Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Flare lookalike domain results

Flare lookalike domain results

Back
Id8e5ae0d6-7f2d-475e-ada3-ed33441deeba
RulenameFlare lookalike domain results
DescriptionThis query searches for lookalike domains and SSL certificate registrations.
SeverityMedium
TacticsReconnaissance
TechniquesT1593
Required data connectorsFlare
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Flare/Analytic Rules/FlareLookalikeDomain.yaml
Version1.0.0
Arm template8e5ae0d6-7f2d-475e-ada3-ed33441deeba.json
Deploy To Azure
FireworkV2_CL
| where notempty(uid) and RiskScore >= 3
| extend index_name = split(uid, "/")[0]
| where index_name == "domain"

relevantTechniques:
- T1593
version: 1.0.0
id: 8e5ae0d6-7f2d-475e-ada3-ed33441deeba
severity: Medium
kind: Scheduled
queryFrequency: 1h
description: |
    'This query searches for lookalike domains and SSL certificate registrations.'
requiredDataConnectors:
- connectorId: Flare
  dataTypes:
  - FireworkV2_CL
triggerOperator: gt
name: Flare lookalike domain results
tactics:
- Reconnaissance
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Flare/Analytic Rules/FlareLookalikeDomain.yaml
triggerThreshold: 0
queryPeriod: 1h
query: |
  FireworkV2_CL
  | where notempty(uid) and RiskScore >= 3
  | extend index_name = split(uid, "/")[0]
  | where index_name == "domain"  
status: Available