Flare infected device results

Back


Id	9cb7c337-f176-4af6-b0e8-b6b7552d762d
Rulename	Flare infected device results
Description	This query searches for infected device events on Darkweb or Telegram.
Severity	Medium
Tactics	CredentialAccess
Techniques	T1555
Required data connectors	Flare
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml
Version	3.0.0
Arm template	9cb7c337-f176-4af6-b0e8-b6b7552d762d.json

KQL

FireworkV2_CL
| where notempty(uid) and RiskScore >= 3
| extend index_name = split(uid, "/")[0]
| where index_name in ("bot", "stealer_log")

YAML

tactics:
- CredentialAccess
requiredDataConnectors:
- dataTypes:
  - FireworkV2_CL
  connectorId: Flare
id: 9cb7c337-f176-4af6-b0e8-b6b7552d762d
severity: Medium
status: Available
query: |
  FireworkV2_CL
  | where notempty(uid) and RiskScore >= 3
  | extend index_name = split(uid, "/")[0]
  | where index_name in ("bot", "stealer_log")  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml
kind: Scheduled
queryPeriod: 1h
version: 3.0.0
name: Flare infected device results
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1555
description: |
    'This query searches for infected device events on Darkweb or Telegram.'
triggerOperator: gt

ARM