Flare Cloud bucket result

Back


Id	9cb7c337-f172-4af6-b0e8-b6b7552d762d
Rulename	Flare Cloud bucket result
Description	Results found on an publicly available cloud bucket
Severity	Medium
Tactics	Reconnaissance
Techniques	T1593
Required data connectors	Flare
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml
Version	2.0.0
Arm template	9cb7c337-f172-4af6-b0e8-b6b7552d762d.json

KQL

FireworkV2_CL
| where tolower(source) contains "grayhat_warfare" and (RiskScore == 3 or RiskScore == 4 or RiskScore == 5)

YAML

name: Flare Cloud bucket result
relevantTechniques:
- T1593
id: 9cb7c337-f172-4af6-b0e8-b6b7552d762d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml
requiredDataConnectors:
- dataTypes:
  - FireworkV2_CL
  connectorId: Flare
version: 2.0.0
severity: Medium
triggerThreshold: 0
queryPeriod: 1h
queryFrequency: 1h
status: Available
query: |
  FireworkV2_CL
  | where tolower(source) contains "grayhat_warfare" and (RiskScore == 3 or RiskScore == 4 or RiskScore == 5)  
tactics:
- Reconnaissance
kind: Scheduled
description: |
    'Results found on an publicly available cloud bucket'
triggerOperator: gt

ARM