Flare marketplace results

Back


Id	9265ae4d-6bb0-4c18-961d-f7aae67d1546
Rulename	Flare marketplace results
Description	This query searches for underground markets and shops where illicit goods and services are bought and sold.
Severity	Medium
Tactics	Reconnaissance
Techniques	T1593
Required data connectors	Flare
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Flare/Analytic Rules/FlareMarket.yaml
Version	1.0.0
Arm template	9265ae4d-6bb0-4c18-961d-f7aae67d1546.json

KQL

FireworkV2_CL
| where notempty(uid) and RiskScore >= 3
| extend index_name = split(uid, "/")[0]
| where index_name == "listing"

YAML

relevantTechniques:
- T1593
version: 1.0.0
id: 9265ae4d-6bb0-4c18-961d-f7aae67d1546
severity: Medium
kind: Scheduled
queryFrequency: 1h
description: |
    'This query searches for underground markets and shops where illicit goods and services are bought and sold.'
requiredDataConnectors:
- connectorId: Flare
  dataTypes:
  - FireworkV2_CL
triggerOperator: gt
name: Flare marketplace results
tactics:
- Reconnaissance
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Flare/Analytic Rules/FlareMarket.yaml
triggerThreshold: 0
queryPeriod: 1h
query: |
  FireworkV2_CL
  | where notempty(uid) and RiskScore >= 3
  | extend index_name = split(uid, "/")[0]
  | where index_name == "listing"  
status: Available

ARM