Flare infected device results

Back


Id	9cb7c337-f176-4af6-b0e8-b6b7552d762d
Rulename	Flare infected device results
Description	This query searches for infected device events on Darkweb or Telegram.
Severity	Medium
Tactics	CredentialAccess
Techniques	T1555
Required data connectors	Flare
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml
Version	3.0.0
Arm template	9cb7c337-f176-4af6-b0e8-b6b7552d762d.json

KQL

FireworkV2_CL
| where notempty(uid) and RiskScore >= 3
| extend index_name = split(uid, "/")[0]
| where index_name in ("bot", "stealer_log")

YAML

status: Available
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
query: |
  FireworkV2_CL
  | where notempty(uid) and RiskScore >= 3
  | extend index_name = split(uid, "/")[0]
  | where index_name in ("bot", "stealer_log")  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml
tactics:
- CredentialAccess
triggerThreshold: 0
requiredDataConnectors:
- connectorId: Flare
  dataTypes:
  - FireworkV2_CL
kind: Scheduled
relevantTechniques:
- T1555
description: |
    'This query searches for infected device events on Darkweb or Telegram.'
name: Flare infected device results
version: 3.0.0
id: 9cb7c337-f176-4af6-b0e8-b6b7552d762d
severity: Medium

ARM