diff --git a/Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml b/Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml
index 01bd158a27b..5d3ef97d353 100644
--- a/Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml
+++ b/Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml
@@ -7,7 +7,7 @@ status: Available
 requiredDataConnectors:
 - connectorId: Flare
 dataTypes:
- - Firework_CL
+ - FireworkV2_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -17,7 +17,7 @@ tactics:
 relevantTechniques:
 - T1593
 query: |
- Firework_CL
+ FireworkV2_CL
 | where source_s contains "Grayhat_warfare" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
-kind: Scheduled
\ No newline at end of file
+version: 2.0.0
+kind: Scheduled
diff --git a/Solutions/Flare/Analytic Rules/FlareCredentialLeaks.yaml b/Solutions/Flare/Analytic Rules/FlareCredentialLeaks.yaml
index 4f50f737d69..37c2309f558 100644
--- a/Solutions/Flare/Analytic Rules/FlareCredentialLeaks.yaml
+++ b/Solutions/Flare/Analytic Rules/FlareCredentialLeaks.yaml
@@ -7,7 +7,7 @@ status: Available
 requiredDataConnectors:
 - connectorId: Flare
 dataTypes:
- - Firework_CL
+ - FireworkV2_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -17,7 +17,7 @@ tactics:
 relevantTechniques:
 - T1110
 query: |
- Firework_CL
+ FireworkV2_CL
 | where notempty(data_new_leaks_s) and source_s != 'stealer_logs_samples'
-version: 1.0.2
-kind: Scheduled
\ No newline at end of file
+version: 2.0.0
+kind: Scheduled
diff --git a/Solutions/Flare/Analytic Rules/FlareDarkweb.yaml b/Solutions/Flare/Analytic Rules/FlareDarkweb.yaml
deleted file mode 100644
index 39128e15e0c..00000000000
--- a/Solutions/Flare/Analytic Rules/FlareDarkweb.yaml
+++ /dev/null
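Review bot: The query in the second FlareCloudBucket hunk still filters on `source_s` and `risk_score_d`, but the FireworkV2_CL schema added in this commit (FlareFireworkEventLogs_Table.json) declares neither: the raw source column is `source` and the DCR transform materialises the score as the integer `RiskScore` from `toint(risk.score)`, so the rule will not resolve those columns against the new table. A filter that matches the new schema would be `| where source contains "Grayhat_warfare" and RiskScore between (3 .. 5)`, which also drops the old numeric-vs-string comparison `risk_score_d == "3"`. The same legacy `_s`/`_d` names remain in FlareCredentialLeaks (`data_new_leaks_s`, `source_s`), FlareDork, FlareHost, FlareInfectedDevice (`category_name_s`, `source_s`), FlarePaste, FlareSSLcert and FlareSourceCode; for the credential-leak rule the equivalent is presumably `isnotempty(data.new_leaks)` on the dynamic `data` column, which should be confirmed against a real Flare event before the 2.0.0 rules ship.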
@@ -1,23 +0,0 @@
-id: 9cb7c337-f173-4af6-b0e8-b6b7552d762d
-name: Flare Darkweb result
-description: |
- 'Result found on a darkweb platform'
-severity: Medium
-status: Available
-requiredDataConnectors:
- - connectorId: Flare
- dataTypes:
- - Firework_CL
-queryFrequency: 1h
-queryPeriod: 1h
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
- - Reconnaissance
-relevantTechniques:
- - T1597
-query: |
- Firework_CL
- | where risk_reasons_s contains "CYBERCRIME_SOURCE" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
-kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Flare/Analytic Rules/FlareDork.yaml b/Solutions/Flare/Analytic Rules/FlareDork.yaml
index 43a16a7f97f..8420d20e8ac 100644
--- a/Solutions/Flare/Analytic Rules/FlareDork.yaml
+++ b/Solutions/Flare/Analytic Rules/FlareDork.yaml
@@ -7,7 +7,7 @@ status: Available
 requiredDataConnectors:
 - connectorId: Flare
 dataTypes:
- - Firework_CL
+ - FireworkV2_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -17,7 +17,7 @@ tactics:
 relevantTechniques:
 - T1593
 query: |
- Firework_CL
+ FireworkV2_CL
 | where source_s contains "google_search" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
-kind: Scheduled
\ No newline at end of file
+version: 2.0.0
+kind: Scheduled
diff --git a/Solutions/Flare/Analytic Rules/FlareHost.yaml b/Solutions/Flare/Analytic Rules/FlareHost.yaml
index 69c5b24fd50..59f06789315 100644
--- a/Solutions/Flare/Analytic Rules/FlareHost.yaml
+++ b/Solutions/Flare/Analytic Rules/FlareHost.yaml
@@ -7,7 +7,7 @@ status: Available
 requiredDataConnectors:
 - connectorId: Flare
 dataTypes:
- - Firework_CL
+ - FireworkV2_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -17,7 +17,7 @@ tactics:
 relevantTechniques:
 - T1596
 query: |
- Firework_CL
+ FireworkV2_CL
 | where source_s contains "driller_shodan" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
-kind: Scheduled
\ No newline at end of file
+version: 2.0.0
+kind: Scheduled
diff --git a/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml b/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml
index 3d5cc7c7709..d19c0371c46 100644
--- a/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml
+++ b/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml
@@ -7,7 +7,7 @@ status: Available
 requiredDataConnectors:
 - connectorId: Flare
 dataTypes:
- - Firework_CL
+ - FireworkV2_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -17,7 +17,7 @@ tactics:
 relevantTechniques:
 - T1555
 query: |
- Firework_CL
+ FireworkV2_CL
 | where category_name_s contains "Infected Device" or source_s=="genesis_market" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
-kind: Scheduled
\ No newline at end of file
+version: 2.0.0
+kind: Scheduled
diff --git a/Solutions/Flare/Analytic Rules/FlarePaste.yaml b/Solutions/Flare/Analytic Rules/FlarePaste.yaml
index bd5449ff09b..2f70dc15703 100644
--- a/Solutions/Flare/Analytic Rules/FlarePaste.yaml
+++ b/Solutions/Flare/Analytic Rules/FlarePaste.yaml
@@ -7,7 +7,7 @@ status: Available
 requiredDataConnectors:
 - connectorId: Flare
 dataTypes:
- - Firework_CL
+ - FireworkV2_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -17,7 +17,7 @@ tactics:
 relevantTechniques:
 - T1593
 query: |
- Firework_CL
+ FireworkV2_CL
 | where source_s in ("gist_github","Pastebin","driller_stackexchange") and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
-kind: Scheduled
\ No newline at end of file
+version: 2.0.0
+kind: Scheduled
diff --git a/Solutions/Flare/Analytic Rules/FlareSSLcert.yaml b/Solutions/Flare/Analytic Rules/FlareSSLcert.yaml
index b11c5d47b21..5a174d4f0c5 100644
--- a/Solutions/Flare/Analytic Rules/FlareSSLcert.yaml
+++ b/Solutions/Flare/Analytic Rules/FlareSSLcert.yaml
@@ -7,7 +7,7 @@ status: Available
 requiredDataConnectors:
 - connectorId: Flare
 dataTypes:
- - Firework_CL
+ - FireworkV2_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -17,7 +17,7 @@ tactics:
 relevantTechniques:
 - T1583
 query: |
- Firework_CL
+ FireworkV2_CL
 | where source_s contains "certstream" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
-kind: Scheduled
\ No newline at end of file
+version: 2.0.0
+kind: Scheduled
diff --git a/Solutions/Flare/Analytic Rules/FlareSourceCode.yaml b/Solutions/Flare/Analytic Rules/FlareSourceCode.yaml
index adec624539d..bde6f625d60 100644
--- a/Solutions/Flare/Analytic Rules/FlareSourceCode.yaml
+++ b/Solutions/Flare/Analytic Rules/FlareSourceCode.yaml
@@ -7,7 +7,7 @@ status: Available
 requiredDataConnectors:
 - connectorId: Flare
 dataTypes:
- - Firework_CL
+ - FireworkV2_CL
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -17,7 +17,7 @@ tactics:
 relevantTechniques:
 - T1593
 query: |
- Firework_CL
+ FireworkV2_CL
 | where source_s contains "driller_github" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")
-version: 1.0.1
-kind: Scheduled
\ No newline at end of file
+version: 2.0.0
+kind: Scheduled
diff --git a/Solutions/Flare/Data Connectors/Connector_REST_API_FlareSystemsFirework.json b/Solutions/Flare/Data Connectors/Connector_REST_API_FlareSystemsFirework.json
deleted file mode 100644
index a02378a4b9e..00000000000
--- a/Solutions/Flare/Data Connectors/Connector_REST_API_FlareSystemsFirework.json
+++ /dev/null
@@ -1,132 +0,0 @@ -{ - "id": "Flare", - "title": "Flare", - "publisher": "Flare", - "descriptionMarkdown": "[Flare](https://flare.systems/platform/) connector allows you to receive data and intelligence from Flare on Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Firework_CL", - "baseQuery": "Firework_CL" - } - ], - "sampleQueries": [ - { - "description": "Flare Activities -- All", - "query": "Firework_CL\n | sort by TimeGenerated desc" - } - ], - "dataTypes": [ - { - "name": "Firework_CL", - "lastDataReceivedQuery": "Firework_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "Firework_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Required Flare permissions", - "description": "only Flare organization administrators may configure the Microsoft Sentinel integration." - } - ] - }, - "instructionSteps": [ - { - "title": "1. 
Creating an Alert Channel for Microsoft Sentinel", - "description": "", - "innerSteps": [ - { - "description": "As an organization administrator, authenticate on [Flare](https://app.flare.systems) and access the [team page](https://app.flare.systems#/team) to create a new alert channel." - }, - { - "description": "Click on 'Create a new alert channel' and select 'Microsoft Sentinel'. Enter your Shared Key And WorkspaceID. Save the Alert Channel. \n For more help and details, see our [Azure configuration documentation](https://docs.microsoft.com/azure/sentinel/connect-data-sources).", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID", - "value": "{0}" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "fillWith": [ - "PrimaryKey" - ], - "label": "Primary key", - "value": "{0} " - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - { - "title": "2. Associating your alert channel to an alert feed", - "innerSteps": [ - { - "description": "At this point, you may configure alerts to be sent to Microsoft Sentinel the same way that you would configure regular email alerts." - }, - { - "description": "For a more detailed guide, refer to the Flare documentation." - } - ] - } - ], - "metadata": { - "id": "c3f2c642-54a5-49b4-b135-e05506720765", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "solution", - "name": "Flare" - }, - "author": { - "name": "Flare" - }, - "support": { - "tier": "developer", - "name": "Flare", - "email": "contact@flare.systems", - "link": "https://flare.systems/company/contact/" - } - } -} \ No newline at end of file diff --git a/Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_DCR.json b/Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_DCR.json new file mode 100644 index 00000000000..4cf49b9bda2 --- /dev/null 
+++ b/Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_DCR.json 
@@ -0,0 +1,167 @@ +{ + "name": "FireworkCustomDCR", + "apiVersion": "2024-03-11", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "[parameters('workspace-location')]", + "properties": { + "streamDeclarations": { + "Custom-FireworkEventsStream": { + "columns": [ + { + "name": "timestamp", + "type": "string" + }, + { + "name": "timestamp_formatted", + "type": "string" + }, + { + "name": "first_crawled_at", + "type": "string" + }, + { + "name": "materialized_at", + "type": "string" + }, + { + "name": "url", + "type": "string" + }, + { + "name": "event_title", + "type": "string" + }, + { + "name": "event_type", + "type": "string" + }, + { + "name": "source", + "type": "string" + }, + { + "name": "source_name", + "type": "string" + }, + { + "name": "id", + "type": "string" + }, + { + "name": "keyword", + "type": "string" + }, + { + "name": "category_name", + "type": "string" + }, + { + "name": "content_preview", + "type": "dynamic" + }, + { + "name": "content", + "type": "string" + }, + { + "name": "alert_content", + "type": "string" + }, + { + "name": "highlights", + "type": "dynamic" + }, + { + "name": "risk", + "type": "dynamic" + }, + { + "name": "tags", + "type": "dynamic" + }, + { + "name": "related", + "type": "dynamic" + }, + { + "name": "user_risk_score", + "type": "int" + }, + { + "name": "user_notes", + "type": "string" + }, + { + "name": "data", + "type": "dynamic" + }, + { + "name": "uid", + "type": "string" + }, + { + "name": "external_url", + "type": "string" + }, + { + "name": "identifiers", + "type": "dynamic" + }, + { + "name": "sort", + "type": "string" + }, + { + "name": "asset_uuids", + "type": "dynamic" + }, + { + "name": "code", + "type": "dynamic" + }, + { + "name": "author_id", + "type": "string" + }, + { + "name": "project_name", + "type": "string" + }, + { + "name": "sha", + "type": "string" + }, + { + "name": "actor", + "type": "string" + }, + { + "name": "victim_name", + "type": "string" + } + ] + } + }, + "destinations": { 
+ "logAnalytics": [ + { + "workspaceResourceId": "[variables('workspaceResourceId')]", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-FireworkEventsStream" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source\n| extend\n TimeGenerated = iff(not(isempty(timestamp)), todatetime(timestamp), now()),\n EventVendor = \"Flare\",\n EventProduct = \"Firework\",\n EventSchemaVersion = \"0.1\",\n EventSeverity = case(\n toint(risk.score) == 1, \"Informational\",\n toint(risk.score) == 2, \"Low\",\n toint(risk.score) == 3, \"Medium\",\n toint(risk.score) == 4, \"High\",\n toint(risk.score) == 5, \"Critical\",\n \"Informational\"\n ),\n EventOriginalUid = uid,\n EventOriginalType = event_type,\n RiskScore = toint(risk.score),\n Url = url\n", + "outputStream": "Custom-FireworkV2_CL" + } + ], + "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]" + } +} diff --git a/Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_PollingConfig.json b/Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_PollingConfig.json new file mode 100644 index 00000000000..730872c6045 --- /dev/null +++ b/Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_PollingConfig.json 
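Review bot: In `transformKql`, a `timestamp` that is present but not parseable leaves `TimeGenerated` null, because `todatetime()` returns null and the `iff()` only guards the empty case; `TimeGenerated = coalesce(todatetime(timestamp), now()),` covers both and makes the explicit fallback the template clearly intends actually apply. `toint(risk.score)` is also evaluated six times across the `case()` and the `RiskScore` assignment; computing `RiskScore` in a first `extend` and deriving `EventSeverity` from it in a second keeps the two values consistent by construction and is easier to read. The `dataCollectionEndpointId` expression names the endpoint after `parameters('workspace')`, which appears to assume a data collection endpoint with the workspace's name already exists in `parameters('resourceGroupName')`; that assumption deserves a short note in the template or a reference to where the endpoint is created.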
@@ -0,0 +1,27 @@
+{
+ "name": "FireworkPushConnectorPolling",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "Push",
+ "properties": {
+ "connectorDefinitionName": "FireworkPush",
+ "dcrConfig": {
+ "streamName": "Custom-FireworkEventsStream",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ },
+ "auth": {
+ "type": "Push",
+ "AppId": "[[parameters('auth').appId]",
+ "ServicePrincipalId": "[[parameters('auth').servicePrincipalId]"
+ },
+ "request": {
+ "RetryCount": 1
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.items"
+ ]
+ }
+ }
+}
diff --git a/Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_Table.json b/Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_Table.json
new file mode 100644
index 00000000000..4b0c5de3018
--- /dev/null
+++ b/Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_Table.json
@@ -0,0 +1,223 @@ + +{ + "apiVersion": "2022-10-01", + "name": "FireworkV2_CL", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "properties": { + "plan": "Analytics", + "schema": { + "name": "FireworkV2_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime", + "description": "Timestamp when the event was ingested (ASIM)" + }, + { + "name": "EventVendor", + "type": "string", + "description": "Event vendor name - Flare (ASIM)" + }, + { + "name": "EventProduct", + "type": "string", + "description": "Event product name (ASIM)" + }, + { + "name": "EventSchemaVersion", + "type": "string", + "description": "Schema version (ASIM)" + }, + { + "name": "EventSeverity", + "type": "string", + "description": "Severity level: Informational, Low, Medium, High, Critical (ASIM)" + }, + { + "name": "EventOriginalUid", + "type": "string", + "description": "Original unique identifier (ASIM)" + }, + { + "name": "EventOriginalType", + "type": "string", + "description": "Original event type (ASIM)" + }, + { + "name": "RiskScore", + "type": "int", + "description": "Extracted risk score (1-5)" + }, + { + "name": "Url", + "type": "string", + "description": "Source URL (ASIM)" + }, + { + "name": "timestamp", + "type": "string", + "description": "Original timestamp from Flare" + }, + { + "name": "timestamp_formatted", + "type": "string", + "description": "Formatted timestamp string" + }, + { + "name": "first_crawled_at", + "type": "string", + "description": "When the item was first crawled" + }, + { + "name": "materialized_at", + "type": "string", + "description": "When the item was materialized" + }, + { + "name": "url", + "type": "string", + "description": "URL of the source" + }, + { + "name": "event_title", + "type": "string", + "description": "Title of the event" + }, + { + "name": "event_type", + "type": "string", + "description": "Type of the search item" + }, + { + "name": "source", + "type": "string", + "description": "Source identifier" + }, + { + 
"name": "source_name", + "type": "string", + "description": "Human-readable source name" + }, + { + "name": "id", + "type": "string", + "description": "Unique identifier of the item" + }, + { + "name": "keyword", + "type": "string", + "description": "Matched keyword" + }, + { + "name": "category_name", + "type": "string", + "description": "Category of the event" + }, + { + "name": "content_preview", + "type": "dynamic", + "description": "Preview of the content" + }, + { + "name": "content", + "type": "string", + "description": "Full content of the event" + }, + { + "name": "alert_content", + "type": "string", + "description": "Content formatted for alerting" + }, + { + "name": "highlights", + "type": "dynamic", + "description": "Highlighted matches in the content" + }, + { + "name": "risk", + "type": "dynamic", + "description": "Risk object containing score" + }, + { + "name": "tags", + "type": "dynamic", + "description": "List of tags" + }, + { + "name": "related", + "type": "dynamic", + "description": "List of related URLs" + }, + { + "name": "user_risk_score", + "type": "int", + "description": "User-assigned risk score override" + }, + { + "name": "user_notes", + "type": "string", + "description": "User notes on the event" + }, + { + "name": "data", + "type": "dynamic", + "description": "Additional data payload" + }, + { + "name": "uid", + "type": "string", + "description": "Unique identifier (UID format)" + }, + { + "name": "external_url", + "type": "string", + "description": "External URL reference" + }, + { + "name": "identifiers", + "type": "dynamic", + "description": "Array of matched identifiers [{id, type, name, query, group}]" + }, + { + "name": "sort", + "type": "string" + }, + { + "name": "asset_uuids", + "type": "dynamic", + "description": "List of related asset UUIDs" + }, + { + "name": "code", + "type": "dynamic", + "description": "Code metadata" + }, + { + "name": "author_id", + "type": "string", + "description": "Author identifier" + }, + { + 
"name": "project_name", + "type": "string", + "description": "Project name (for code-related events)" + }, + { + "name": "sha", + "type": "string", + "description": "Commit SHA (for code-related events)" + }, + { + "name": "actor", + "type": "string", + "description": "Actor/threat actor name" + }, + { + "name": "victim_name", + "type": "string", + "description": "Victim name if applicable" + } + ] + } + } +} diff --git a/Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_connectorDefinition.json b/Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_connectorDefinition.json new file mode 100644 index 00000000000..aedb68627c7 --- /dev/null +++ b/Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_connectorDefinition.json 
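Review bot: The `TimeGenerated` description says "Timestamp when the event was ingested (ASIM)", but the DCR transform added in this commit sets `TimeGenerated` from the Flare `timestamp` field and only falls back to `now()` when that field is empty, so the column normally carries event time rather than ingestion time; suggest `"description": "Event time parsed from the Flare timestamp field; ingestion time when absent (ASIM)"`. `sort` is the only column in the schema without a `description`, which the Log Analytics table UI will show blank. The file also opens with a blank line before `{`, unlike the other new connector JSON files in this change.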
@@ -0,0 +1,164 @@ +{ + "name": "FireworkPush", + "apiVersion": "2025-09-01", + "type": "Microsoft.SecurityInsights/dataConnectorDefinitions", + "kind": "Customizable", + "location": "[parameters('workspace-location')]", + "properties": { + "connectorUiConfig": { + "availability": { + "status": 1 + }, + "connectivityCriteria": [ + { + "type": "IsConnectedQuery", + "value": [ + "FireworkV2_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" + ] + } + ], + "dataTypes": [ + { + "name": "FireworkV2_CL", + "lastDataReceivedQuery": "FireworkV2_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "descriptionMarkdown": "The [Flare](https://flare.io) connector provides the capability to ingest threat intelligence and exposure data from Flare into Microsoft Sentinel. Flare identifies your company's digital assets made publicly available due to human error or malicious attacks, including leaked credentials, exposed cloud buckets, darkweb mentions, and more.", + "graphQueriesTableName": "FireworkV2_CL", + "graphQueries": [ + { + "metricName": "Total Flare Events", + "legend": "FireworkV2_CL", + "baseQuery": "FireworkV2_CL" + } + ], + "sampleQueries": [ + { + "description": "Flare - All Events", + "query": "{{graphQueriesTableName}} \n | sort by TimeGenerated desc" + }, + { + "description": "Flare - High Risk Events (Score >= 4)", + "query": "{{graphQueriesTableName}} \n | where RiskScore >= 4\n | project TimeGenerated, EventSeverity, EventType, ['title'], source_name, RiskScore, Url\n | sort by TimeGenerated desc" + }, + { + "description": "Flare - Credential Leaks", + "query": "{{graphQueriesTableName}} \n | where EventType == \"CredentialLeak\"\n | project TimeGenerated, EventSeverity, ['title'], source_name, keyword, RiskScore\n | sort by TimeGenerated desc" + }, + { + "description": "Flare - Events by Severity", + "query": "{{graphQueriesTableName}} \n | summarize Count = count() by 
EventSeverity\n | order by Count desc" + }, + { + "description": "Flare - Events by Type", + "query": "{{graphQueriesTableName}} \n | summarize Count = count() by EventType\n | order by Count desc" + } + ], + "id": "FireworkPush", + "instructionSteps": [ + { + "title": "1. Create ARM Resources and Provide the Required Permissions", + "description": "This connector enables Flare to send threat exposure data to Microsoft Sentinel. When data forwarding is enabled in Flare, raw event data is sent securely to the Microsoft Sentinel Ingestion API.", + "instructions": [ + { + "type": "Markdown", + "parameters": { + "content": "#### Automated Configuration and Secure Data Ingestion with Entra Application \nClicking on \"Deploy\" will create Log Analytics tables and a Data Collection Rule (DCR). It will then create an Entra application, link the DCR to it, and set the entered secret in the application. This setup enables data to be sent securely to the DCR using an Entra token." + } + }, + { + "parameters": { + "label": "Deploy Flare connector resources", + "applicationDisplayName": "Flare Connector Application" + }, + "type": "DeployPushConnectorButton" + } + ] + }, + { + "title": "2. 
Configure Flare to Send Logs to Microsoft Sentinel", + "description": "Use the following parameters to configure Flare to send logs to your workspace.", + "instructions": [ + { + "parameters": { + "label": "Entra App Registration Application ID", + "fillWith": [ + "ApplicationId" + ], + "placeholder": "Deploy push connector to get the App Registration Application ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Tenant ID (Directory ID)", + "fillWith": [ + "TenantId" + ] + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Entra App Registration Secret", + "fillWith": [ + "ApplicationSecret" + ], + "placeholder": "Deploy push connector to get the App Registration Secret" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Log Ingestion URL", + "fillWith": [ + "DataCollectionEndpoint", + "DataCollectionRuleId" + ], + "placeholder": "Deploy push connector to get the Data Collection Endpoint URI", + "value": "{0}/dataCollectionRules/{1}/streams/Custom-FireworkEventsStream?api-version=2023-01-01" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "3. Configure Alert Channel in Flare", + "description": "As an organization administrator, authenticate on [Flare](https://app.flare.io) and access the [alerts page](https://app.flare.io/#/alerts?activeTab=alert-channels) to create a new alert channel. Select 'Microsoft Sentinel' and copy the above fields in the form. 
For more details, refer to the [Flare documentation](https://docs.flare.io).", + "instructions": [] + } + ], + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "Microsoft Entra", + "description": "Permission to create an app registration in Microsoft Entra ID." + }, + { + "name": "Microsoft Azure", + "description": "Permission to assign Monitoring Metrics Publisher role on data collection rule (DCR)." + }, + { + "name": "Flare", + "description": "Permission to configure Microsoft Sentinel integration in Flare." + } + ] + }, + "publisher": "Flare Systems", + "title": "Flare Push Connector" + } + } +} diff --git a/Solutions/Flare/Data/Solution_FlareSystemsFirework.json b/Solutions/Flare/Data/Solution_FlareSystemsFirework.json index db0b3858daf..1dfac5b28dc 100644 --- a/Solutions/Flare/Data/Solution_FlareSystemsFirework.json +++ b/Solutions/Flare/Data/Solution_FlareSystemsFirework.json 
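Review bot: The sample queries "Flare - High Risk Events", "Flare - Credential Leaks" and "Flare - Events by Type" reference `EventType` and `['title']`, but FireworkV2_CL as declared in this commit has neither column: the DCR transform emits `EventOriginalType` (from `event_type`) and the raw title column is `event_title`, so these queries will fail for anyone who runs them from the connector page. Suggested replacements are `| where EventOriginalType == "CredentialLeak"`, `| summarize Count = count() by EventOriginalType` and a projection of `TimeGenerated, EventSeverity, EventOriginalType, event_title, source_name, RiskScore, Url`; whether `CredentialLeak` is the literal value Flare sends in `event_type` should be confirmed against a real event. The connectivity window also shrinks from 30d in the deleted connector to 7d here, which is a sensible tightening but worth a line in the release notes since it changes when the connector shows as disconnected.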
@@ -1,10 +1,10 @@
 {
 "Name": "Flare",
- "Author": "Microsoft - support@microsoft.com",
+ "Author": "Flare - support@flare.io",
 "Logo": "",
- "Description": "The Flare Systems [Firework](https://flare.systems/firework/) solution allows you to receive data and intelligence from Firework on Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs. \n\n a .[Azure Monitor HTTP Data Collector API ](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)",
+ "Description": "The Flare Systems [Firework](https://flare.io/platform/) solution allows you to receive data and intelligence from Firework on Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs. \n\n a .[Azure Monitor HTTP Data Collector API ](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)",
 "Data Connectors": [
- "Data Connectors/Connector_REST_API_FlareSystemsFirework.json"
+ "Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_connectorDefinition.json"
 ],
 "Workbooks": [
 "Workbooks/FlareSystemsFireworkOverview.json"
@@ -15,7 +15,6 @@
 "Analytic Rules": [
 "Analytic Rules/FlareCloudBucket.yaml",
 "Analytic Rules/FlareCredentialLeaks.yaml",
- "Analytic Rules/FlareDarkweb.yaml",
 "Analytic Rules/FlareDork.yaml",
 "Analytic Rules/FlareHost.yaml",
 "Analytic Rules/FlareInfectedDevice.yaml",
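Review bot: The rewritten `Description` still names the Azure Monitor HTTP Data Collector API as the underlying technology, but the connector this commit points `Data Connectors` at is a Push connector whose own instruction text says events are sent to the Microsoft Sentinel Ingestion API through a data collection rule, so the dependency line now documents the wrong (legacy) ingestion path. Replace the last bullet with something like `a .[Azure Monitor Logs Ingestion API](<docs URL placeholder>)` so operators assessing preview status and ingestion cost look at the right service. The identical paragraph is duplicated in the createUiDefinition.json `basics.description` hunk of this change and should be updated together.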
@@ -24,8 +23,8 @@
 "Analytic Rules/FlareSSLcert.yaml"
 ],
 "BasePath": "C:\\GitHub\\azure-sentinel\\Solutions\\Flare",
- "Version": "2.1.0",
+ "Version": "3.0.0",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": false
-}
\ No newline at end of file
+}
diff --git a/Solutions/Flare/Package/3.0.0.zip b/Solutions/Flare/Package/3.0.0.zip
new file mode 100644
index 00000000000..b43bad902bb
Binary files /dev/null and b/Solutions/Flare/Package/3.0.0.zip differ
diff --git a/Solutions/Flare/Package/createUiDefinition.json b/Solutions/Flare/Package/createUiDefinition.json
index 366f4c39797..ff51c8fad27 100644
--- a/Solutions/Flare/Package/createUiDefinition.json
+++ b/Solutions/Flare/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nFlare identifies your company’s digital assets made publicly available due to human error or malicious attacks. \n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 9, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Flare/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Flare Systems [Firework](https://flare.io/platform/) solution allows you to receive data and intelligence from Firework on Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs. \n\n a .[Azure Monitor HTTP Data Collector API ](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 8, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -60,11 +60,11 @@
 "name": "dataconnectors1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This Solution installs the data connector for Flare. You can get Flare custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ "text": "This Solution installs the data connector for Flare Push Connector. You can get Flare Push Connector data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
 },
 {
- "name": "dataconnectors-link2",
+ "name": "dataconnectors-link1",
 "type": "Microsoft.Common.TextBlock",
 "options": {
 "link": {
@@ -146,13 +146,13 @@
 {
 "name": "analytic1",
 "type": "Microsoft.Common.Section",
- "label": "Flare Leaked Credentials",
+ "label": "Flare Cloud bucket result",
 "elements": [
 {
 "name": "analytic1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Searches for Flare Leaked Credentials"
+ "text": "Results found on an publicly available cloud bucket"
 }
 }
 ]
@@ -160,13 +160,13 @@
 {
 "name": "analytic2",
 "type": "Microsoft.Common.Section",
- "label": "Flare Cloud bucket result",
+ "label": "Flare Leaked Credentials",
 "elements": [
 {
 "name": "analytic2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Results found on an publicly available cloud bucket"
+ "text": "Searches for Flare Leaked Credentials"
 }
 }
 ]
@@ -174,24 +174,10 @@ { "name": "analytic3", "type": "Microsoft.Common.Section", - "label": "Flare Darkweb result", - "elements": [ - { - "name": "analytic3-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Result found on a darkweb platform" - } - } - ] - }, - { - "name": "analytic4", - "type": "Microsoft.Common.Section", "label": "Flare Google Dork result found", "elements": [ { - "name": "analytic4-text", + "name": "analytic3-text", "type": "Microsoft.Common.TextBlock", "options": { "text": "Results using a dork on google was found" @@ -200,12 +186,12 @@ ] }, { - "name": "analytic5", + "name": "analytic4", "type": "Microsoft.Common.Section", "label": "Flare Host result", "elements": [ { - "name": "analytic5-text", + "name": "analytic4-text", "type": "Microsoft.Common.TextBlock", "options": { "text": "Results found relating to IP, domain or host" @@ -214,12 +200,12 @@ ] }, { - "name": "analytic6", + "name": "analytic5", "type": "Microsoft.Common.Section", "label": "Flare Infected Device", "elements": [ { - "name": "analytic6-text", + "name": "analytic5-text", "type": "Microsoft.Common.TextBlock", "options": { "text": "Infected Device found on darkweb or Telegram" @@ -228,12 +214,12 @@ ] }, { - "name": "analytic7", + "name": "analytic6", "type": "Microsoft.Common.Section", "label": "Flare Paste result", "elements": [ { - "name": "analytic7-text", + "name": "analytic6-text", "type": "Microsoft.Common.TextBlock", "options": { "text": "Result found on code Snippet (paste) sharing platform" @@ -242,12 +228,12 @@ ] }, { - "name": "analytic8", + "name": "analytic7", "type": "Microsoft.Common.Section", "label": "Flare Source Code found", "elements": [ { - "name": "analytic8-text", + "name": "analytic7-text", "type": "Microsoft.Common.TextBlock", "options": { "text": "Result found on Code Sharing platform" 
@@ -256,12 +242,12 @@ ] }, { - "name": "analytic9", + "name": "analytic8", "type": "Microsoft.Common.Section", "label": "Flare SSL Certificate result", "elements": [ { - "name": "analytic9-text", + "name": "analytic8-text", "type": "Microsoft.Common.TextBlock", "options": { "text": "SSL Certificate registration found" diff --git a/Solutions/Flare/Package/mainTemplate.json b/Solutions/Flare/Package/mainTemplate.json index 1448a2b0f2e..5ed49c2f9e4 100644 --- a/Solutions/Flare/Package/mainTemplate.json +++ b/Solutions/Flare/Package/mainTemplate.json @@ -2,7 +2,7 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { - "author": "Flare Integration Team - support@flare.io", + "author": "Flare - support@flare.io", "comments": "Solution template for Flare" }, "parameters": { @@ -28,6 +28,20 @@ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" } }, + "resourceGroupName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "resource group name where Microsoft Sentinel is setup" + } + }, + "subscription": { + "type": "string", + "defaultValue": "[last(split(subscription().id, '/'))]", + "metadata": { + "description": "subscription id where Microsoft Sentinel is setup" + } + }, "workbook1-name": { "type": "string", "defaultValue": "FlareSystemsFirework", 
@@ -38,64 +52,24 @@ } }, "variables": { - "solutionId": "flaresystmesinc1617114736428.flare-systems-firework-sentinel", - "_solutionId": "[variables('solutionId')]", "email": "support@flare.io", "_email": "[variables('email')]", + "solutionId": "flaresystmesinc1617114736428.flare-systems-firework-sentinel", + "_solutionId": "[variables('solutionId')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "uiConfigId1": "Flare", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "Flare", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", - "dataConnectorVersion1": "1.0.0", - "analyticRuleVersion1": "1.0.2", - "analyticRulecontentId1": "9cb7c337-f170-4af6-b0e8-b6b7552d762d", - "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]", - "analyticRuleVersion2": "1.0.1", - "analyticRulecontentId2": "9cb7c337-f172-4af6-b0e8-b6b7552d762d", - "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]", - "analyticRuleVersion3": "1.0.1", - "analyticRulecontentId3": 
"9cb7c337-f173-4af6-b0e8-b6b7552d762d", - "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3')))]", - "analyticRuleVersion4": "1.0.1", - "analyticRulecontentId4": "9cb7c337-f174-4af6-b0e8-b6b7552d762d", - "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4')))]", - "analyticRuleVersion5": "1.0.1", - "analyticRulecontentId5": "9cb7c337-f175-4af6-b0e8-b6b7552d762d", - "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5')))]", - "analyticRuleVersion6": "1.0.1", - "analyticRulecontentId6": "9cb7c337-f176-4af6-b0e8-b6b7552d762d", - "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6')))]", - "analyticRuleVersion7": "1.0.1", - "analyticRulecontentId7": "9cb7c337-f177-4af6-b0e8-b6b7552d762d", - "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]", - "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]", - "analyticRuleTemplateSpecName7": 
"[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7')))]", - "analyticRuleVersion8": "1.0.1", - "analyticRulecontentId8": "9cb7c337-f178-4af6-b0e8-b6b7552d762d", - "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]", - "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]", - "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8')))]", - "analyticRuleVersion9": "1.0.1", - "analyticRulecontentId9": "9cb7c337-f179-4af6-b0e8-b6b7552d762d", - "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]", - "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]", - "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9')))]", + "_solutionName": "Flare", + "_solutionVersion": "2.1.1", + "dataConnectorCCPVersion": "1.0.0", + "_dataConnectorContentIdConnectorDefinition1": "FireworkPush", + "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]", + "_dataConnectorContentIdConnections1": "FireworkPushConnections", + "dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]", + "blanks": "[replace('b', 'b', '')]", + "workbookVersion1": "1.0.0", + "workbookContentId1": "FireworkWorkbook", + "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]", + "_workbookContentId1": "[variables('workbookContentId1')]", "credential-warning": "credential-warning", "_credential-warning": "[variables('credential-warning')]", 
"playbookVersion1": "1.0", 
@@ -103,462 +77,179 @@ "_playbookContentId1": "[variables('playbookContentId1')]", "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", "playbookTemplateSpecName1": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1')))]", - "workbookVersion1": "1.0.0", - "workbookContentId1": "FireworkWorkbook", - "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]", - "_workbookContentId1": "[variables('workbookContentId1')]" - }, - "resources": [ - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "Flare data connector with template", - "displayName": "Flare template" - } + "analyticRuleObject1": { + "analyticRuleVersion1": "2.0.0", + "_analyticRulecontentId1": "9cb7c337-f172-4af6-b0e8-b6b7552d762d", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f172-4af6-b0e8-b6b7552d762d')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f172-4af6-b0e8-b6b7552d762d'))]" }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', 
variables('dataConnectorTemplateSpecName1'))]" - ], - "properties": { - "description": "Flare data connector with template version 2.1.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "Flare", - "publisher": "Flare", - "descriptionMarkdown": "[Flare](https://flare.systems/platform/) connector allows you to receive data and intelligence from Flare on Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Firework_CL", - "baseQuery": "Firework_CL" - } - ], - "sampleQueries": [ - { - "description": "Flare Activities -- All", - "query": "Firework_CL\n | sort by TimeGenerated desc" - } - ], - "dataTypes": [ - { - "name": "Firework_CL", - "lastDataReceivedQuery": "Firework_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "Firework_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - 
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Required Flare permissions", - "description": "only Flare organization administrators may configure the Microsoft Sentinel integration." - } - ] - }, - "instructionSteps": [ - { - "innerSteps": [ - { - "description": "As an organization administrator, authenticate on [Flare](https://app.flare.systems) and access the [team page](https://app.flare.systems#/team) to create a new alert channel." - }, - { - "description": "Click on 'Create a new alert channel' and select 'Microsoft Sentinel'. Enter your Shared Key And WorkspaceID. Save the Alert Channel. \n For more help and details, see our [Azure configuration documentation](https://docs.microsoft.com/azure/sentinel/connect-data-sources).", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID", - "value": "{0}" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "fillWith": [ - "PrimaryKey" - ], - "label": "Primary key", - "value": "{0} " - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Creating an Alert Channel for Microsoft Sentinel" - }, - { - "innerSteps": [ - { - "description": "At this point, you may configure alerts to be sent to Microsoft Sentinel the same way that you would configure regular email alerts." - }, - { - "description": "For a more detailed guide, refer to the Flare documentation." - } - ], - "title": "2. 
Associating your alert channel to an alert feed" - } - ], - "metadata": { - "id": "c3f2c642-54a5-49b4-b135-e05506720765", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "solution", - "name": "Flare" - }, - "author": { - "name": "Flare" - }, - "support": { - "tier": "developer", - "name": "Flare", - "email": "contact@flare.systems", - "link": "https://flare.systems/company/contact/" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Flare", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Flare Integration Team", - "email": "[variables('_email')]" - }, - "support": { - "name": "Flare", - "email": "contact@flare.io", - "tier": "Partner", - "link": "https://flare.io/company/contact/" - } - } - } - ] - } - } + "analyticRuleObject2": { + "analyticRuleVersion2": "2.0.0", + "_analyticRulecontentId2": "9cb7c337-f170-4af6-b0e8-b6b7552d762d", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f170-4af6-b0e8-b6b7552d762d')]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f170-4af6-b0e8-b6b7552d762d'))]" + }, + "analyticRuleObject3": { + "analyticRuleVersion3": "2.0.0", + "_analyticRulecontentId3": "9cb7c337-f174-4af6-b0e8-b6b7552d762d", + "analyticRuleId3": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f174-4af6-b0e8-b6b7552d762d')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f174-4af6-b0e8-b6b7552d762d'))]" + }, + "analyticRuleObject4": { + "analyticRuleVersion4": "2.0.0", + "_analyticRulecontentId4": "9cb7c337-f175-4af6-b0e8-b6b7552d762d", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f175-4af6-b0e8-b6b7552d762d')]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f175-4af6-b0e8-b6b7552d762d'))]" + }, + "analyticRuleObject5": { + "analyticRuleVersion5": "2.0.0", + "_analyticRulecontentId5": "9cb7c337-f176-4af6-b0e8-b6b7552d762d", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f176-4af6-b0e8-b6b7552d762d')]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f176-4af6-b0e8-b6b7552d762d'))]" + }, + "analyticRuleObject6": { + "analyticRuleVersion6": "2.0.0", + "_analyticRulecontentId6": "9cb7c337-f177-4af6-b0e8-b6b7552d762d", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f177-4af6-b0e8-b6b7552d762d')]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f177-4af6-b0e8-b6b7552d762d'))]" + }, + "analyticRuleObject7": { + "analyticRuleVersion7": "2.0.0", + "_analyticRulecontentId7": "9cb7c337-f178-4af6-b0e8-b6b7552d762d", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f178-4af6-b0e8-b6b7552d762d')]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f178-4af6-b0e8-b6b7552d762d'))]" }, + "analyticRuleObject8": { + "analyticRuleVersion8": "2.0.0", + "_analyticRulecontentId8": "9cb7c337-f179-4af6-b0e8-b6b7552d762d", + "analyticRuleId8": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f179-4af6-b0e8-b6b7552d762d')]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f179-4af6-b0e8-b6b7552d762d'))]" + } + }, + "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", + "version": "[variables('dataConnectorCCPVersion')]", "source": { - "kind": "Solution", - "name": "Flare", - "sourceId": "[variables('_solutionId')]" + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" }, "author": { - "name": "Flare Integration Team", + "name": "Flare", "email": "[variables('_email')]" }, "support": { "name": "Flare", - "email": "contact@flare.io", + "email": "support@flare.io", "tier": 
"Partner", - "link": "https://flare.io/company/contact/" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "Flare", - "publisher": "Flare", - "descriptionMarkdown": "[Flare](https://flare.systems/platform/) connector allows you to receive data and intelligence from Flare on Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Firework_CL", - "baseQuery": "Firework_CL" - } - ], - "dataTypes": [ - { - "name": "Firework_CL", - "lastDataReceivedQuery": "Firework_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "Firework_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Flare Activities -- All", - "query": "Firework_CL\n | sort by TimeGenerated desc" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Required Flare permissions", - "description": "only Flare organization administrators may configure the Microsoft Sentinel integration." - } - ] - }, - "instructionSteps": [ - { - "innerSteps": [ - { - "description": "As an organization administrator, authenticate on [Flare](https://app.flare.systems) and access the [team page](https://app.flare.systems#/team) to create a new alert channel." - }, - { - "description": "Click on 'Create a new alert channel' and select 'Microsoft Sentinel'. Enter your Shared Key And WorkspaceID. Save the Alert Channel. \n For more help and details, see our [Azure configuration documentation](https://docs.microsoft.com/azure/sentinel/connect-data-sources).", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID", - "value": "{0}" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "fillWith": [ - "PrimaryKey" - ], - "label": "Primary key", - "value": "{0} " - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Creating an Alert Channel for Microsoft Sentinel" - }, + "link": "https://flare.io/contact/" + }, + "dependencies": { + "criteria": [ { - "innerSteps": [ - { - "description": "At this point, you may configure alerts to be sent to Microsoft Sentinel the same way that you would configure regular email alerts." - }, - { - "description": "For a more detailed guide, refer to the Flare documentation." - } - ], - "title": "2. 
Associating your alert channel to an alert feed" + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector" } - ], - "id": "[variables('_uiConfigId1')]" + ] } } }, { "type": "Microsoft.Resources/templateSpecs", "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleTemplateSpecName1')]", + "name": "[variables('workbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" + "hidden-sentinelContentType": "Workbook" }, "properties": { - "description": "Flare Analytics Rule 1 with template", - "displayName": "Flare Analytics Rule template" + "description": "Flare Workbook with template", + "displayName": "Flare workbook template" } }, { "type": "Microsoft.Resources/templateSpecs/versions", "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]", + "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" + "hidden-sentinelContentType": "Workbook" }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]" + "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]" ], "properties": { - "description": "FlareCredentialLeaks_AnalyticalRules Analytics Rule with template version 2.1.0", + "description": "FlareSystemsFireworkOverview Workbook with template version 2.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion1')]", + 
"contentVersion": "[variables('workbookVersion1')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId1')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Select the time range for this Overview." + }, "properties": { - "description": "Searches for Flare Leaked Credentials", - "displayName": "Flare Leaked Credentials", - "enabled": false, - "query": "Firework_CL\n| where notempty(data_new_leaks_s) and source_s != 'stealer_logs_samples'\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "Firework_CL" - ], - "connectorId": "Flare" - } - ], - "tactics": [ - "CredentialAccess" - ], - "techniques": [ - "T1110" - ] + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Firework Logs by risk score\\n---\\n\\nThese are all your logs that came from Firework in the past 30 days, where each line represents a specific risk score\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"FireworkV2_CL\\n| make-series num=count() on timestamp_t from ago(30d) to now() step 8h by strcat(\\\"Risk Score \\\", tostring(toint(risk_score_d)))\\n| render timechart \",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Risk Score 2\",\"color\":\"turquoise\"},{\"seriesName\":\"Risk Score 
3\",\"color\":\"yellow\"},{\"seriesName\":\"Risk Score 4\",\"color\":\"orange\"},{\"seriesName\":\"Risk Score 1\",\"color\":\"lightBlue\"}]}},\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"# Sources of all documents collected\\n\\nData per day for the last 30 days\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"FireworkV2_CL\\n| make-series num=count() on timestamp_t from ago(30d) to now() step 1d by source_name_s\\n| where isnotempty(source_name_s)\\n| render barchart \",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"FireworkV2_CL\\n| where timestamp_t >= ago(30d)\\n| summarize num=count() by source_name_s\\n| where notempty(source_name_s)\\n| render piechart \",\"size\":2,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 6\"},{\"type\":1,\"content\":{\"json\":\"# Total Leaked Credentials received\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"FireworkV2_CL\\n| where notempty(column_ifexists('data_new_leaks_s', ''))\\n| make-series Total_Leaked_Credentials=count() on timestamp_t from ago(30d) to now() step 8h \\n| render timechart\",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Total_Leaked_Credentials\",\"color\":\"redBright\"}]}},\"name\":\"query - 4\"}],\"fromTemplateId\":\"sentinel-FireworkWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", "properties": { - "description": "Flare Analytics Rule 1", - "parentId": "[variables('analyticRuleId1')]", - "contentId": "[variables('_analyticRulecontentId1')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion1')]", + "description": "@{workbookKey=FireworkWorkbook; logoFileName=Flare.svg; description=Select the time range for this Overview.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=FlareSystemsFirework; templateRelativePath=FlareSystemsFireworkOverview.json; subtitle=; provider=Flare Systems}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", "source": { "kind": "Solution", "name": "Flare", "sourceId": "[variables('_solutionId')]" }, "author": { - "name": "Flare Integration Team", + "name": "Flare", "email": "[variables('_email')]" }, "support": { "name": "Flare", - "email": "contact@flare.io", + "email": "support@flare.io", "tier": "Partner", - "link": "https://flare.io/company/contact/" + "link": "https://flare.io/contact/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "Firework_CL", + "kind": "DataType" + }, + { + "contentId": "FlareSystemsFirework", + "kind": "DataConnector" + } + ] } } } 
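Review bot: The workbook metadata `dependencies.criteria` added at the end of this hunk still declares `"contentId": "Firework_CL"` (DataType) and `"contentId": "FlareSystemsFirework"` (DataConnector), while the workbook's serialized queries in the same hunk now read from `FireworkV2_CL` and the only connector definition this template deploys is `FireworkPush`. As written, Sentinel's dependency evaluation for the workbook is checked against a table and connector id the solution no longer ships, so the "data available / connector installed" signal will not reflect what the workbook actually queries. I would change the DataType criterion to `"contentId": "FireworkV2_CL"` and point the DataConnector criterion at the push connector's content id (`FireworkPush`, if that is what the packaging expects), and because Package/mainTemplate.json is generated, make the change in the solution's workbook metadata source and regenerate. The same metadata resource also carries a `description` that is a serialised PowerShell hashtable (`@{workbookKey=FireworkWorkbook; …}.description`) instead of the intended description text, which suggests the generator input for this workbook is malformed and worth checking while fixing the criteria.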
@@ -569,448 +260,414 @@ { "type": "Microsoft.Resources/templateSpecs", "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleTemplateSpecName2')]", + "name": "[variables('playbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" + "hidden-sentinelContentType": "Playbook" }, "properties": { - "description": "Flare Analytics Rule 2 with template", - "displayName": "Flare Analytics Rule template" + "description": "credential-warning playbook", + "displayName": "credential-warning playbook" } }, { "type": "Microsoft.Resources/templateSpecs/versions", "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]", + "name": "[concat(variables('playbookTemplateSpecName1'),'/',variables('playbookVersion1'))]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" + "hidden-sentinelContentType": "Playbook" }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]" + "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName1'))]" ], "properties": { - "description": "FlareCloudBucket_AnalyticalRules Analytics Rule with template version 2.1.0", + "description": "credential-warning Playbook with template version 2.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId2')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": 
"[parameters('workspace-location')]", - "properties": { - "description": "Results found on an publicly available cloud bucket", - "displayName": "Flare Cloud bucket result", - "enabled": false, - "query": "Firework_CL\n| where source_s contains \"Grayhat_warfare\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "Firework_CL" - ], - "connectorId": "Flare" - } - ], - "tactics": [ - "Reconnaissance" - ], - "techniques": [ - "T1593" - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", - "properties": { - "description": "Flare Analytics Rule 2", - "parentId": "[variables('analyticRuleId2')]", - "contentId": "[variables('_analyticRulecontentId2')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion2')]", - "source": { - "kind": "Solution", - "name": "Flare", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Flare Integration Team", - "email": "[variables('_email')]" - }, - "support": { - "name": "Flare", - "email": "contact@flare.io", - "tier": "Partner", - "link": "https://flare.io/company/contact/" - } - } + "contentVersion": "[variables('playbookVersion1')]", + "parameters": { + "PlaybookName": { + "defaultValue": "credential-warning", + "type": "string" } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "tags": { - 
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Flare Analytics Rule 3 with template", - "displayName": "Flare Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName3'),'/',variables('analyticRuleVersion3'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]" - ], - "properties": { - "description": "FlareDarkweb_AnalyticalRules Analytics Rule with template version 2.1.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion3')]", - "parameters": {}, - "variables": {}, + }, + "variables": { + "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "o365ConnectionName": "[[concat('o365-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-1": "[[variables('connection-1')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, 
"resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId3')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", "properties": { - "description": "Result found on a darkweb platform", - "displayName": "Flare Darkweb result", - "enabled": false, - "query": "Firework_CL\n| where risk_reasons_s contains \"CYBERCRIME_SOURCE\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "Firework_CL" - ], - "connectorId": "Flare" - } - ], - "tactics": [ - "Reconnaissance" - ], - "techniques": [ - "T1597" - ] + "displayName": "[[variables('AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-1')]" + } } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('o365ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", "properties": { - "description": "Flare Analytics Rule 3", - "parentId": "[variables('analyticRuleId3')]", - "contentId": "[variables('_analyticRulecontentId3')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion3')]", - "source": { - 
"kind": "Solution", - "name": "Flare", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Flare Integration Team", - "email": "[variables('_email')]" - }, - "support": { - "name": "Flare", - "email": "contact@flare.io", - "tier": "Partner", - "link": "https://flare.io/company/contact/" + "displayName": "[[parameters('PlaybookName')]", + "api": { + "id": "[[variables('_connection-2')]" } } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Flare Analytics Rule 4 with template", - "displayName": "Flare Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName4'),'/',variables('analyticRuleVersion4'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName4'))]" - ], - "properties": { - "description": "FlareDork_AnalyticalRules Analytics Rule with template version 2.1.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion4')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId4')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": 
"Results using a dork on google was found", - "displayName": "Flare Google Dork result found", - "enabled": false, - "query": "Firework_CL\n| where source_s contains \"google_search\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "Firework_CL" - ], - "connectorId": "Flare" - } - ], - "tactics": [ - "Reconnaissance" - ], - "techniques": [ - "T1593" - ] - } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "PlaybookName", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]" + ], "properties": { - "description": "Flare Analytics Rule 4", - "parentId": "[variables('analyticRuleId4')]", - "contentId": "[variables('_analyticRulecontentId4')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion4')]", - "source": { - "kind": "Solution", - "name": "Flare", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Flare Integration Team", - "email": "[variables('_email')]" - 
}, - "support": { - "name": "Flare", - "email": "contact@flare.io", - "tier": "Partner", - "link": "https://flare.io/company/contact/" - } - } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleTemplateSpecName5')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Flare Analytics Rule 5 with template", - "displayName": "Flare Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName5'),'/',variables('analyticRuleVersion5'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName5'))]" - ], - "properties": { - "description": "FlareHost_AnalyticalRules Analytics Rule with template version 2.1.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion5')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId5')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Results found relating to IP, domain or host", - "displayName": "Flare Host result", - "enabled": false, - "query": "Firework_CL\n| where source_s contains \"driller_shodan\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", - 
"queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "Firework_CL" - ], - "connectorId": "Flare" + "state": "Disabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "actions": { + "For_each": { + "actions": { + "For_each_2": { + "actions": { + "For_each_3": { + "actions": { + "Send_an_email_(V2)": { + "inputs": { + "body": { + "Body": "

Hello,
\n
\nThis is a message to warn you we believe a password you had been using has  been leaked online, as part of a data breach.
\n
\nIf the following password is one you are still using commonly, we recommend changing it as soon as possible.
\n
\n@{items('For_each_3')['hash']}
\n
\nIn addition we want to remind you not to use your corporate email address to register to services outside of work.
\n
\nCordially,
\n
\nSecurity Team
\n

", + "Subject": "Possible compromised password", + "To": "blank@flare.systems" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + }, + "type": "ApiConnection" + } + }, + "foreach": "@items('For_each_2')['passwords']", + "type": "Foreach" + } + }, + "foreach": "@body('Parse_JSON')", + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Parse_JSON": { + "inputs": { + "content": "@items('For_each')", + "schema": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "passwords": { + "items": { + "properties": { + "extra": { + "type": "object" + }, + "hash": { + "type": "string" + }, + "hash_type": { + "type": "string" + }, + "id": { + "type": "integer" + }, + "imported_at": { + "type": "string" + }, + "source_id": { + "type": "string" + }, + "source_params": { + "properties": { + "line": { + "type": "integer" + } + }, + "type": "object" + } + }, + "required": [ + "id", + "hash", + "hash_type", + "extra", + "domain", + "source_id", + "source_params", + "imported_at" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "name", + "passwords" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "ParseJson" + } + }, + "foreach": "@variables('leaks')['leaked_credentials']", + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Initialize_variable": { + "inputs": { + "variables": [ + { + "name": "leaks", + "type": "object", + "value": "@json(body('Parse_JSON_2')['Custom Details'])" + } + ] + }, + "runAfter": { + "Parse_JSON_2": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Parse_JSON_2": { + "inputs": { + "content": "@triggerBody()?['ExtendedProperties']", + "schema": { + "properties": { + "Analytic Rule Ids": { + "type": "string" + }, + "Analytic Rule Name": { + "type": "string" + }, + "Custom Details": { + "type": "string" + }, + 
"Data Sources": { + "type": "string" + }, + "Event Grouping": { + "type": "string" + }, + "ProcessedBySentinel": { + "type": "string" + }, + "Query": { + "type": "string" + }, + "Query End Time UTC": { + "type": "string" + }, + "Query Period": { + "type": "string" + }, + "Query Start Time UTC": { + "type": "string" + }, + "Search Query Results Overall Count": { + "type": "string" + }, + "Trigger Operator": { + "type": "string" + }, + "Trigger Threshold": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "ParseJson" + } + }, + "contentVersion": "1.0.0.0", + "triggers": { + "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + }, + "type": "ApiConnectionWebhook" + } } - ], - "tactics": [ - "Reconnaissance" - ], - "techniques": [ - "T1596" - ] + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "office365": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]", + "connectionName": "[[variables('o365ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" + } + } + } + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", "properties": { - "description": "Flare Analytics Rule 5", - "parentId": "[variables('analyticRuleId5')]", - "contentId": "[variables('_analyticRulecontentId5')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion5')]", + "parentId": "[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "Playbook", + "version": "[variables('playbookVersion1')]", "source": { "kind": "Solution", "name": "Flare", "sourceId": "[variables('_solutionId')]" }, "author": { - "name": "Flare Integration Team", + "name": "Flare", "email": "[variables('_email')]" }, "support": { "name": "Flare", - "email": "contact@flare.io", + "email": "support@flare.io", "tier": "Partner", - "link": "https://flare.io/company/contact/" + "link": "https://flare.io/contact/" } } } - ] + ], + "metadata": { + "title": "credential-warning", + "description": "This playbook monitors all data received from Firework looking for leaked credentials (email:password combinations). When found, this playbook will send an email to the email address warning their password has been leaked, recommending appropriate measures if necessary. 
To learn more about how to connect Firework to Microsoft Sentinel, see the [API documentation](https://docs.flared.io/azure-sentinel-integration).", + "lastUpdateTime": "2022-07-31T00:00:00Z", + "releaseNotes": [ + { + "version": "1.0.0", + "title": "credential-warning", + "notes": [ + "Initial version" + ] + } + ] + } } } }, { "type": "Microsoft.Resources/templateSpecs", "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleTemplateSpecName6')]", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", "hidden-sentinelContentType": "AnalyticsRule" }, "properties": { - "description": "Flare Analytics Rule 6 with template", + "description": "Flare Analytics Rule 1 with template", "displayName": "Flare Analytics Rule template" } }, { "type": "Microsoft.Resources/templateSpecs/versions", "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName6'),'/',variables('analyticRuleVersion6'))]", + "name": "[concat(variables('analyticRuleObject1').analyticRuleTemplateSpecName1,'/',variables('analyticRuleObject1').analyticRuleVersion1)]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", "hidden-sentinelContentType": "AnalyticsRule" }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName6'))]" + "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject1').analyticRuleTemplateSpecName1)]" ], "properties": { - "description": "FlareInfectedDevice_AnalyticalRules Analytics Rule with template version 2.1.0", + "description": "FlareCloudBucket_AnalyticalRules Analytics Rule with template version 2.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": 
"[variables('analyticRuleVersion6')]", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId6')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Infected Device found on darkweb or Telegram", - "displayName": "Flare Infected Device", + "description": "Results found on an publicly available cloud bucket", + "displayName": "Flare Cloud bucket result", "enabled": false, - "query": "Firework_CL\n| where category_name_s contains \"Infected Device\" or source_s==\"genesis_market\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", + "query": "FireworkV2_CL\n| where source_s contains \"Grayhat_warfare\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "Medium", 
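Review bot: In `Send_an_email_(V2)` the recipient is the hard-coded `"To": "blank@flare.systems"` and the body interpolates the exposed secret itself, `@{items('For_each_3')['hash']}`, so as deployed every leaked password/hash is mailed to one fixed external mailbox rather than to the affected user that `metadata.description` promises. Make the recipient a template parameter beside `PlaybookName` (or derive it from the parsed record — the outer loop's `name` field looks like the account identity, but that needs confirming against the Firework payload) and keep the secret out of the mail, e.g. `"Body": "... a password you were using (type: @{items('For_each_3')['hash_type']}, leaked: @{items('For_each_3')['imported_at']}) ..."`, since e-mail is not a channel to re-broadcast a credential. Also in this hunk, `Parse_JSON` lists `domain` under `required` without declaring it in `properties`, so validation fails on any record that lacks that field, and `hidden-SentinelTemplateName` is the literal string `PlaybookName` rather than the template's own name. Finally, the `office365` connection carries no authentication block and the workflow's `SystemAssigned` identity is given no role on the workspace anywhere in this template, so both the mail connection and the Sentinel trigger need manual post-deployment setup that the metadata should state.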
@@ -1021,44 +678,44 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "Flare",
 "dataTypes": [
- "Firework_CL"
- ],
- "connectorId": "Flare"
+ "FireworkV2_CL"
+ ]
 }
 ],
 "tactics": [
- "CredentialAccess"
+ "Reconnaissance"
 ],
 "techniques": [
- "T1555"
+ "T1593"
 ]
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
 "properties": {
- "description": "Flare Analytics Rule 6",
- "parentId": "[variables('analyticRuleId6')]",
- "contentId": "[variables('_analyticRulecontentId6')]",
+ "description": "Flare Analytics Rule 1",
+ "parentId": "[variables('analyticRuleObject1').analyticRuleId1]",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion6')]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
 "source": {
 "kind": "Solution",
 "name": "Flare",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
- "name": "Flare Integration Team",
+ "name": "Flare",
 "email": "[variables('_email')]"
 },
 "support": {
 "name": "Flare",
- "email": "contact@flare.io",
+ "email": "support@flare.io",
 "tier": "Partner",
- "link": "https://flare.io/company/contact/"
+ "link": "https://flare.io/contact/"
 }
 }
 }
@@ -1069,48 +726,48 @@ { "type": "Microsoft.Resources/templateSpecs", "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleTemplateSpecName7')]", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", "hidden-sentinelContentType": "AnalyticsRule" }, "properties": { - "description": "Flare Analytics Rule 7 with template", + "description": "Flare Analytics Rule 2 with template", "displayName": "Flare Analytics Rule template" } }, { "type": "Microsoft.Resources/templateSpecs/versions", "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName7'),'/',variables('analyticRuleVersion7'))]", + "name": "[concat(variables('analyticRuleObject2').analyticRuleTemplateSpecName2,'/',variables('analyticRuleObject2').analyticRuleVersion2)]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", "hidden-sentinelContentType": "AnalyticsRule" }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName7'))]" + "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject2').analyticRuleTemplateSpecName2)]" ], "properties": { - "description": "FlarePaste_AnalyticalRules Analytics Rule with template version 2.1.0", + "description": "FlareCredentialLeaks_AnalyticalRules Analytics Rule with template version 2.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion7')]", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId7')]", - "apiVersion": "2022-04-01-preview", + "name": 
"[variables('analyticRuleObject2')._analyticRulecontentId2]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Result found on code Snippet (paste) sharing platform", - "displayName": "Flare Paste result", + "description": "Searches for Flare Leaked Credentials", + "displayName": "Flare Leaked Credentials", "enabled": false, - "query": "Firework_CL\n| where source_s in (\"gist_github\",\"Pastebin\",\"driller_stackexchange\") and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", + "query": "FireworkV2_CL\n| where notempty(data_new_leaks_s) and source_s != 'stealer_logs_samples'\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "Medium", 
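Review bot: The new `query` only filters `FireworkV2_CL` on `notempty(data_new_leaks_s)`, and nothing visible in this rule template sets `customDetails`, yet the `credential-warning` playbook added earlier in this same template reads `body('Parse_JSON_2')['Custom Details']` and iterates `variables('leaks')['leaked_credentials']` — an alert from this rule therefore gives that playbook nothing to iterate. If this rule is meant to drive the playbook, add `"customDetails": { "leaked_credentials": "data_new_leaks_s" }` to its `properties` and confirm that column carries the JSON shape the playbook's `Parse_JSON` schema expects; otherwise the playbook description should name the rule that is expected to supply it. The rule's `properties` object continues past the end of this hunk (`status`, `requiredDataConnectors`, `tactics`).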
@@ -1121,44 +778,44 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "Flare",
 "dataTypes": [
- "Firework_CL"
- ],
- "connectorId": "Flare"
+ "FireworkV2_CL"
+ ]
 }
 ],
 "tactics": [
- "Reconnaissance"
+ "CredentialAccess"
 ],
 "techniques": [
- "T1593"
+ "T1110"
 ]
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]",
 "properties": {
- "description": "Flare Analytics Rule 7",
- "parentId": "[variables('analyticRuleId7')]",
- "contentId": "[variables('_analyticRulecontentId7')]",
+ "description": "Flare Analytics Rule 2",
+ "parentId": "[variables('analyticRuleObject2').analyticRuleId2]",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion7')]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]",
 "source": {
 "kind": "Solution",
 "name": "Flare",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
- "name": "Flare Integration Team",
+ "name": "Flare",
 "email": "[variables('_email')]"
 },
 "support": {
 "name": "Flare",
- "email": "contact@flare.io",
+ "email": "support@flare.io",
 "tier": "Partner",
- "link": "https://flare.io/company/contact/"
+ "link": "https://flare.io/contact/"
 }
 }
 }
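Review bot: `CredentialAccess` / `T1110` (Brute Force) describes an adversary actively guessing or stuffing passwords, while this rule only observes that credentials have already appeared in a leak, so the mapping labels the finding with an attacker action the data does not show. `T1589` (Gather Victim Identity Information, tactic `Reconnaissance`) describes the exposure itself and `T1078` (Valid Accounts, tactic `InitialAccess`) the risk it creates; whichever is chosen, change `tactics` to the one the technique belongs to so the pair stays consistent. The same values live in `Analytic Rules/FlareCredentialLeaks.yaml`, which this template appears to be generated from, so they should be changed there first.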
@@ -1169,48 +826,48 @@ { "type": "Microsoft.Resources/templateSpecs", "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleTemplateSpecName8')]", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", "hidden-sentinelContentType": "AnalyticsRule" }, "properties": { - "description": "Flare Analytics Rule 8 with template", + "description": "Flare Analytics Rule 3 with template", "displayName": "Flare Analytics Rule template" } }, { "type": "Microsoft.Resources/templateSpecs/versions", "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName8'),'/',variables('analyticRuleVersion8'))]", + "name": "[concat(variables('analyticRuleObject3').analyticRuleTemplateSpecName3,'/',variables('analyticRuleObject3').analyticRuleVersion3)]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", "hidden-sentinelContentType": "AnalyticsRule" }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName8'))]" + "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject3').analyticRuleTemplateSpecName3)]" ], "properties": { - "description": "FlareSourceCode_AnalyticalRules Analytics Rule with template version 2.1.0", + "description": "FlareDork_AnalyticalRules Analytics Rule with template version 2.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion8')]", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId8')]", - "apiVersion": "2022-04-01-preview", + "name": 
"[variables('analyticRuleObject3')._analyticRulecontentId3]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Result found on Code Sharing platform", - "displayName": "Flare Source Code found", + "description": "Results using a dork on google was found", + "displayName": "Flare Google Dork result found", "enabled": false, - "query": "Firework_CL\n| where source_s contains \"driller_github\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", + "query": "FireworkV2_CL\n| where source_s contains \"google_search\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "Medium", @@ -1221,10 +878,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Flare", "dataTypes": [ - "Firework_CL" - ], - "connectorId": "Flare" + "FireworkV2_CL" + ] } ], "tactics": [ 
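Review bot: `risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\"` compares a column whose `_d` suffix marks it as numeric (real) against string literals; depending on whether Log Analytics coerces the literal this either fails at query time or matches only exactly-integer scores, and the same comparison is spelled out three times. `| where source_s contains \"google_search\" and risk_score_d between (3 .. 5)` states the threshold once and in the column's own type, assuming scores are integer-valued as the three equalities imply. The same pattern appears in the other `risk_score_d` rules of this template and in their source YAML under `Analytic Rules/`, so fix it there as well.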
@@ -1238,27 +895,27 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", "properties": { - "description": "Flare Analytics Rule 8", - "parentId": "[variables('analyticRuleId8')]", - "contentId": "[variables('_analyticRulecontentId8')]", + "description": "Flare Analytics Rule 3", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion8')]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", "source": { "kind": "Solution", "name": "Flare", "sourceId": "[variables('_solutionId')]" }, "author": { - "name": "Flare Integration Team", + "name": "Flare", "email": "[variables('_email')]" }, "support": { "name": "Flare", - "email": "contact@flare.io", + "email": "support@flare.io", "tier": "Partner", - "link": "https://flare.io/company/contact/" + "link": "https://flare.io/contact/" } } } 
@@ -1269,48 +926,48 @@ { "type": "Microsoft.Resources/templateSpecs", "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleTemplateSpecName9')]", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", "hidden-sentinelContentType": "AnalyticsRule" }, "properties": { - "description": "Flare Analytics Rule 9 with template", + "description": "Flare Analytics Rule 4 with template", "displayName": "Flare Analytics Rule template" } }, { "type": "Microsoft.Resources/templateSpecs/versions", "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName9'),'/',variables('analyticRuleVersion9'))]", + "name": "[concat(variables('analyticRuleObject4').analyticRuleTemplateSpecName4,'/',variables('analyticRuleObject4').analyticRuleVersion4)]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", "hidden-sentinelContentType": "AnalyticsRule" }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName9'))]" + "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject4').analyticRuleTemplateSpecName4)]" ], "properties": { - "description": "FlareSSLcert_AnalyticalRules Analytics Rule with template version 2.1.0", + "description": "FlareHost_AnalyticalRules Analytics Rule with template version 2.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion9')]", + "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId9')]", - "apiVersion": "2022-04-01-preview", + "name": 
"[variables('analyticRuleObject4')._analyticRulecontentId4]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "SSL Certificate registration found", - "displayName": "Flare SSL Certificate result", + "description": "Results found relating to IP, domain or host", + "displayName": "Flare Host result", "enabled": false, - "query": "Firework_CL\n| where source_s contains \"certstream\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", + "query": "FireworkV2_CL\n| where source_s contains \"driller_shodan\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "Medium", 
@@ -1321,44 +978,44 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Flare", "dataTypes": [ - "Firework_CL" - ], - "connectorId": "Flare" + "FireworkV2_CL" + ] } ], "tactics": [ - "ResourceDevelopment" + "Reconnaissance" ], "techniques": [ - "T1583" + "T1596" ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", "properties": { - "description": "Flare Analytics Rule 9", - "parentId": "[variables('analyticRuleId9')]", - "contentId": "[variables('_analyticRulecontentId9')]", + "description": "Flare Analytics Rule 4", + "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion9')]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", "source": { "kind": "Solution", "name": "Flare", "sourceId": "[variables('_solutionId')]" }, "author": { - "name": "Flare Integration Team", + "name": "Flare", "email": "[variables('_email')]" }, "support": { "name": "Flare", - "email": "contact@flare.io", + "email": "support@flare.io", "tier": "Partner", - "link": "https://flare.io/company/contact/" + "link": "https://flare.io/contact/" } } } 
@@ -1369,457 +1026,396 @@ { "type": "Microsoft.Resources/templateSpecs", "apiVersion": "2022-02-01", - "name": "[variables('playbookTemplateSpecName1')]", + "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" + "hidden-sentinelContentType": "AnalyticsRule" }, "properties": { - "description": "credential-warning playbook", - "displayName": "credential-warning playbook" + "description": "Flare Analytics Rule 5 with template", + "displayName": "Flare Analytics Rule template" } }, { "type": "Microsoft.Resources/templateSpecs/versions", "apiVersion": "2022-02-01", - "name": "[concat(variables('playbookTemplateSpecName1'),'/',variables('playbookVersion1'))]", + "name": "[concat(variables('analyticRuleObject5').analyticRuleTemplateSpecName5,'/',variables('analyticRuleObject5').analyticRuleVersion5)]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" + "hidden-sentinelContentType": "AnalyticsRule" }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName1'))]" + "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject5').analyticRuleTemplateSpecName5)]" ], "properties": { - "description": "credential-warning Playbook with template version 2.1.0", + "description": "FlareInfectedDevice_AnalyticalRules Analytics Rule with template version 2.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion1')]", - "parameters": { - "PlaybookName": { - "defaultValue": "credential-warning", - "type": "string" - } - }, - "variables": { - "AzureSentinelConnectionName": "[[concat('azuresentinel-', 
parameters('PlaybookName'))]", - "o365ConnectionName": "[[concat('o365-', parameters('PlaybookName'))]", - "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-1": "[[variables('connection-1')]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", - "_connection-2": "[[variables('connection-2')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, + "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", + "parameters": {}, + "variables": {}, "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-1')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('o365ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "displayName": "[[parameters('PlaybookName')]", - "api": { - "id": "[[variables('_connection-2')]" - } + "description": "Infected Device found on darkweb or Telegram", + "displayName": "Flare Infected 
Device", + "enabled": false, + "query": "FireworkV2_CL\n| where category_name_s contains \"Infected Device\" or source_s==\"genesis_market\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Flare", + "dataTypes": [ + "FireworkV2_CL" + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1555" + ] } }, { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "LogicAppsCategory": "security", - "hidden-SentinelTemplateName": "PlaybookName", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]" - ], + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", "properties": { - "state": "Disabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "actions": { - "For_each": { - "actions": { - "For_each_2": { - "actions": { - "For_each_3": { - "actions": { - "Send_an_email_(V2)": { - "inputs": { - "body": { - "Body": "

Hello,
\n
\nThis is a message to warn you we believe a password you had been using has  been leaked online, as part of a data breach.
\n
\nIf the following password is one you are still using commonly, we recommend changing it as soon as possible.
\n
\n@{items('For_each_3')['hash']}
\n
\nIn addition we want to remind you not to use your corporate email address to register to services outside of work.
\n
\nCordially,
\n
\nSecurity Team
\n

", - "Subject": "Possible compromised password", - "To": "blank@flare.systems" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - }, - "type": "ApiConnection" - } - }, - "foreach": "@items('For_each_2')['passwords']", - "type": "Foreach" - } - }, - "foreach": "@body('Parse_JSON')", - "runAfter": { - "Parse_JSON": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Parse_JSON": { - "inputs": { - "content": "@items('For_each')", - "schema": { - "items": { - "properties": { - "name": { - "type": "string" - }, - "passwords": { - "items": { - "properties": { - "extra": { - "type": "object" - }, - "hash": { - "type": "string" - }, - "hash_type": { - "type": "string" - }, - "id": { - "type": "integer" - }, - "imported_at": { - "type": "string" - }, - "source_id": { - "type": "string" - }, - "source_params": { - "properties": { - "line": { - "type": "integer" - } - }, - "type": "object" - } - }, - "required": [ - "id", - "hash", - "hash_type", - "extra", - "domain", - "source_id", - "source_params", - "imported_at" - ], - "type": "object" - }, - "type": "array" - } - }, - "required": [ - "name", - "passwords" - ], - "type": "object" - }, - "type": "array" - } - }, - "type": "ParseJson" - } - }, - "foreach": "@variables('leaks')['leaked_credentials']", - "runAfter": { - "Initialize_variable": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Initialize_variable": { - "inputs": { - "variables": [ - { - "name": "leaks", - "type": "object", - "value": "@json(body('Parse_JSON_2')['Custom Details'])" - } - ] - }, - "runAfter": { - "Parse_JSON_2": [ - "Succeeded" - ] - }, - "type": "InitializeVariable" - }, - "Parse_JSON_2": { - "inputs": { - "content": "@triggerBody()?['ExtendedProperties']", - "schema": { - "properties": { - "Analytic Rule Ids": { - "type": "string" - }, - "Analytic Rule Name": { - "type": "string" - }, - "Custom Details": { - "type": "string" - }, - 
"Data Sources": { - "type": "string" - }, - "Event Grouping": { - "type": "string" - }, - "ProcessedBySentinel": { - "type": "string" - }, - "Query": { - "type": "string" - }, - "Query End Time UTC": { - "type": "string" - }, - "Query Period": { - "type": "string" - }, - "Query Start Time UTC": { - "type": "string" - }, - "Search Query Results Overall Count": { - "type": "string" - }, - "Trigger Operator": { - "type": "string" - }, - "Trigger Threshold": { - "type": "string" - } - }, - "type": "object" - } - }, - "type": "ParseJson" - } - }, - "contentVersion": "1.0.0.0", - "triggers": { - "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/subscribe" - }, - "type": "ApiConnectionWebhook" - } - } + "description": "Flare Analytics Rule 5", + "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", + "source": { + "kind": "Solution", + "name": "Flare", + "sourceId": "[variables('_solutionId')]" }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "connectionName": "[[variables('AzureSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "office365": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]", - "connectionName": "[[variables('o365ConnectionName')]", - 
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" - } - } - } + "author": { + "name": "Flare", + "email": "[variables('_email')]" + }, + "support": { + "name": "Flare", + "email": "support@flare.io", + "tier": "Partner", + "link": "https://flare.io/contact/" } } + } + ] + } + } + }, + { + "type": "Microsoft.Resources/templateSpecs", + "apiVersion": "2022-02-01", + "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", + "location": "[parameters('workspace-location')]", + "tags": { + "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", + "hidden-sentinelContentType": "AnalyticsRule" + }, + "properties": { + "description": "Flare Analytics Rule 6 with template", + "displayName": "Flare Analytics Rule template" + } + }, + { + "type": "Microsoft.Resources/templateSpecs/versions", + "apiVersion": "2022-02-01", + "name": "[concat(variables('analyticRuleObject6').analyticRuleTemplateSpecName6,'/',variables('analyticRuleObject6').analyticRuleVersion6)]", + "location": "[parameters('workspace-location')]", + "tags": { + "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", + "hidden-sentinelContentType": "AnalyticsRule" + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject6').analyticRuleTemplateSpecName6)]" + ], + "properties": { + "description": "FlarePaste_AnalyticalRules Analytics Rule with template version 2.1.1", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "apiVersion": "2023-02-01-preview", + "kind": 
"Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Result found on code Snippet (paste) sharing platform", + "displayName": "Flare Paste result", + "enabled": false, + "query": "FireworkV2_CL\n| where source_s in (\"gist_github\",\"Pastebin\",\"driller_stackexchange\") and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Flare", + "dataTypes": [ + "FireworkV2_CL" + ] + } + ], + "tactics": [ + "Reconnaissance" + ], + "techniques": [ + "T1593" + ] + } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", "properties": { - "parentId": "[variables('playbookId1')]", - "contentId": "[variables('_playbookContentId1')]", - "kind": "Playbook", - "version": "[variables('playbookVersion1')]", + "description": "Flare Analytics Rule 6", + "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", "source": { "kind": "Solution", "name": "Flare", "sourceId": "[variables('_solutionId')]" }, "author": { - "name": "Flare Integration Team", + "name": "Flare", "email": "[variables('_email')]" }, "support": { "name": "Flare", - "email": "contact@flare.io", + "email": "support@flare.io", 
"tier": "Partner", - "link": "https://flare.io/company/contact/" + "link": "https://flare.io/contact/" } } } - ], - "metadata": { - "title": "credential-warning", - "description": "This playbook monitors all data received from Firework looking for leaked credentials (email:password combinations). When found, this playbook will send an email to the email address warning their password has been leaked, recommending appropriate measures if necessary. To learn more about how to connect Firework to Microsoft Sentinel, see the [API documentation](https://docs.flared.io/azure-sentinel-integration).", - "lastUpdateTime": "2022-07-31T00:00:00Z", - "releaseNotes": [ - { - "version": "1.0.0", - "title": "credential-warning", - "notes": [ - "Initial version" + ] + } + } + }, + { + "type": "Microsoft.Resources/templateSpecs", + "apiVersion": "2022-02-01", + "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", + "location": "[parameters('workspace-location')]", + "tags": { + "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", + "hidden-sentinelContentType": "AnalyticsRule" + }, + "properties": { + "description": "Flare Analytics Rule 7 with template", + "displayName": "Flare Analytics Rule template" + } + }, + { + "type": "Microsoft.Resources/templateSpecs/versions", + "apiVersion": "2022-02-01", + "name": "[concat(variables('analyticRuleObject7').analyticRuleTemplateSpecName7,'/',variables('analyticRuleObject7').analyticRuleVersion7)]", + "location": "[parameters('workspace-location')]", + "tags": { + "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", + "hidden-sentinelContentType": "AnalyticsRule" + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject7').analyticRuleTemplateSpecName7)]" + ], + "properties": { + "description": "FlareSourceCode_AnalyticalRules Analytics Rule with template version 2.1.1", + "mainTemplate": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Result found on Code Sharing platform", + "displayName": "Flare Source Code found", + "enabled": false, + "query": "FireworkV2_CL\n| where source_s contains \"driller_github\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Flare", + "dataTypes": [ + "FireworkV2_CL" + ] + } + ], + "tactics": [ + "Reconnaissance" + ], + "techniques": [ + "T1593" ] } - ] - } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", + "properties": { + "description": "Flare Analytics Rule 7", + "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", + "source": { + "kind": "Solution", + "name": "Flare", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Flare", + "email": "[variables('_email')]" + }, + "support": { + "name": "Flare", + "email": 
"support@flare.io", + "tier": "Partner", + "link": "https://flare.io/contact/" + } + } + } + ] } } }, { "type": "Microsoft.Resources/templateSpecs", "apiVersion": "2022-02-01", - "name": "[variables('workbookTemplateSpecName1')]", + "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" + "hidden-sentinelContentType": "AnalyticsRule" }, "properties": { - "description": "Flare Workbook with template", - "displayName": "Flare workbook template" + "description": "Flare Analytics Rule 8 with template", + "displayName": "Flare Analytics Rule template" } }, { "type": "Microsoft.Resources/templateSpecs/versions", "apiVersion": "2022-02-01", - "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]", + "name": "[concat(variables('analyticRuleObject8').analyticRuleTemplateSpecName8,'/',variables('analyticRuleObject8').analyticRuleVersion8)]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" + "hidden-sentinelContentType": "AnalyticsRule" }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]" + "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject8').analyticRuleTemplateSpecName8)]" ], "properties": { - "description": "FlareSystemsFireworkOverviewWorkbook with template version 2.1.0", + "description": "FlareSSLcert_AnalyticalRules Analytics Rule with template version 2.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion1')]", + "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", "parameters": {}, "variables": {}, 
"resources": [ { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId1')]", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Select the time range for this Overview." - }, "properties": { - "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Firework Logs by risk score\\n---\\n\\nThese are all your logs that came from Firework in the past 30 days, where each line represents a specific risk score\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Firework_CL\\n| make-series num=count() on timestamp_t from ago(30d) to now() step 8h by strcat(\\\"Risk Score \\\", tostring(toint(risk_score_d)))\\n| render timechart \",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Risk Score 2\",\"color\":\"turquoise\"},{\"seriesName\":\"Risk Score 3\",\"color\":\"yellow\"},{\"seriesName\":\"Risk Score 4\",\"color\":\"orange\"},{\"seriesName\":\"Risk Score 1\",\"color\":\"lightBlue\"}]}},\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"# Sources of all documents collected\\n\\nData per day for the last 30 days\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Firework_CL\\n| make-series num=count() on timestamp_t from ago(30d) to now() step 1d by source_name_s\\n| where isnotempty(source_name_s)\\n| render barchart \",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 
2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Firework_CL\\n| where timestamp_t >= ago(30d)\\n| summarize num=count() by source_name_s\\n| where notempty(source_name_s)\\n| render piechart \",\"size\":2,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 6\"},{\"type\":1,\"content\":{\"json\":\"# Total Leaked Credentials received\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Firework_CL\\n| where notempty(column_ifexists('data_new_leaks_s', ''))\\n| make-series Total_Leaked_Credentials=count() on timestamp_t from ago(30d) to now() step 8h \\n| render timechart\",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Total_Leaked_Credentials\",\"color\":\"redBright\"}]}},\"name\":\"query - 4\"}],\"fromTemplateId\":\"sentinel-FireworkWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" + "description": "SSL Certificate registration found", + "displayName": "Flare SSL Certificate result", + "enabled": false, + "query": "FireworkV2_CL\n| where source_s contains \"certstream\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Flare", + "dataTypes": [ + "FireworkV2_CL" + ] + } + ], + "tactics": [ + "ResourceDevelopment" + ], + "techniques": [ + "T1583" + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", "properties": { - "description": "@{workbookKey=FireworkWorkbook; logoFileName=FlareSystems.svg; description=Select the time range for this Overview.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=FlareSystemsFirework; templateRelativePath=FlareSystemsFireworkOverview.json; subtitle=; provider=Flare Systems}.description", - "parentId": "[variables('workbookId1')]", - "contentId": "[variables('_workbookContentId1')]", - "kind": "Workbook", - "version": "[variables('workbookVersion1')]", + "description": "Flare Analytics Rule 8", + "parentId": "[variables('analyticRuleObject8').analyticRuleId8]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", "source": { "kind": "Solution", "name": "Flare", "sourceId": "[variables('_solutionId')]" }, "author": { - "name": "Flare Integration Team", + "name": "Flare", "email": "[variables('_email')]" }, "support": { "name": "Flare", - "email": "contact@flare.io", + "email": "support@flare.io", "tier": "Partner", - "link": "https://flare.io/company/contact/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "Firework_CL", - "kind": "DataType" - }, - { - "contentId": "FlareSystemsFirework", - "kind": "DataConnector" - } - ] + "link": "https://flare.io/contact/" } } } 
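Review bot: The new Infected Device rule's query, `category_name_s contains "Infected Device" or source_s=="genesis_market" and (risk_score_d == ...)`, has an operator-precedence problem: because `and` binds tighter than `or` in KQL, the risk-score filter only applies to the `genesis_market` branch, so every `Infected Device` category hit fires regardless of score, unlike the other seven rules that gate on score 3–5. If the score gate is meant to apply to both, the line should read `| where (category_name_s contains "Infected Device" or source_s == "genesis_market") and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5")`; if the ungated behaviour is deliberate, the rule description should say so since it is the only rule that alerts on low-scored events. Separately, the Paste rule's `source_s in ("gist_github","Pastebin","driller_stackexchange")` is a case-sensitive match and mixes a capitalized `Pastebin` with lowercase identifiers, so it is worth confirming the exact value the V2 connector emits or using `in~` if case may vary.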
@@ -1832,9 +1428,9 @@ "apiVersion": "2022-01-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "2.1.0", + "version": "2.1.1", "kind": "Solution", - "contentSchemaVersion": "2.0.0", + "contentSchemaVersion": "3.0.0", "contentId": "[variables('_solutionId')]", "parentId": "[variables('_solutionId')]", "source": { 
@@ -1843,77 +1439,72 @@
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
- "name": "Flare Integration Team",
+ "name": "Flare",
 "email": "[variables('_email')]"
 },
 "support": {
 "name": "Flare",
- "email": "contact@flare.io",
+ "email": "support@flare.io",
 "tier": "Partner",
- "link": "https://flare.io/company/contact/"
+ "link": "https://flare.io/contact/"
 },
 "dependencies": {
 "operator": "AND",
 "criteria": [
 {
 "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "version": "[variables('dataConnectorCCPVersion')]"
 },
 {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId1')]",
- "version": "[variables('analyticRuleVersion1')]"
+ "kind": "Workbook",
+ "contentId": "[variables('_workbookContentId1')]",
+ "version": "[variables('workbookVersion1')]"
 },
 {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId2')]",
- "version": "[variables('analyticRuleVersion2')]"
+ "kind": "Playbook",
+ "contentId": "[variables('_credential-warning')]",
+ "version": "[variables('playbookVersion1')]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId3')]",
- "version": "[variables('analyticRuleVersion3')]"
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId4')]",
- "version": "[variables('analyticRuleVersion4')]"
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId5')]",
- "version": "[variables('analyticRuleVersion5')]"
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId6')]",
- "version": "[variables('analyticRuleVersion6')]"
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId7')]",
- "version": "[variables('analyticRuleVersion7')]"
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId8')]",
- "version": "[variables('analyticRuleVersion8')]"
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId9')]",
- "version": "[variables('analyticRuleVersion9')]"
- },
- {
- "kind": "Playbook",
- "contentId": "[variables('_credential-warning')]",
- "version": "[variables('playbookVersion1')]"
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]"
 },
 {
- "kind": "Workbook",
- "contentId": "[variables('_workbookContentId1')]",
- "version": "[variables('workbookVersion1')]"
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "version": "[variables('analyticRuleObject8').analyticRuleVersion8]"
 }
 ]
 },
diff --git a/Solutions/Flare/Package/testParameters.json b/Solutions/Flare/Package/testParameters.json
new file mode 100644
index 00000000000..374de0c2010
--- /dev/null
+++ b/Solutions/Flare/Package/testParameters.json
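Review bot: The solution resource whose dependency list this hunk rewrites carries `"version": "2.1.1"` in the hunk directly above, while the new ReleaseNotes.md added later in this diff records this release as 3.0.0 (and states that notes start at 2.2.0); Content Hub compares the solution version to decide whether an installed solution is offered an upgrade, so the two values should be reconciled before merge. Within this hunk the DataConnector criterion is switched to `_dataConnectorContentIdConnections1` / `dataConnectorCCPVersion`, presumably the new CFF connector, and the removed `_dataConnectorContentId1` entry is the only place the previous connector was declared; if the deprecated REST connector content still ships in the package it is no longer tracked as a dependency, which is worth confirming against the connector resources elsewhere in the template. The `analyticRuleObject1`…`analyticRuleObject8` and `dataConnectorCCPVersion` variables are defined outside this hunk, so their existence cannot be checked from here.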
@@ -0,0 +1,46 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "FlareSystemsFirework",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ }
+}
diff --git a/Solutions/Flare/ReleaseNotes.md b/Solutions/Flare/ReleaseNotes.md
new file mode 100644
index 00000000000..15ea86dc510
--- /dev/null
+++ b/Solutions/Flare/ReleaseNotes.md
@@ -0,0 +1,15 @@
+# Release Notes
+
+Release notes are available starting from version 2.2.0.
+Earlier versions did not have published release notes.
+
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+| ----------- | ------------------------------ | ------------------------------------------------------------------------- |
+| 3.0.0 | 15-12-2024 | New CFF connector that replaces deprecated Rest API connector. |
+| | | New Polling config for CFF connector. |
+| | | New DCR config for CFF connector. |
+| | | Added Table definition for FireworkV2_CL. |
+| | | Fixed Analytic Rules to handle missing columns using `column_ifexists()`. |
+| | | Added `ReleaseNotes.md` file. |
+| 1.0.0 | 21-10-2021 | Initial Solution Release. |
+
diff --git a/Solutions/Flare/SolutionMetadata.json b/Solutions/Flare/SolutionMetadata.json
index c920dfbc8fb..d9fed00dd0a 100644
--- a/Solutions/Flare/SolutionMetadata.json
+++ b/Solutions/Flare/SolutionMetadata.json
@@ -9,8 +9,8 @@
 },
 "support": {
 "name": "Flare",
- "email": "contact@flare.io",
+ "email": "support@flare.io",
 "tier": "Partner",
- "link": "https://flare.io/company/contact/"
+ "link": "https://flare.io/contact/"
 }
-}
\ No newline at end of file
+}
diff --git a/Solutions/Flare/Workbooks/FlareSystemsFireworkOverview.json b/Solutions/Flare/Workbooks/FlareSystemsFireworkOverview.json
index ea61c83700a..099bc1c856b 100644
--- a/Solutions/Flare/Workbooks/FlareSystemsFireworkOverview.json
+++ b/Solutions/Flare/Workbooks/FlareSystemsFireworkOverview.json
@@ -12,7 +12,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "Firework_CL\n| make-series num=count() on timestamp_t from ago(30d) to now() step 8h by strcat(\"Risk Score \", tostring(toint(risk_score_d)))\n| render timechart ",
+ "query": "FireworkV2_CL\n| make-series num=count() on timestamp_t from ago(30d) to now() step 8h by strcat(\"Risk Score \", tostring(toint(risk_score_d)))\n| render timechart ",
 "size": 0,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
@@ -50,7 +50,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "Firework_CL\n| make-series num=count() on timestamp_t from ago(30d) to now() step 1d by source_name_s\n| where isnotempty(source_name_s)\n| render barchart ",
+ "query": "FireworkV2_CL\n| make-series num=count() on timestamp_t from ago(30d) to now() step 1d by source_name_s\n| where isnotempty(source_name_s)\n| render barchart ",
 "size": 0,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces"
@@ -61,7 +61,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "Firework_CL\n| where timestamp_t >= ago(30d)\n| summarize num=count() by source_name_s\n| where notempty(source_name_s)\n| render piechart ",
+ "query": "FireworkV2_CL\n| where timestamp_t >= ago(30d)\n| summarize num=count() by source_name_s\n| where notempty(source_name_s)\n| render piechart ",
 "size": 2,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces"
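Review bot: The renamed query in this hunk, and the `@@ -50` and `@@ -61` hunks that share the line, still reference `timestamp_t`, `source_name_s` and `risk_score_d` directly, whereas the `@@ -79` hunk below guards `data_new_leaks_s` with `column_ifexists(...)` and the release notes in this diff say the analytic rules were fixed the same way. Only the table name changed in these three tiles, so if the new FireworkV2_CL table (the release notes mention a new table definition and DCR for it) is ever populated without one of those columns, the tiles will fail with a semantic error rather than render empty. Consider applying the same pattern, e.g. `| where isnotempty(column_ifexists('source_name_s', ''))` in the second and third tiles, or confirm that the V2 table definition declares every column these queries use.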
@@ -79,7 +79,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "Firework_CL\n| where notempty(column_ifexists('data_new_leaks_s', ''))\n| make-series Total_Leaked_Credentials=count() on timestamp_t from ago(30d) to now() step 8h \n| render timechart",
+ "query": "FireworkV2_CL\n| where notempty(column_ifexists('data_new_leaks_s', ''))\n| make-series Total_Leaked_Credentials=count() on timestamp_t from ago(30d) to now() step 8h \n| render timechart",
 "size": 0,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",