Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Flare chat results

Flare chat results

Back
Id76210211-3ade-47b6-b7f2-c871cd05ec43
RulenameFlare chat results
DescriptionThis query searches for conversations and posts from real-time messaging environments used by threat actors and fraud communities.
SeverityMedium
TacticsReconnaissance
TechniquesT1593
Required data connectorsFlare
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Flare/Analytic Rules/FlareChat.yaml
Version1.0.0
Arm template76210211-3ade-47b6-b7f2-c871cd05ec43.json
Deploy To Azure
FireworkV2_CL
| where notempty(uid) and RiskScore >= 3
| extend index_name = split(uid, "/")[0]
| where index_name == "chat_message"

relevantTechniques:
- T1593
version: 1.0.0
id: 76210211-3ade-47b6-b7f2-c871cd05ec43
severity: Medium
kind: Scheduled
queryFrequency: 1h
description: |
    'This query searches for conversations and posts from real-time messaging environments used by threat actors and fraud communities.'
requiredDataConnectors:
- connectorId: Flare
  dataTypes:
  - FireworkV2_CL
triggerOperator: gt
name: Flare chat results
tactics:
- Reconnaissance
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Flare/Analytic Rules/FlareChat.yaml
triggerThreshold: 0
queryPeriod: 1h
query: |
  FireworkV2_CL
  | where notempty(uid) and RiskScore >= 3
  | extend index_name = split(uid, "/")[0]
  | where index_name == "chat_message"  
status: Available