbook1-name')]",
+ "contentProductId": "[variables('_workbookcontentProductId1')]",
+ "id": "[variables('_workbookcontentProductId1')]",
+ "version": "[variables('workbookVersion1')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2022-02-01",
- "name": "[concat(variables('analyticRuleObject3').analyticRuleTemplateSpecName3,'/',variables('analyticRuleObject3').analyticRuleVersion3)]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('playbookTemplateSpecName1')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs',
variables('analyticRuleObject3').analyticRuleTemplateSpecName3)]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "FlareDork_AnalyticalRules Analytics Rule with template version 2.1.1",
+ "description": "credential-warning Playbook with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
- "parameters": {},
- "variables": {},
+ "contentVersion": "[variables('playbookVersion1')]",
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "credential-warning",
+ "type": "string"
+ }
+ },
+ "variables": {
+ "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]",
+ "o365ConnectionName": "[[concat('o365-', parameters('PlaybookName'))]",
+ "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "_connection-1": "[[variables('connection-1')]",
+ "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]",
+ "_connection-2": "[[variables('connection-2')]",
+ "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
+ "workspace-name": "[parameters('workspace')]",
+ "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
+ },
 "resources": [
 {
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
- "apiVersion": "2023-02-01-preview",
- "kind": "Scheduled",
- "location": "[parameters('workspace-location')]",
+ "type":
"Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", "properties": { - "description": "Results using a dork on google was found", - "displayName": "Flare Google Dork result found", - "enabled": false, - "query": "FireworkV2_CL\n| where source_s contains \"google_search\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Flare", - "dataTypes": [ - "FireworkV2_CL" - ] - } - ], - "tactics": [ - "Reconnaissance" - ], - "techniques": [ - "T1593" - ] + "displayName": "[[variables('AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-1')]" + } } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('o365ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", "properties": { - "description": "Flare Analytics Rule 3", - "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", - "source": { - "kind": "Solution", - "name": "Flare", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Flare", - "email": "[variables('_email')]" - }, 
- "support": { - "name": "Flare", - "email": "support@flare.io", - "tier": "Partner", - "link": "https://flare.io/contact/" + "displayName": "[[parameters('PlaybookName')]", + "api": { + "id": "[[variables('_connection-2')]" } } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Flare Analytics Rule 4 with template", - "displayName": "Flare Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleObject4').analyticRuleTemplateSpecName4,'/',variables('analyticRuleObject4').analyticRuleVersion4)]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject4').analyticRuleTemplateSpecName4)]" - ], - "properties": { - "description": "FlareHost_AnalyticalRules Analytics Rule with template version 2.1.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Results found relating to IP, domain or host", - "displayName": 
"Flare Host result", - "enabled": false, - "query": "FireworkV2_CL\n| where source_s contains \"driller_shodan\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Flare", - "dataTypes": [ - "FireworkV2_CL" - ] - } - ], - "tactics": [ - "Reconnaissance" - ], - "techniques": [ - "T1596" - ] - } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", - "properties": { - "description": "Flare Analytics Rule 4", - "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", - "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", - "source": { - "kind": "Solution", - "name": "Flare", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Flare", - "email": "[variables('_email')]" - }, - "support": { - "name": "Flare", - "email": "support@flare.io", - "tier": "Partner", - "link": "https://flare.io/contact/" - } - } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Flare Analytics Rule 5 with template", - "displayName": "Flare Analytics Rule template" - } 
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2022-02-01",
- "name": "[concat(variables('analyticRuleObject5').analyticRuleTemplateSpecName5,'/',variables('analyticRuleObject5').analyticRuleVersion5)]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject5').analyticRuleTemplateSpecName5)]"
- ],
- "properties": {
- "description": "FlareInfectedDevice_AnalyticalRules Analytics Rule with template version 2.1.1",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
- "apiVersion": "2023-02-01-preview",
- "kind": "Scheduled",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "description": "Infected Device found on darkweb or Telegram",
- "displayName": "Flare Infected Device",
- "enabled": false,
- "query": "FireworkV2_CL\n| where category_name_s contains \"Infected Device\" or source_s==\"genesis_market\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n",
- "queryFrequency": "PT1H",
- "queryPeriod": "PT1H",
- "severity": "Medium",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
- {
- "connectorId": "Flare",
- "dataTypes": [
- "FireworkV2_CL"
- ]
- }
- ],
- "tactics": [
- "CredentialAccess"
- ],
- "techniques": [
- "T1555"
- ]
- }
- },
- {
- "type":
"Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", - "properties": { - "description": "Flare Analytics Rule 5", - "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", - "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", - "source": { - "kind": "Solution", - "name": "Flare", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Flare", - "email": "[variables('_email')]" - }, - "support": { - "name": "Flare", - "email": "support@flare.io", - "tier": "Partner", - "link": "https://flare.io/contact/" - } - } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Flare Analytics Rule 6 with template", - "displayName": "Flare Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleObject6').analyticRuleTemplateSpecName6,'/',variables('analyticRuleObject6').analyticRuleVersion6)]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject6').analyticRuleTemplateSpecName6)]" - ], - "properties": { - "description": 
"FlarePaste_AnalyticalRules Analytics Rule with template version 2.1.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "PlaybookName", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]" + ], "properties": { - "description": "Result found on code Snippet (paste) sharing platform", - "displayName": "Flare Paste result", - "enabled": false, - "query": "FireworkV2_CL\n| where source_s in (\"gist_github\",\"Pastebin\",\"driller_stackexchange\") and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Flare", - "dataTypes": [ - "FireworkV2_CL" - ] + "state": "Disabled", + "definition": { + "$schema": 
"https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "actions": { + "For_each": { + "actions": { + "For_each_2": { + "actions": { + "For_each_3": { + "actions": { + "Send_an_email_(V2)": { + "inputs": { + "body": { + "Body": "

Hello,
\n
\nThis is a message to warn you we believe a password you had been using has  been leaked online, as part of a data breach.
\n
\nIf the following password is one you are still using commonly, we recommend changing it as soon as possible.
\n
\n@{items('For_each_3')['hash']}
\n
\nIn addition we want to remind you not to use your corporate email address to register to services outside of work.
\n
\nCordially,
\n
\nSecurity Team
\n

", + "Subject": "Possible compromised password", + "To": "blank@flare.systems" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + }, + "type": "ApiConnection" + } + }, + "foreach": "@items('For_each_2')['passwords']", + "type": "Foreach" + } + }, + "foreach": "@body('Parse_JSON')", + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Parse_JSON": { + "inputs": { + "content": "@items('For_each')", + "schema": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "passwords": { + "items": { + "properties": { + "extra": { + "type": "object" + }, + "hash": { + "type": "string" + }, + "hash_type": { + "type": "string" + }, + "id": { + "type": "integer" + }, + "imported_at": { + "type": "string" + }, + "source_id": { + "type": "string" + }, + "source_params": { + "properties": { + "line": { + "type": "integer" + } + }, + "type": "object" + } + }, + "required": [ + "id", + "hash", + "hash_type", + "extra", + "domain", + "source_id", + "source_params", + "imported_at" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "name", + "passwords" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "ParseJson" + } + }, + "foreach": "@variables('leaks')['leaked_credentials']", + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Initialize_variable": { + "inputs": { + "variables": [ + { + "name": "leaks", + "type": "object", + "value": "@json(body('Parse_JSON_2')['Custom Details'])" + } + ] + }, + "runAfter": { + "Parse_JSON_2": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Parse_JSON_2": { + "inputs": { + "content": "@triggerBody()?['ExtendedProperties']", + "schema": { + "properties": { + "Analytic Rule Ids": { + "type": "string" + }, + "Analytic Rule Name": { + "type": "string" + }, + "Custom Details": { + "type": "string" + }, + 
"Data Sources": { + "type": "string" + }, + "Event Grouping": { + "type": "string" + }, + "ProcessedBySentinel": { + "type": "string" + }, + "Query": { + "type": "string" + }, + "Query End Time UTC": { + "type": "string" + }, + "Query Period": { + "type": "string" + }, + "Query Start Time UTC": { + "type": "string" + }, + "Search Query Results Overall Count": { + "type": "string" + }, + "Trigger Operator": { + "type": "string" + }, + "Trigger Threshold": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "ParseJson" + } + }, + "contentVersion": "1.0.0.0", + "triggers": { + "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + }, + "type": "ApiConnectionWebhook" + } } - ], - "tactics": [ - "Reconnaissance" - ], - "techniques": [ - "T1593" - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", - "properties": { - "description": "Flare Analytics Rule 6", - "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", - "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", - "source": { - "kind": "Solution", - "name": "Flare", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Flare", - "email": "[variables('_email')]" }, - "support": { - "name": "Flare", - "email": "support@flare.io", - "tier": "Partner", - "link": "https://flare.io/contact/" - } - } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - 
"name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Flare Analytics Rule 7 with template", - "displayName": "Flare Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleObject7').analyticRuleTemplateSpecName7,'/',variables('analyticRuleObject7').analyticRuleVersion7)]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject7').analyticRuleTemplateSpecName7)]" - ], - "properties": { - "description": "FlareSourceCode_AnalyticalRules Analytics Rule with template version 2.1.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Result found on Code Sharing platform", - "displayName": "Flare Source Code found", - "enabled": false, - "query": "FireworkV2_CL\n| where source_s contains \"driller_github\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": 
false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
- {
- "connectorId": "Flare",
- "dataTypes": [
- "FireworkV2_CL"
- ]
- }
- ],
- "tactics": [
- "Reconnaissance"
- ],
- "techniques": [
- "T1593"
- ]
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[[variables('AzureSentinelConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ },
+ "office365": {
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]",
+ "connectionName": "[[variables('o365ConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]"
+ }
+ }
+ }
+ }
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]",
 "properties": {
- "description": "Flare Analytics Rule 7",
- "parentId": "[variables('analyticRuleObject7').analyticRuleId7]",
- "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject7').analyticRuleVersion7]",
+ "parentId": "[variables('playbookId1')]",
+ "contentId": "[variables('_playbookContentId1')]",
+ "kind":
"Playbook", + "version": "[variables('playbookVersion1')]", "source": { "kind": "Solution", "name": "Flare", 
@@ -1312,55 +1506,62 @@ } } } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Flare Analytics Rule 8 with template", - "displayName": "Flare Analytics Rule template" + ], + "metadata": { + "title": "credential-warning", + "description": "**This playbook is deprecated and will be replaced in a future update. Functionality may be limited or unavailable.**\nThis playbook monitors all data received from Firework looking for leaked credentials (email:password combinations). When found, this playbook will send an email to the email address warning their password has been leaked, recommending appropriate measures if necessary. To learn more about how to connect Firework to Microsoft Sentinel, see the [official documentation](https://docs.flare.io/sentinel-integration).", + "lastUpdateTime": "2022-07-31T00:00:00Z", + "releaseNotes": [ + { + "version": "1.0.0", + "title": "credential-warning", + "notes": [ + "Initial version" + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "Playbook", + "displayName": "credential-warning", + "contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": 
"[concat(variables('analyticRuleObject8').analyticRuleTemplateSpecName8,'/',variables('analyticRuleObject8').analyticRuleVersion8)]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject8').analyticRuleTemplateSpecName8)]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FlareSSLcert_AnalyticalRules Analytics Rule with template version 2.1.1", + "description": "FlareChat_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "SSL Certificate registration found", - "displayName": "Flare SSL Certificate result", + "description": "The Chat category includes conversations and posts from real-time messaging environments used by threat actors and fraud communities.", + "displayName": "Flare Chat Results", "enabled": false, - "query": 
"FireworkV2_CL\n| where source_s contains \"certstream\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n",
+ "query": "FireworkV2_CL\n| where notempty(uid) and RiskScore >= 3\n| extend index_name = split(uid, \"/\")[0]\n| where index_name == \"chat_message\"\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "PT1H",
 "severity": "Medium",
@@ -1371,30 +1572,30 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "Flare",
 "dataTypes": [
 "FireworkV2_CL"
- ]
+ ],
+ "connectorId": "Flare"
 }
 ],
 "tactics": [
- "ResourceDevelopment"
+ "Reconnaissance"
 ],
 "techniques": [
- "T1583"
+ "T1593"
 ]
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
 "properties": {
- "description": "Flare Analytics Rule 8",
- "parentId": "[variables('analyticRuleObject8').analyticRuleId8]",
- "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "description": "Flare Analytics Rule 1",
+ "parentId": "[variables('analyticRuleObject1').analyticRuleId1]",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleObject8').analyticRuleVersion8]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
 "source": {
 "kind": "Solution",
 "name": "Flare",
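Review bot: The credential-warning playbook metadata added in the `@@ -1312,55` hunk keeps `"lastUpdateTime": "2022-07-31T00:00:00Z"` and a single `1.0.0` release-notes entry ("Initial version") even though the description now carries a deprecation notice, so anything that sorts or diffs gallery content by that field may not surface the change; the same stale `lastUpdateTime` is a context line in the Playbooks/credential-warning/azuredeploy.json hunk. Bump the timestamp to the 3.1.0 release date and add a release-notes entry such as `{"version": "1.0.1", "title": "credential-warning", "notes": ["Marked playbook as deprecated"]}` in both files. The hunk starts at the `@@ -1312,55` header and the enclosing resources array continues outside it.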
@@ -1421,7 +1622,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
 "contentKind": "AnalyticsRule",
- "displayName": "Flare Cloud bucket result",
+ "displayName": "Flare Chat Results",
 "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
 "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
 "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
@@ -1436,7 +1637,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "FlareCredentialLeaks_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "FlareCloudBucket_AnalyticalRules Analytics Rule with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -1450,10 +1651,10 @@
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "description": "Searches for Flare Leaked Credentials",
- "displayName": "Flare Leaked Credentials",
+ "description": "Results found on an publicly available cloud bucket",
+ "displayName": "Flare Cloud Bucket Results",
 "enabled": false,
- "query": "FireworkV2_CL\n| where notempty(data.new_leaks) and tolower(source) != 'stealer_logs_samples'\n",
+ "query": "FireworkV2_CL\n| where notempty(uid) and RiskScore >= 3\n| extend index_name = split(uid, \"/\")[0]\n| where index_name == \"driller_bucket_object\" or index_name == \"bucket\"\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "PT1H",
 "severity": "Medium",
@@ -1471,10 +1672,10 @@
 }
 ],
 "tactics": [
- "CredentialAccess"
+ "Reconnaissance"
 ],
 "techniques": [
- "T1110"
+ "T1593"
 ]
 }
 },
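Review bot: The new query in the `@@ -1450,10` hunk compares the dynamic value produced by `split(uid, \"/\")[0]` directly against string literals (`index_name == \"driller_bucket_object\" or index_name == \"bucket\"`), leaning on Kusto's implicit dynamic-to-string handling; the same pattern is repeated in the rule queries of the `@@ -1543`, `@@ -1636`, `@@ -1729`, `@@ -1822`, `@@ -1915`, `@@ -2008` and `@@ -2072` hunks, where the Dork and Source Code rules also apply `contains` to a dynamic `category_name`. Making the type explicit, `| extend index_name = tostring(split(uid, \"/\")[0])`, keeps the `==`, `in (...)` and `contains` comparisons unambiguous and is the usual way this idiom is written in Sentinel rules. Separately, the description string `Results found on an publicly available cloud bucket` should read `a publicly available cloud bucket`; since mainTemplate.json appears to be generated, the wording should be fixed in the Cloud Bucket rule YAML and the template regenerated.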
@@ -1514,7 +1715,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
 "contentKind": "AnalyticsRule",
- "displayName": "Flare Leaked Credentials",
+ "displayName": "Flare Cloud Bucket Results",
 "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
 "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
 "version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
@@ -1529,7 +1730,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "FlareDork_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "FlareCredentialLeaks_AnalyticalRules Analytics Rule with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -1543,10 +1744,10 @@
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "description": "Results using a dork on google was found",
- "displayName": "Flare Google Dork result found",
+ "description": "Leaked credentials results",
+ "displayName": "Flare Leaked Credentials Results",
 "enabled": false,
- "query": "FireworkV2_CL\n| where tolower(source) contains \"google_search\" and (RiskScore == 3 or RiskScore == 4 or RiskScore == 5)\n",
+ "query": "FireworkV2_CL\n| where notempty(uid) and RiskScore >= 3\n| extend index_name = split(uid, \"/\")[0]\n| where index_name == \"leaked_credential\"\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "PT1H",
 "severity": "Medium",
@@ -1564,10 +1765,10 @@
 }
 ],
 "tactics": [
- "Reconnaissance"
+ "CredentialAccess"
 ],
 "techniques": [
- "T1593"
+ "T1110"
 ]
 }
 },
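Review bot: The rewritten Leaked Credentials query in the `@@ -1543,10` hunk now requires `RiskScore >= 3` and drops the previous `tolower(source) != 'stealer_logs_samples'` exclusion, so leaked credentials scored below 3 stop alerting while sample stealer-log records, if they are indexed under `leaked_credential`, start alerting; neither change is reflected in the new one-line description `Leaked credentials results`. If the sample exclusion is still needed it can sit alongside the index filter: `| where index_name == \"leaked_credential\" and tolower(source) != 'stealer_logs_samples'`. A short note in the description that low-score leaks are intentionally filtered would save analysts from tuning the rule twice.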
@@ -1607,7 +1808,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
 "contentKind": "AnalyticsRule",
- "displayName": "Flare Google Dork result found",
+ "displayName": "Flare Leaked Credentials Results",
 "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]",
 "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]",
 "version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
@@ -1622,7 +1823,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "FlareHost_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "FlareDork_AnalyticalRules Analytics Rule with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -1636,10 +1837,10 @@
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "description": "Results found relating to IP, domain or host",
- "displayName": "Flare Host result",
+ "description": "Results using a Dork on Google was found",
+ "displayName": "Flare Google Dork Results",
 "enabled": false,
- "query": "FireworkV2_CL\n| where source contains \"driller_shodan\" and (RiskScore == 3 or RiskScore == 4 or RiskScore == 5)\n",
+ "query": "FireworkV2_CL\n| where notempty(uid) and RiskScore >= 3\n| extend index_name = split(uid, \"/\")[0]\n| extend category_name = split(uid, \"/\")[1]\n| where (index_name == \"driller_google\") or (index_name == \"driller\" and category_name contains \"google\")\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "PT1H",
 "severity": "Medium",
@@ -1660,7 +1861,7 @@
 "Reconnaissance"
 ],
 "techniques": [
- "T1596"
+ "T1593"
 ]
 }
 },
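Review bot: The Dork rule description in the `@@ -1636,10` hunk, `Results using a Dork on Google was found`, is ungrammatical and does not say what the query actually matches; `Results found using a Google dork (driller_google index, or driller index with a google category)` would describe it. Since this template looks generated, the wording should be corrected in the Dork rule YAML and the template regenerated.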
@@ -1700,7 +1901,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
 "contentKind": "AnalyticsRule",
- "displayName": "Flare Host result",
+ "displayName": "Flare Google Dork Results",
 "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
 "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
 "version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
@@ -1715,7 +1916,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "FlareInfectedDevice_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "FlareHost_AnalyticalRules Analytics Rule with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -1729,10 +1930,10 @@
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "description": "Infected Device found on darkweb or Telegram",
- "displayName": "Flare Infected Device",
+ "description": "Results found relating to IP, domain or host",
+ "displayName": "Flare Host Results",
 "enabled": false,
- "query": "FireworkV2_CL\n| where tolower(category_name) contains \"infected device\" or source==\"genesis_market\" and (RiskScore == 3 or RiskScore == 4 or RiskScore == 5)\n",
+ "query": "FireworkV2_CL\n| where notempty(uid) and RiskScore >= 3\n| extend index_name = split(uid, \"/\")[0]\n| where index_name == \"service\"\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "PT1H",
 "severity": "Medium",
@@ -1750,10 +1951,10 @@
 }
 ],
 "tactics": [
- "CredentialAccess"
+ "Reconnaissance"
 ],
 "techniques": [
- "T1555"
+ "T1596"
 ]
 }
 },
@@ -1793,7 +1994,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
 "contentKind": "AnalyticsRule",
- "displayName": "Flare Infected Device",
+ "displayName": "Flare Host Results",
 "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]",
 "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]",
 "version": "[variables('analyticRuleObject5').analyticRuleVersion5]"
@@ -1808,7 +2009,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "FlarePaste_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "FlareInfectedDevice_AnalyticalRules Analytics Rule with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -1822,10 +2023,10 @@
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "description": "Result found on code Snippet (paste) sharing platform",
- "displayName": "Flare Paste result",
+ "description": "Infected Device Results on Darkweb or Telegram",
+ "displayName": "Flare Infected Device Results",
 "enabled": false,
- "query": "FireworkV2_CL\n| where tolower(source) in (\"gist_github\",\"Pastebin\",\"driller_stackexchange\") and (RiskScore == 3 or RiskScore == 4 or RiskScore == 5)\n",
+ "query": "FireworkV2_CL\n| where notempty(uid) and RiskScore >= 3\n| extend index_name = split(uid, \"/\")[0]\n| where index_name in (\"bot\", \"stealer_log\")\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "PT1H",
 "severity": "Medium",
@@ -1843,10 +2044,10 @@
 }
 ],
 "tactics": [
- "Reconnaissance"
+ "CredentialAccess"
 ],
 "techniques": [
- "T1593"
+ "T1555"
 ]
 }
 },
@@ -1886,7 +2087,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
 "contentKind": "AnalyticsRule",
- "displayName": "Flare Paste result",
+ "displayName": "Flare Infected Device Results",
 "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
 "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
 "version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
@@ -1901,7 +2102,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "FlareSourceCode_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "FlareLookalikeDomain_AnalyticalRules Analytics Rule with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@@ -1915,10 +2116,10 @@
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "description": "Result found on Code Sharing platform",
- "displayName": "Flare Source Code found",
+ "description": "Look-alike domains are a primary vector for phishing and brand impersonation. Flare provides automated monitoring to detect these domains when they are registered or issued an SSL certificate.",
+ "displayName": "Flare Lookalike Domain Results",
 "enabled": false,
- "query": "FireworkV2_CL\n| where tolower(source) contains \"driller_github\" and (RiskScore == 3 or RiskScore == 4 or RiskScore == 5)\n",
+ "query": "FireworkV2_CL\n| where notempty(uid) and RiskScore >= 3\n| extend index_name = split(uid, \"/\")[0]\n| where index_name == \"domain\"\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "PT1H",
 "severity": "Medium",
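Review bot: The Lookalike Domain description in the `@@ -1915,10` hunk promises detection when a domain is "registered or issued an SSL certificate", but the query only matches `index_name == \"domain\"`; this rule replaces the former SSL certificate rule, whose query keyed on `certstream` sources, so if certificate-issuance events are delivered under a different index they are no longer covered by any rule in the package. Either confirm that both event kinds arrive under the `domain` index and say so in the description, or widen the filter to the certificate index as well, e.g. `| where index_name in (\"domain\", \"<certificate index name>\")` with the real index name substituted.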
@@ -1979,7 +2180,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
 "contentKind": "AnalyticsRule",
- "displayName": "Flare Source Code found",
+ "displayName": "Flare Lookalike Domain Results",
 "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]",
 "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]",
 "version": "[variables('analyticRuleObject7').analyticRuleVersion7]"
@@ -1994,7 +2195,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "FlareSSLcert_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "FlareMarket_AnalyticalRules Analytics Rule with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@@ -2008,10 +2209,10 @@
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "description": "SSL Certificate registration found",
- "displayName": "Flare SSL Certificate result",
+ "description": "The Marketplaces category includes underground markets and shops where illicit goods and services are bought and sold.",
+ "displayName": "Flare Marketplace Results",
 "enabled": false,
- "query": "FireworkV2_CL\n| where tolower(source) contains \"certstream\" and (RiskScore == 3 or RiskScore == 4 or RiskScore == 5)\n",
+ "query": "FireworkV2_CL\n| where notempty(uid) and RiskScore >= 3\n| extend index_name = split(uid, \"/\")[0]\n| where index_name == \"listing\"\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "PT1H",
 "severity": "Medium",
@@ -2029,10 +2230,10 @@
 }
 ],
 "tactics": [
- "ResourceDevelopment"
+ "Reconnaissance"
 ],
 "techniques": [
- "T1583"
+ "T1593"
 ]
 }
 },
@@ -2072,20 +2273,213 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", "contentKind": "AnalyticsRule", - "displayName": "Flare SSL Certificate result", + "displayName": "Flare Marketplace Results", "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" } }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "FlarePaste_AnalyticalRules Analytics Rule with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Result found on code Snippet (paste) sharing platform", + "displayName": "Flare Paste Results", + "enabled": false, + "query": "FireworkV2_CL\n| where notempty(uid) and RiskScore >= 3\n| extend index_name = split(uid, \"/\")[0]\n| where index_name == \"paste\"\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": 
false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "FireworkV2_CL" + ], + "connectorId": "Flare" + } + ], + "tactics": [ + "Reconnaissance" + ], + "techniques": [ + "T1593" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", + "properties": { + "description": "Flare Analytics Rule 9", + "parentId": "[variables('analyticRuleObject9').analyticRuleId9]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]", + "source": { + "kind": "Solution", + "name": "Flare", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Flare", + "email": "[variables('_email')]" + }, + "support": { + "name": "Flare", + "email": "support@flare.io", + "tier": "Partner", + "link": "https://flare.io/contact/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "contentKind": "AnalyticsRule", + "displayName": "Flare Paste Results", + "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": 
"[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "FlareSourceCode_AnalyticalRules Analytics Rule with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Results found on code sharing platforms", + "displayName": "Flare Source Code Results", + "enabled": false, + "query": "FireworkV2_CL\n| where notempty(uid) and RiskScore >= 3\n| extend index_name = split(uid, \"/\")[0]\n| extend category_name = split(uid, \"/\")[1]\n| where index_name == \"driller\" and category_name contains \"github\"\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "FireworkV2_CL" + ], + "connectorId": "Flare" + } + ], + "tactics": [ + "Reconnaissance" + ], + "techniques": [ + "T1593" + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', 
last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]", + "properties": { + "description": "Flare Analytics Rule 10", + "parentId": "[variables('analyticRuleObject10').analyticRuleId10]", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]", + "source": { + "kind": "Solution", + "name": "Flare", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Flare", + "email": "[variables('_email')]" + }, + "support": { + "name": "Flare", + "email": "support@flare.io", + "tier": "Partner", + "link": "https://flare.io/contact/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "contentKind": "AnalyticsRule", + "displayName": "Flare Source Code Results", + "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "2.1.1", + "version": "3.1.0", "kind": "Solution", "contentSchemaVersion": "3.0.0", + "displayName": "Flare", + "publisherDisplayName": "Flare", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Flare Systems Firework solution allows you to receive data and intelligence from Firework on Microsoft Sentinel.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs.

\n

a .Azure Monitor HTTP Data Collector API

\n

Data Connectors: 1, Workbooks: 1, Analytic Rules: 10, Playbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", "contentId": "[variables('_solutionId')]", "parentId": "[variables('_solutionId')]", "source": { @@ -2160,6 +2554,16 @@ "kind": "AnalyticsRule", "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" } ] }, diff --git a/Solutions/Flare/Playbooks/credential-warning/azuredeploy.json b/Solutions/Flare/Playbooks/credential-warning/azuredeploy.json index 7da762ea091..bde945de674 100644 --- a/Solutions/Flare/Playbooks/credential-warning/azuredeploy.json +++ b/Solutions/Flare/Playbooks/credential-warning/azuredeploy.json 
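Review bot: The `descriptionHtml` value added to the contentPackages resource in the `@@ -2072,20` hunk appears here with raw line breaks between its `\n` escapes; if those breaks are present in the file rather than introduced by rendering, the string literal is invalid JSON, since every other string in this template keeps its newlines as `\n` escapes. The rest of the hunk is consistent with the existing rules (rules 9 and 10 are added with `"enabled": false` and the summary line counts ten analytic rules), so the only thing to confirm before merge is that mainTemplate.json still parses as JSON.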
@@ -3,7 +3,7 @@
 "contentVersion": "1.0.0.0",
 "metadata": {
 "title": "credential-warning",
- "description": "This playbook monitors all data received from Firework looking for leaked credentials (email:password combinations). When found, this playbook will send an email to the email address warning their password has been leaked, recommending appropriate measures if necessary. To learn more about how to connect Firework to Microsoft Sentinel, see the [API documentation](https://docs.flared.io/azure-sentinel-integration).",
+ "description": "**This playbook is deprecated and will be replaced in a future update. Functionality may be limited or unavailable.**\nThis playbook monitors all data received from Firework looking for leaked credentials (email:password combinations). When found, this playbook will send an email to the email address warning their password has been leaked, recommending appropriate measures if necessary. To learn more about how to connect Firework to Microsoft Sentinel, see the [official documentation](https://docs.flare.io/sentinel-integration).",
 "prerequisites": [],
 "lastUpdateTime": "2022-07-31T00:00:00.000Z",
 "entities": [],
@@ -316,4 +316,4 @@
 }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Solutions/Flare/ReleaseNotes.md b/Solutions/Flare/ReleaseNotes.md
index 15ea86dc510..c51428ceac3 100644
--- a/Solutions/Flare/ReleaseNotes.md
+++ b/Solutions/Flare/ReleaseNotes.md
@@ -5,7 +5,9 @@ Earlier versions did not have published release notes. | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | | ----------- | ------------------------------ | ------------------------------------------------------------------------- | -| 3.0.0 | 15-12-2024 | New CFF connector that replaces deprecated Rest API connector. | +| 3.1.0 | 21-04-2026 | Updated Analytic Rules and Workbooks queries to be more accurate | +| | | Added three new Analytic Rules and removed one | +| 3.0.0 | 15-12-2025 | New CFF connector that replaces deprecated Rest API connector. | | | | New Polling config for CFF connector. | | | | New DCR config for CFF connector. | | | | Added Table definition for FireworkV2_CL. | diff --git a/Solutions/Flare/Workbooks/FlareSystemsFireworkOverview.json b/Solutions/Flare/Workbooks/FlareSystemsFireworkOverview.json index 099bc1c856b..1ec66bf9e5a 100644 --- a/Solutions/Flare/Workbooks/FlareSystemsFireworkOverview.json +++ b/Solutions/Flare/Workbooks/FlareSystemsFireworkOverview.json @@ -4,7 +4,7 @@ { "type": 1, "content": { - "json": "# Firework Logs by risk score\n---\n\nThese are all your logs that came from Firework in the past 30 days, where each line represents a specific risk score" + "json": "# Firework Logs by Risk Score\n---\n\nDisplays Flare events from the past 30 days, broken down by risk score level." }, "name": "text - 2" }, @@ -12,7 +12,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "FireworkV2_CL\n| make-series num=count() on timestamp_t from ago(30d) to now() step 8h by strcat(\"Risk Score \", tostring(toint(risk_score_d)))\n| render timechart ", + "query": "FireworkV2_CL\n| make-series num=count() on TimeGenerated from ago(30d) to now() step 8h by strcat(\"Risk Score \", tostring(RiskScore))\n| render timechart", "size": 0, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", 
@@ -42,7 +42,7 @@
 {
 "type": 1,
 "content": {
-"json": "# Sources of all documents collected\n\nData per day for the last 30 days"
+"json": "# Collected Document Sources\n\nDisplays a daily bar chart of events over the last 30 days, broken down by source."
 },
 "name": "text - 3"
 },
@@ -50,7 +50,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
-"query": "FireworkV2_CL\n| make-series num=count() on timestamp_t from ago(30d) to now() step 1d by source_name_s\n| where isnotempty(source_name_s)\n| render barchart ",
+"query": "FireworkV2_CL\n| make-series num=count() on TimeGenerated from ago(30d) to now() step 1d by source\n| where isnotempty(source)\n| render barchart ",
 "size": 0,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces"
@@ -61,7 +61,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
-"query": "FireworkV2_CL\n| where timestamp_t >= ago(30d)\n| summarize num=count() by source_name_s\n| where notempty(source_name_s)\n| render piechart ",
+"query": "FireworkV2_CL\n| where TimeGenerated >= ago(30d)\n| summarize num=count() by source\n| where notempty(source)\n| render piechart",
 "size": 2,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces"
@@ -71,7 +71,7 @@
 {
 "type": 1,
 "content": {
-"json": "# Total Leaked Credentials received"
+"json": "# Leaked Credential Events\n---\n\nDisplays a time chart of leaked credential events over the last 30 days, plotted every 8 hours."
 },
 "name": "text - 5"
 },
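Review bot: In the `@@ -50` query the `isnotempty(source)` filter runs after `make-series`, so a series is built for rows with an empty source and then thrown away; placing the filter first, `FireworkV2_CL\n| where isnotempty(source)\n| make-series ...`, draws the same chart with less work. The `@@ -61` hunk does the same thing after `summarize` and spells the predicate `notempty(source)` while `@@ -50` uses `isnotempty(source)`; both are valid KQL, but one spelling across the workbook would read more consistently. The `@@ -50` query also still carries the trailing space in `render barchart ` that the `@@ -61` rewrite removed.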
@@ -79,7 +79,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
-"query": "FireworkV2_CL\n| where notempty(column_ifexists('data_new_leaks_s', ''))\n| make-series Total_Leaked_Credentials=count() on timestamp_t from ago(30d) to now() step 8h \n| render timechart",
+"query": "FireworkV2_CL\n| where notempty(uid) and substring(uid, 0, indexof(uid, \"/\")) == \"leaked_credential\" \n| make-series Total_Leaked_Credentials=count() on TimeGenerated from ago(30d) to now() step 8h \n| render timechart",
 "size": 0,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
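Review bot: The new predicate `substring(uid, 0, indexof(uid, "/")) == "leaked_credential"` is hard to read and, for a `uid` that contains no `/`, feeds `substring` the `-1` that `indexof` returns; it would not match in that case, but the intent is clearer and the edge case disappears with `| extend index_name = tostring(split(uid, "/")[0])` followed by `| where index_name == "leaked_credential"`. The added line also keeps trailing spaces before two of its `\n` separators (`"leaked_credential" \n` and `step 8h \n`), which the query rewrites in the `@@ -12` and `@@ -61` hunks did not keep. Any reader comparing this workbook tile with the solution's analytic rules would presumably expect the same index-name derivation in both places, so a quick check of the other rewritten queries is worthwhile.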
