Flare Cloud bucket result

Back


Id	9cb7c337-f172-4af6-b0e8-b6b7552d762d
Rulename	Flare Cloud bucket result
Description	Results found on an publicly available cloud bucket
Severity	Medium
Tactics	Reconnaissance
Techniques	T1593
Required data connectors	Flare
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml
Version	2.0.0
Arm template	9cb7c337-f172-4af6-b0e8-b6b7552d762d.json

KQL

FireworkV2_CL
| where tolower(source) contains "grayhat_warfare" and (RiskScore == 3 or RiskScore == 4 or RiskScore == 5)

YAML

severity: Medium
queryPeriod: 1h
name: Flare Cloud bucket result
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml
version: 2.0.0
relevantTechniques:
- T1593
status: Available
id: 9cb7c337-f172-4af6-b0e8-b6b7552d762d
queryFrequency: 1h
triggerThreshold: 0
triggerOperator: gt
query: |
  FireworkV2_CL
  | where tolower(source) contains "grayhat_warfare" and (RiskScore == 3 or RiskScore == 4 or RiskScore == 5)  
description: |
    'Results found on an publicly available cloud bucket'
requiredDataConnectors:
- connectorId: Flare
  dataTypes:
  - FireworkV2_CL
tactics:
- Reconnaissance
kind: Scheduled

ARM