Flare Infected Device

Back


Id	9cb7c337-f176-4af6-b0e8-b6b7552d762d
Rulename	Flare Infected Device
Description	Infected Device found on darkweb or Telegram
Severity	Medium
Tactics	CredentialAccess
Techniques	T1555
Required data connectors	Flare
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml
Version	1.0.1
Arm template	9cb7c337-f176-4af6-b0e8-b6b7552d762d.json

KQL

Firework_CL
| where category_name_s contains "Infected Device" or source_s=="genesis_market" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")

YAML

kind: Scheduled
severity: Medium
name: Flare Infected Device
relevantTechniques:
- T1555
triggerOperator: gt
tactics:
- CredentialAccess
query: |
  Firework_CL
  | where category_name_s contains "Infected Device" or source_s=="genesis_market" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")  
triggerThreshold: 0
status: Available
description: |
    'Infected Device found on darkweb or Telegram'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml
queryFrequency: 1h
queryPeriod: 1h
id: 9cb7c337-f176-4af6-b0e8-b6b7552d762d
requiredDataConnectors:
- connectorId: Flare
  dataTypes:
  - Firework_CL
version: 1.0.1

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9cb7c337-f176-4af6-b0e8-b6b7552d762d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9cb7c337-f176-4af6-b0e8-b6b7552d762d')]",
      "properties": {
        "alertRuleTemplateName": "9cb7c337-f176-4af6-b0e8-b6b7552d762d",
        "customDetails": null,
        "description": "'Infected Device found on darkweb or Telegram'\n",
        "displayName": "Flare Infected Device",
        "enabled": true,
        "entityMappings": null,
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml",
        "query": "Firework_CL\n| where category_name_s contains \"Infected Device\" or source_s==\"genesis_market\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1555"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}