Flare Infected Device

Back


Id	9cb7c337-f176-4af6-b0e8-b6b7552d762d
Rulename	Flare Infected Device
Description	Infected Device found on darkweb or Telegram
Severity	Medium
Tactics	CredentialAccess
Techniques	T1555
Required data connectors	Flare
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml
Version	1.0.1
Arm template	9cb7c337-f176-4af6-b0e8-b6b7552d762d.json

KQL

Firework_CL
| where category_name_s contains "Infected Device" or source_s=="genesis_market" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")

YAML

relevantTechniques:
- T1555
name: Flare Infected Device
requiredDataConnectors:
- dataTypes:
  - Firework_CL
  connectorId: Flare
triggerThreshold: 0
id: 9cb7c337-f176-4af6-b0e8-b6b7552d762d
tactics:
- CredentialAccess
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml
queryPeriod: 1h
kind: Scheduled
queryFrequency: 1h
severity: Medium
status: Available
description: |
    'Infected Device found on darkweb or Telegram'
query: |
  Firework_CL
  | where category_name_s contains "Infected Device" or source_s=="genesis_market" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")  
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9cb7c337-f176-4af6-b0e8-b6b7552d762d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9cb7c337-f176-4af6-b0e8-b6b7552d762d')]",
      "properties": {
        "alertRuleTemplateName": "9cb7c337-f176-4af6-b0e8-b6b7552d762d",
        "customDetails": null,
        "description": "'Infected Device found on darkweb or Telegram'\n",
        "displayName": "Flare Infected Device",
        "enabled": true,
        "entityMappings": null,
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml",
        "query": "Firework_CL\n| where category_name_s contains \"Infected Device\" or source_s==\"genesis_market\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1555"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}