Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Flare infected device results

Flare infected device results

Back
Id9cb7c337-f176-4af6-b0e8-b6b7552d762d
RulenameFlare infected device results
DescriptionThis query searches for infected device events on Darkweb or Telegram.
SeverityMedium
TacticsCredentialAccess
TechniquesT1555
Required data connectorsFlare
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml
Version3.0.0
Arm template9cb7c337-f176-4af6-b0e8-b6b7552d762d.json
Deploy To Azure
FireworkV2_CL
| where notempty(uid) and RiskScore >= 3
| extend index_name = split(uid, "/")[0]
| where index_name in ("bot", "stealer_log")

relevantTechniques:
- T1555
version: 3.0.0
id: 9cb7c337-f176-4af6-b0e8-b6b7552d762d
severity: Medium
kind: Scheduled
queryFrequency: 1h
description: |
    'This query searches for infected device events on Darkweb or Telegram.'
requiredDataConnectors:
- connectorId: Flare
  dataTypes:
  - FireworkV2_CL
triggerOperator: gt
name: Flare infected device results
tactics:
- CredentialAccess
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml
triggerThreshold: 0
queryPeriod: 1h
query: |
  FireworkV2_CL
  | where notempty(uid) and RiskScore >= 3
  | extend index_name = split(uid, "/")[0]
  | where index_name in ("bot", "stealer_log")  
status: Available