Flare Host result

Back


Id	9cb7c337-f175-4af6-b0e8-b6b7552d762d
Rulename	Flare Host result
Description	Results found relating to IP, domain or host
Severity	Medium
Tactics	Reconnaissance
Techniques	T1596
Required data connectors	Flare
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Flare/Analytic Rules/FlareHost.yaml
Version	2.0.0
Arm template	9cb7c337-f175-4af6-b0e8-b6b7552d762d.json

KQL

FireworkV2_CL
| where source contains "driller_shodan" and (RiskScore == 3 or RiskScore == 4 or RiskScore == 5)

YAML

description: |
    'Results found relating to IP, domain or host'
kind: Scheduled
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Flare/Analytic Rules/FlareHost.yaml
status: Available
triggerOperator: gt
severity: Medium
relevantTechniques:
- T1596
triggerThreshold: 0
name: Flare Host result
requiredDataConnectors:
- connectorId: Flare
  dataTypes:
  - FireworkV2_CL
id: 9cb7c337-f175-4af6-b0e8-b6b7552d762d
queryPeriod: 1h
tactics:
- Reconnaissance
version: 2.0.0
query: |
  FireworkV2_CL
  | where source contains "driller_shodan" and (RiskScore == 3 or RiskScore == 4 or RiskScore == 5)

ARM