Flare Solution 3.1.0

Solutions/Flare/Analytic Rules/FlareChat.yaml

@@ -0,0 +1,25 @@
+id: 76210211-3ade-47b6-b7f2-c871cd05ec43
+name: Flare Chat Results
+description: |
+    'The Chat category includes conversations and posts from real-time messaging environments used by threat actors and fraud communities.'
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: Flare
+    dataTypes:
+      - FireworkV2_CL
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Reconnaissance
+relevantTechniques:
+  - T1593
+query: |
+  FireworkV2_CL
+  | where notempty(uid) and RiskScore >= 3
+  | extend index_name = split(uid, "/")[0]
+  | where index_name == "chat_message"
+version: 1.0.0
+kind: Scheduled

Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml

@@ -1,5 +1,5 @@
 id: 9cb7c337-f172-4af6-b0e8-b6b7552d762d
-name: Flare Cloud bucket result
+name: Flare Cloud Bucket Results
 description: |
     'Results found on an publicly available cloud bucket'
 severity: Medium
@@ -18,6 +18,8 @@ relevantTechniques:
   - T1593
 query: |
   FireworkV2_CL
-  | where source_s contains "Grayhat_warfare" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 2.0.0
+  | where notempty(uid) and RiskScore >= 3
+  | extend index_name = split(uid, "/")[0]
+  | where index_name == "driller_bucket_object" or index_name == "bucket"
+version: 3.0.0
 kind: Scheduled

Solutions/Flare/Analytic Rules/FlareCredentialLeaks.yaml

@@ -1,7 +1,7 @@
 id: 9cb7c337-f170-4af6-b0e8-b6b7552d762d
-name: Flare Leaked Credentials
+name: Flare Leaked Credentials Results
 description: |
-    'Searches for Flare Leaked Credentials'
+    'Leaked credentials results'
 severity: Medium
 status: Available
 requiredDataConnectors:
@@ -18,6 +18,8 @@ relevantTechniques:
   - T1110
 query: |
   FireworkV2_CL
-  | where notempty(data_new_leaks_s) and source_s != 'stealer_logs_samples'
-version: 2.0.0
+  | where notempty(uid) and RiskScore >= 3
+  | extend index_name = split(uid, "/")[0]
+  | where index_name == "leaked_credential"
+version: 3.0.0
 kind: Scheduled

Solutions/Flare/Analytic Rules/FlareDork.yaml

@@ -1,7 +1,7 @@
 id: 9cb7c337-f174-4af6-b0e8-b6b7552d762d
-name: Flare Google Dork result found
+name: Flare Google Dork Results
 description: |
-    'Results using a dork on google was found'
+    'Results using a Dork on Google was found'
 severity: Medium
 status: Available
 requiredDataConnectors:
@@ -18,6 +18,9 @@ relevantTechniques:
   - T1593
 query: |
   FireworkV2_CL
-  | where source_s contains "google_search" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 2.0.0
+  | where notempty(uid) and RiskScore >= 3
+  | extend index_name = split(uid, "/")[0]
+  | extend category_name = split(uid, "/")[1]
+  | where (index_name == "driller_google") or (index_name == "driller" and category_name contains "google")
+version: 3.0.0
 kind: Scheduled

Solutions/Flare/Analytic Rules/FlareHost.yaml

@@ -1,5 +1,5 @@
 id: 9cb7c337-f175-4af6-b0e8-b6b7552d762d
-name: Flare Host result
+name: Flare Host Results
 description: |
     'Results found relating to IP, domain or host'
 severity: Medium
@@ -18,6 +18,8 @@ relevantTechniques:
   - T1596
 query: |
   FireworkV2_CL
-  | where source_s contains "driller_shodan" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 2.0.0
+  | where notempty(uid) and RiskScore >= 3
+  | extend index_name = split(uid, "/")[0]
+  | where index_name == "service"
+version: 3.0.0
 kind: Scheduled

Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml

@@ -1,7 +1,7 @@
 id: 9cb7c337-f176-4af6-b0e8-b6b7552d762d
-name: Flare Infected Device
+name: Flare Infected Device Results
 description: |
-    'Infected Device found on darkweb or Telegram'
+    'Infected Device Results on Darkweb or Telegram'
 severity: Medium
 status: Available
 requiredDataConnectors:
@@ -18,6 +18,8 @@ relevantTechniques:
   - T1555
 query: |
   FireworkV2_CL
-  | where category_name_s contains "Infected Device" or source_s=="genesis_market" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 2.0.0
+  | where notempty(uid) and RiskScore >= 3
+  | extend index_name = split(uid, "/")[0]
+  | where index_name in ("bot", "stealer_log")
+version: 3.0.0
 kind: Scheduled

Solutions/Flare/Analytic Rules/FlareLookalikeDomain.yaml

@@ -0,0 +1,25 @@
+id: 8e5ae0d6-7f2d-475e-ada3-ed33441deeba
+name: Flare Lookalike Domain Results
+description: |
+    'Look-alike domains are a primary vector for phishing and brand impersonation. Flare provides automated monitoring to detect these domains when they are registered or issued an SSL certificate.'
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: Flare
+    dataTypes:
+      - FireworkV2_CL
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Reconnaissance
+relevantTechniques:
+  - T1593
+query: |
+  FireworkV2_CL
+  | where notempty(uid) and RiskScore >= 3
+  | extend index_name = split(uid, "/")[0]
+  | where index_name == "domain"
+version: 1.0.0
+kind: Scheduled

Solutions/Flare/Analytic Rules/FlareMarket.yaml

@@ -0,0 +1,25 @@
+id: 9265ae4d-6bb0-4c18-961d-f7aae67d1546
+name: Flare Marketplace Results
+description: |
+    'The Marketplaces category includes underground markets and shops where illicit goods and services are bought and sold.'
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: Flare
+    dataTypes:
+      - FireworkV2_CL
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Reconnaissance
+relevantTechniques:
+  - T1593
+query: |
+  FireworkV2_CL
+  | where notempty(uid) and RiskScore >= 3
+  | extend index_name = split(uid, "/")[0]
+  | where index_name == "listing"
+version: 1.0.0
+kind: Scheduled

Solutions/Flare/Analytic Rules/FlarePaste.yaml

@@ -1,5 +1,5 @@
 id: 9cb7c337-f177-4af6-b0e8-b6b7552d762d
-name: Flare Paste result
+name: Flare Paste Results
 description: |
     'Result found on code Snippet (paste) sharing platform'
 severity: Medium
@@ -18,6 +18,8 @@ relevantTechniques:
   - T1593
 query: |
   FireworkV2_CL
-  | where source_s in ("gist_github","Pastebin","driller_stackexchange") and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 2.0.0
+  | where notempty(uid) and RiskScore >= 3
+  | extend index_name = split(uid, "/")[0]
+  | where index_name == "paste"
+version: 3.0.0
 kind: Scheduled

Solutions/Flare/Analytic Rules/FlareSourceCode.yaml

@@ -1,7 +1,7 @@
 id: 9cb7c337-f178-4af6-b0e8-b6b7552d762d
-name: Flare Source Code found
+name: Flare Source Code Results
 description: |
-    'Result found on Code Sharing platform'
+    'Results found on code sharing platforms'
 severity: Medium
 status: Available
 requiredDataConnectors:
@@ -18,6 +18,9 @@ relevantTechniques:
   - T1593
 query: |
   FireworkV2_CL
-  | where source_s contains "driller_github" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 2.0.0
+  | where notempty(uid) and RiskScore >= 3
+  | extend index_name = split(uid, "/")[0]
+  | extend category_name = split(uid, "/")[1]
+  | where index_name == "driller" and category_name contains "github"
+version: 3.0.0
 kind: Scheduled

Solutions/Flare/Data/Solution_FlareSystemsFirework.json

@@ -13,17 +13,19 @@
     "Playbooks/credential-warning/azuredeploy.json"
   ],
   "Analytic Rules": [
+    "Analytic Rules/FlareChat.yaml",
     "Analytic Rules/FlareCloudBucket.yaml",
     "Analytic Rules/FlareCredentialLeaks.yaml",
     "Analytic Rules/FlareDork.yaml",
     "Analytic Rules/FlareHost.yaml",
     "Analytic Rules/FlareInfectedDevice.yaml",
+    "Analytic Rules/FlareLookalikeDomain.yaml",
+    "Analytic Rules/FlareMarket.yaml",
     "Analytic Rules/FlarePaste.yaml",
-    "Analytic Rules/FlareSourceCode.yaml",
-    "Analytic Rules/FlareSSLcert.yaml"
+    "Analytic Rules/FlareSourceCode.yaml"
   ],
   "BasePath": "C:\\GitHub\\azure-sentinel\\Solutions\\Flare",
-  "Version": "3.0.0",
+  "Version": "3.1.0",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": false,
   "Is1PConnector": false