From 1682108439cd55e75fb9162ef51b43b776cb3e83 Mon Sep 17 00:00:00 2001 
From: "jean-charles.verdier" Date: Mon, 15 Dec 2025 12:58:43 -0500 Subject: [PATCH] flare solution 3.1.0 - replaced Rest API collector with CCF collector - new Table definition - new DCR for CFF collector - new Polling configuration for CFF collector --- .../Analytic Rules/FlareCloudBucket.yaml | 8 +- .../Analytic Rules/FlareCredentialLeaks.yaml | 8 +- .../Flare/Analytic Rules/FlareDarkweb.yaml | 23 - Solutions/Flare/Analytic Rules/FlareDork.yaml | 8 +- Solutions/Flare/Analytic Rules/FlareHost.yaml | 8 +- .../Analytic Rules/FlareInfectedDevice.yaml | 8 +- .../Flare/Analytic Rules/FlarePaste.yaml | 8 +- .../Flare/Analytic Rules/FlareSSLcert.yaml | 8 +- .../Flare/Analytic Rules/FlareSourceCode.yaml | 8 +- ...nnector_REST_API_FlareSystemsFirework.json | 132 - .../FlareFireworkEventLogs_DCR.json | 167 ++ .../FlareFireworkEventLogs_PollingConfig.json | 27 + .../FlareFireworkEventLogs_Table.json | 223 ++ ...FireworkEventLogs_connectorDefinition.json | 164 ++ .../Data/Solution_FlareSystemsFirework.json | 11 +- Solutions/Flare/Package/3.0.0.zip | Bin 0 -> 15190 bytes .../Flare/Package/createUiDefinition.json | 50 +- Solutions/Flare/Package/mainTemplate.json | 2133 +++++++---------- Solutions/Flare/Package/testParameters.json | 46 + Solutions/Flare/ReleaseNotes.md | 15 + Solutions/Flare/SolutionMetadata.json | 6 +- .../FlareSystemsFireworkOverview.json | 8 +- 22 files changed, 1566 insertions(+), 1503 deletions(-) delete mode 100644 Solutions/Flare/Analytic Rules/FlareDarkweb.yaml delete mode 100644 Solutions/Flare/Data Connectors/Connector_REST_API_FlareSystemsFirework.json create mode 100644 Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_DCR.json create mode 100644 Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_PollingConfig.json create mode 100644 Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_Table.json create mode 100644 Solutions/Flare/Data 
Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_connectorDefinition.json create mode 100644 Solutions/Flare/Package/3.0.0.zip create mode 100644 Solutions/Flare/Package/testParameters.json create mode 100644 Solutions/Flare/ReleaseNotes.md diff --git a/Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml b/Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml index 01bd158a27b..5d3ef97d353 100644 --- a/Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml +++ b/Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml @@ -7,7 +7,7 @@ status: Available requiredDataConnectors: - connectorId: Flare dataTypes: - - Firework_CL + - FireworkV2_CL queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -17,7 +17,7 @@ tactics: relevantTechniques: - T1593 query: | - Firework_CL + FireworkV2_CL | where source_s contains "Grayhat_warfare" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5") -version: 1.0.1 -kind: Scheduled \ No newline at end of file +version: 2.0.0 +kind: Scheduled diff --git a/Solutions/Flare/Analytic Rules/FlareCredentialLeaks.yaml b/Solutions/Flare/Analytic Rules/FlareCredentialLeaks.yaml index 4f50f737d69..37c2309f558 100644 --- a/Solutions/Flare/Analytic Rules/FlareCredentialLeaks.yaml +++ b/Solutions/Flare/Analytic Rules/FlareCredentialLeaks.yaml @@ -7,7 +7,7 @@ status: Available requiredDataConnectors: - connectorId: Flare dataTypes: - - Firework_CL + - FireworkV2_CL queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -17,7 +17,7 @@ tactics: relevantTechniques: - T1110 query: | - Firework_CL + FireworkV2_CL | where notempty(data_new_leaks_s) and source_s != 'stealer_logs_samples' -version: 1.0.2 -kind: Scheduled \ No newline at end of file +version: 2.0.0 +kind: Scheduled diff --git a/Solutions/Flare/Analytic Rules/FlareDarkweb.yaml b/Solutions/Flare/Analytic Rules/FlareDarkweb.yaml deleted file mode 100644 index 39128e15e0c..00000000000 --- a/Solutions/Flare/Analytic Rules/FlareDarkweb.yaml +++ /dev/null 
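Review bot: The rewritten query still filters on the legacy suffixed columns `source_s` and `risk_score_d`, but FireworkV2_CL as defined in FlareFireworkEventLogs_Table.json in this same patch has `source` (string), `risk` (dynamic) and `RiskScore` (int) and no `_s`/`_d` columns, so this rule will fail with an unresolved-column error (or at best never match) once it points at the new table; the same defect is in FlareCredentialLeaks (`data_new_leaks_s`), FlareDork, FlareHost, FlareInfectedDevice (`category_name_s`), FlarePaste, FlareSSLcert and FlareSourceCode. For this rule the filter should become `| where source contains "Grayhat_warfare" and RiskScore >= 3`, which also drops the string-equality comparison against a numeric score; FlareCredentialLeaks presumably needs something like `isnotempty(data.new_leaks)`, but the nested key names are not visible in the patch and should be verified against a real FireworkV2_CL row. `connectorId: Flare` in requiredDataConnectors also no longer matches the `id` of the new connector definition, `FireworkPush`; if the solution tooling links rules to connectors by that id, every rule's connector reference is broken as well.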
@@ -1,23 +0,0 @@ -id: 9cb7c337-f173-4af6-b0e8-b6b7552d762d -name: Flare Darkweb result -description: | - 'Result found on a darkweb platform' -severity: Medium -status: Available -requiredDataConnectors: - - connectorId: Flare - dataTypes: - - Firework_CL -queryFrequency: 1h -queryPeriod: 1h -triggerOperator: gt -triggerThreshold: 0 -tactics: - - Reconnaissance -relevantTechniques: - - T1597 -query: | - Firework_CL - | where risk_reasons_s contains "CYBERCRIME_SOURCE" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5") -version: 1.0.1 -kind: Scheduled \ No newline at end of file diff --git a/Solutions/Flare/Analytic Rules/FlareDork.yaml b/Solutions/Flare/Analytic Rules/FlareDork.yaml index 43a16a7f97f..8420d20e8ac 100644 --- a/Solutions/Flare/Analytic Rules/FlareDork.yaml +++ b/Solutions/Flare/Analytic Rules/FlareDork.yaml @@ -7,7 +7,7 @@ status: Available requiredDataConnectors: - connectorId: Flare dataTypes: - - Firework_CL + - FireworkV2_CL queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -17,7 +17,7 @@ tactics: relevantTechniques: - T1593 query: | - Firework_CL + FireworkV2_CL | where source_s contains "google_search" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5") -version: 1.0.1 -kind: Scheduled \ No newline at end of file +version: 2.0.0 +kind: Scheduled diff --git a/Solutions/Flare/Analytic Rules/FlareHost.yaml b/Solutions/Flare/Analytic Rules/FlareHost.yaml index 69c5b24fd50..59f06789315 100644 --- a/Solutions/Flare/Analytic Rules/FlareHost.yaml +++ b/Solutions/Flare/Analytic Rules/FlareHost.yaml @@ -7,7 +7,7 @@ status: Available requiredDataConnectors: - connectorId: Flare dataTypes: - - Firework_CL + - FireworkV2_CL queryFrequency: 1h queryPeriod: 1h triggerOperator: gt 
@@ -17,7 +17,7 @@ tactics: relevantTechniques: - T1596 query: | - Firework_CL + FireworkV2_CL | where source_s contains "driller_shodan" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5") -version: 1.0.1 -kind: Scheduled \ No newline at end of file +version: 2.0.0 +kind: Scheduled diff --git a/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml b/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml index 3d5cc7c7709..d19c0371c46 100644 --- a/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml +++ b/Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml @@ -7,7 +7,7 @@ status: Available requiredDataConnectors: - connectorId: Flare dataTypes: - - Firework_CL + - FireworkV2_CL queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -17,7 +17,7 @@ tactics: relevantTechniques: - T1555 query: | - Firework_CL + FireworkV2_CL | where category_name_s contains "Infected Device" or source_s=="genesis_market" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5") -version: 1.0.1 -kind: Scheduled \ No newline at end of file +version: 2.0.0 +kind: Scheduled diff --git a/Solutions/Flare/Analytic Rules/FlarePaste.yaml b/Solutions/Flare/Analytic Rules/FlarePaste.yaml index bd5449ff09b..2f70dc15703 100644 --- a/Solutions/Flare/Analytic Rules/FlarePaste.yaml +++ b/Solutions/Flare/Analytic Rules/FlarePaste.yaml @@ -7,7 +7,7 @@ status: Available requiredDataConnectors: - connectorId: Flare dataTypes: - - Firework_CL + - FireworkV2_CL queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -17,7 +17,7 @@ tactics: relevantTechniques: - T1593 query: | - Firework_CL + FireworkV2_CL | where source_s in ("gist_github","Pastebin","driller_stackexchange") and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5") -version: 1.0.1 -kind: Scheduled \ No newline at end of file +version: 2.0.0 +kind: Scheduled 
diff --git a/Solutions/Flare/Analytic Rules/FlareSSLcert.yaml b/Solutions/Flare/Analytic Rules/FlareSSLcert.yaml index b11c5d47b21..5a174d4f0c5 100644 --- a/Solutions/Flare/Analytic Rules/FlareSSLcert.yaml +++ b/Solutions/Flare/Analytic Rules/FlareSSLcert.yaml @@ -7,7 +7,7 @@ status: Available requiredDataConnectors: - connectorId: Flare dataTypes: - - Firework_CL + - FireworkV2_CL queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -17,7 +17,7 @@ tactics: relevantTechniques: - T1583 query: | - Firework_CL + FireworkV2_CL | where source_s contains "certstream" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5") -version: 1.0.1 -kind: Scheduled \ No newline at end of file +version: 2.0.0 +kind: Scheduled diff --git a/Solutions/Flare/Analytic Rules/FlareSourceCode.yaml b/Solutions/Flare/Analytic Rules/FlareSourceCode.yaml index adec624539d..bde6f625d60 100644 --- a/Solutions/Flare/Analytic Rules/FlareSourceCode.yaml +++ b/Solutions/Flare/Analytic Rules/FlareSourceCode.yaml @@ -7,7 +7,7 @@ status: Available requiredDataConnectors: - connectorId: Flare dataTypes: - - Firework_CL + - FireworkV2_CL queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -17,7 +17,7 @@ tactics: relevantTechniques: - T1593 query: | - Firework_CL + FireworkV2_CL | where source_s contains "driller_github" and (risk_score_d == "3" or risk_score_d == "4" or risk_score_d == "5") -version: 1.0.1 -kind: Scheduled \ No newline at end of file +version: 2.0.0 +kind: Scheduled diff --git a/Solutions/Flare/Data Connectors/Connector_REST_API_FlareSystemsFirework.json b/Solutions/Flare/Data Connectors/Connector_REST_API_FlareSystemsFirework.json deleted file mode 100644 index a02378a4b9e..00000000000 --- a/Solutions/Flare/Data Connectors/Connector_REST_API_FlareSystemsFirework.json +++ /dev/null 
@@ -1,132 +0,0 @@ -{ - "id": "Flare", - "title": "Flare", - "publisher": "Flare", - "descriptionMarkdown": "[Flare](https://flare.systems/platform/) connector allows you to receive data and intelligence from Flare on Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Firework_CL", - "baseQuery": "Firework_CL" - } - ], - "sampleQueries": [ - { - "description": "Flare Activities -- All", - "query": "Firework_CL\n | sort by TimeGenerated desc" - } - ], - "dataTypes": [ - { - "name": "Firework_CL", - "lastDataReceivedQuery": "Firework_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "Firework_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Required Flare permissions", - "description": "only Flare organization administrators may configure the Microsoft Sentinel integration." - } - ] - }, - "instructionSteps": [ - { - "title": "1. 
Creating an Alert Channel for Microsoft Sentinel", - "description": "", - "innerSteps": [ - { - "description": "As an organization administrator, authenticate on [Flare](https://app.flare.systems) and access the [team page](https://app.flare.systems#/team) to create a new alert channel." - }, - { - "description": "Click on 'Create a new alert channel' and select 'Microsoft Sentinel'. Enter your Shared Key And WorkspaceID. Save the Alert Channel. \n For more help and details, see our [Azure configuration documentation](https://docs.microsoft.com/azure/sentinel/connect-data-sources).", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID", - "value": "{0}" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "fillWith": [ - "PrimaryKey" - ], - "label": "Primary key", - "value": "{0} " - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - { - "title": "2. Associating your alert channel to an alert feed", - "innerSteps": [ - { - "description": "At this point, you may configure alerts to be sent to Microsoft Sentinel the same way that you would configure regular email alerts." - }, - { - "description": "For a more detailed guide, refer to the Flare documentation." - } - ] - } - ], - "metadata": { - "id": "c3f2c642-54a5-49b4-b135-e05506720765", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "solution", - "name": "Flare" - }, - "author": { - "name": "Flare" - }, - "support": { - "tier": "developer", - "name": "Flare", - "email": "contact@flare.systems", - "link": "https://flare.systems/company/contact/" - } - } -} \ No newline at end of file diff --git a/Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_DCR.json b/Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_DCR.json new file mode 100644 index 00000000000..4cf49b9bda2 --- /dev/null 
+++ b/Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_DCR.json 
@@ -0,0 +1,167 @@
+{
+ "name": "FireworkCustomDCR",
+ "apiVersion": "2024-03-11",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "streamDeclarations": {
+ "Custom-FireworkEventsStream": {
+ "columns": [
+ {
+ "name": "timestamp",
+ "type": "string"
+ },
+ {
+ "name": "timestamp_formatted",
+ "type": "string"
+ },
+ {
+ "name": "first_crawled_at",
+ "type": "string"
+ },
+ {
+ "name": "materialized_at",
+ "type": "string"
+ },
+ {
+ "name": "url",
+ "type": "string"
+ },
+ {
+ "name": "event_title",
+ "type": "string"
+ },
+ {
+ "name": "event_type",
+ "type": "string"
+ },
+ {
+ "name": "source",
+ "type": "string"
+ },
+ {
+ "name": "source_name",
+ "type": "string"
+ },
+ {
+ "name": "id",
+ "type": "string"
+ },
+ {
+ "name": "keyword",
+ "type": "string"
+ },
+ {
+ "name": "category_name",
+ "type": "string"
+ },
+ {
+ "name": "content_preview",
+ "type": "dynamic"
+ },
+ {
+ "name": "content",
+ "type": "string"
+ },
+ {
+ "name": "alert_content",
+ "type": "string"
+ },
+ {
+ "name": "highlights",
+ "type": "dynamic"
+ },
+ {
+ "name": "risk",
+ "type": "dynamic"
+ },
+ {
+ "name": "tags",
+ "type": "dynamic"
+ },
+ {
+ "name": "related",
+ "type": "dynamic"
+ },
+ {
+ "name": "user_risk_score",
+ "type": "int"
+ },
+ {
+ "name": "user_notes",
+ "type": "string"
+ },
+ {
+ "name": "data",
+ "type": "dynamic"
+ },
+ {
+ "name": "uid",
+ "type": "string"
+ },
+ {
+ "name": "external_url",
+ "type": "string"
+ },
+ {
+ "name": "identifiers",
+ "type": "dynamic"
+ },
+ {
+ "name": "sort",
+ "type": "string"
+ },
+ {
+ "name": "asset_uuids",
+ "type": "dynamic"
+ },
+ {
+ "name": "code",
+ "type": "dynamic"
+ },
+ {
+ "name": "author_id",
+ "type": "string"
+ },
+ {
+ "name": "project_name",
+ "type": "string"
+ },
+ {
+ "name": "sha",
+ "type": "string"
+ },
+ {
+ "name": "actor",
+ "type": "string"
+ },
+ {
+ "name": "victim_name",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('workspaceResourceId')]",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-FireworkEventsStream"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source\n| extend\n TimeGenerated = iff(not(isempty(timestamp)), todatetime(timestamp), now()),\n EventVendor = \"Flare\",\n EventProduct = \"Firework\",\n EventSchemaVersion = \"0.1\",\n EventSeverity = case(\n toint(risk.score) == 1, \"Informational\",\n toint(risk.score) == 2, \"Low\",\n toint(risk.score) == 3, \"Medium\",\n toint(risk.score) == 4, \"High\",\n toint(risk.score) == 5, \"Critical\",\n \"Informational\"\n ),\n EventOriginalUid = uid,\n EventOriginalType = event_type,\n RiskScore = toint(risk.score),\n Url = url\n",
+ "outputStream": "Custom-FireworkV2_CL"
+ }
+ ],
+ "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]"
+ }
+}
diff --git a/Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_PollingConfig.json b/Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_PollingConfig.json
new file mode 100644
index 00000000000..730872c6045
--- /dev/null
+++ b/Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_PollingConfig.json
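Review bot: `TimeGenerated = iff(not(isempty(timestamp)), todatetime(timestamp), now())` in transformKql only falls back to now() when `timestamp` is empty; a non-empty value that todatetime() cannot parse leaves TimeGenerated null, whereas `TimeGenerated = coalesce(todatetime(timestamp), now())` covers both cases in one expression. Taking TimeGenerated from the source event also interacts with the scheduled rules in this patch, which run hourly over a 1h queryPeriod keyed on TimeGenerated: any event Flare forwards more than an hour after its own `timestamp` lands outside every rule's window and is never evaluated, so if late forwarding is possible either keep the Flare time in its own column and leave TimeGenerated as ingestion time, or widen the rules' lookback. The `toint(risk.score)` expression is evaluated six times inside case(); extending `RiskScore` first and switching on it would be cleaner and keeps the two derivations from drifting. `dataCollectionEndpointId` assumes a Data Collection Endpoint named after the workspace already exists in `resourceGroupName`; that precondition is not stated anywhere in the connector instructions.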
@@ -0,0 +1,27 @@
+{
+ "name": "FireworkPushConnectorPolling",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "kind": "Push",
+ "properties": {
+ "connectorDefinitionName": "FireworkPush",
+ "dcrConfig": {
+ "streamName": "Custom-FireworkEventsStream",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ },
+ "auth": {
+ "type": "Push",
+ "AppId": "[[parameters('auth').appId]",
+ "ServicePrincipalId": "[[parameters('auth').servicePrincipalId]"
+ },
+ "request": {
+ "RetryCount": 1
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.items"
+ ]
+ }
+ }
+}
diff --git a/Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_Table.json b/Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_Table.json
new file mode 100644
index 00000000000..4b0c5de3018
--- /dev/null
+++ b/Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_Table.json
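Review bot: `eventsJsonPaths: ["$.items"]` declares that posted payloads wrap the events in an `items` array, while step 2 of the connector definition hands Flare a direct DCR stream URL (`.../streams/Custom-FireworkEventsStream?api-version=2023-01-01`), and whether the push path applies that JSON path to the posted body is not visible in this patch. Either confirm with a test post that an `{"items": [...]}` envelope is unwrapped into rows, or state the exact body shape Flare must send in the step 2 description, so an operator who sees zero rows in FireworkV2_CL knows which side to check first. As a point of naming, the resource is called `FireworkPushConnectorPolling` and the file `_PollingConfig` although `kind` is `Push`; `FireworkPushConnector` would read less misleadingly.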
@@ -0,0 +1,223 @@ + +{ + "apiVersion": "2022-10-01", + "name": "FireworkV2_CL", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "properties": { + "plan": "Analytics", + "schema": { + "name": "FireworkV2_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime", + "description": "Timestamp when the event was ingested (ASIM)" + }, + { + "name": "EventVendor", + "type": "string", + "description": "Event vendor name - Flare (ASIM)" + }, + { + "name": "EventProduct", + "type": "string", + "description": "Event product name (ASIM)" + }, + { + "name": "EventSchemaVersion", + "type": "string", + "description": "Schema version (ASIM)" + }, + { + "name": "EventSeverity", + "type": "string", + "description": "Severity level: Informational, Low, Medium, High, Critical (ASIM)" + }, + { + "name": "EventOriginalUid", + "type": "string", + "description": "Original unique identifier (ASIM)" + }, + { + "name": "EventOriginalType", + "type": "string", + "description": "Original event type (ASIM)" + }, + { + "name": "RiskScore", + "type": "int", + "description": "Extracted risk score (1-5)" + }, + { + "name": "Url", + "type": "string", + "description": "Source URL (ASIM)" + }, + { + "name": "timestamp", + "type": "string", + "description": "Original timestamp from Flare" + }, + { + "name": "timestamp_formatted", + "type": "string", + "description": "Formatted timestamp string" + }, + { + "name": "first_crawled_at", + "type": "string", + "description": "When the item was first crawled" + }, + { + "name": "materialized_at", + "type": "string", + "description": "When the item was materialized" + }, + { + "name": "url", + "type": "string", + "description": "URL of the source" + }, + { + "name": "event_title", + "type": "string", + "description": "Title of the event" + }, + { + "name": "event_type", + "type": "string", + "description": "Type of the search item" + }, + { + "name": "source", + "type": "string", + "description": "Source identifier" + }, + { + 
"name": "source_name", + "type": "string", + "description": "Human-readable source name" + }, + { + "name": "id", + "type": "string", + "description": "Unique identifier of the item" + }, + { + "name": "keyword", + "type": "string", + "description": "Matched keyword" + }, + { + "name": "category_name", + "type": "string", + "description": "Category of the event" + }, + { + "name": "content_preview", + "type": "dynamic", + "description": "Preview of the content" + }, + { + "name": "content", + "type": "string", + "description": "Full content of the event" + }, + { + "name": "alert_content", + "type": "string", + "description": "Content formatted for alerting" + }, + { + "name": "highlights", + "type": "dynamic", + "description": "Highlighted matches in the content" + }, + { + "name": "risk", + "type": "dynamic", + "description": "Risk object containing score" + }, + { + "name": "tags", + "type": "dynamic", + "description": "List of tags" + }, + { + "name": "related", + "type": "dynamic", + "description": "List of related URLs" + }, + { + "name": "user_risk_score", + "type": "int", + "description": "User-assigned risk score override" + }, + { + "name": "user_notes", + "type": "string", + "description": "User notes on the event" + }, + { + "name": "data", + "type": "dynamic", + "description": "Additional data payload" + }, + { + "name": "uid", + "type": "string", + "description": "Unique identifier (UID format)" + }, + { + "name": "external_url", + "type": "string", + "description": "External URL reference" + }, + { + "name": "identifiers", + "type": "dynamic", + "description": "Array of matched identifiers [{id, type, name, query, group}]" + }, + { + "name": "sort", + "type": "string" + }, + { + "name": "asset_uuids", + "type": "dynamic", + "description": "List of related asset UUIDs" + }, + { + "name": "code", + "type": "dynamic", + "description": "Code metadata" + }, + { + "name": "author_id", + "type": "string", + "description": "Author identifier" + }, + { + 
"name": "project_name", + "type": "string", + "description": "Project name (for code-related events)" + }, + { + "name": "sha", + "type": "string", + "description": "Commit SHA (for code-related events)" + }, + { + "name": "actor", + "type": "string", + "description": "Actor/threat actor name" + }, + { + "name": "victim_name", + "type": "string", + "description": "Victim name if applicable" + } + ] + } + } +} diff --git a/Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_connectorDefinition.json b/Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_connectorDefinition.json new file mode 100644 index 00000000000..aedb68627c7 --- /dev/null +++ b/Solutions/Flare/Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_connectorDefinition.json 
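Review bot: The `TimeGenerated` description, "Timestamp when the event was ingested (ASIM)", contradicts the DCR transform in this patch, which sets TimeGenerated from the event's `timestamp` field whenever it is present and only falls back to now(); suggest `"Event time taken from the Flare timestamp field; ingestion time when that field is absent"`. The `sort` column is the only one without a description, and the file begins with an empty added line before `{`. The descriptions of `content`, `alert_content` and `data` ("Full content of the event", "Additional data payload") do not say what these fields can hold; given that FlareCredentialLeaks filters on a new_leaks element of `data`, they presumably carry the leaked material itself for credential-leak events, and saying so in the description lets workspace owners decide on table-level access control and retention for FireworkV2_CL rather than discovering it after the fact.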
@@ -0,0 +1,164 @@ +{ + "name": "FireworkPush", + "apiVersion": "2025-09-01", + "type": "Microsoft.SecurityInsights/dataConnectorDefinitions", + "kind": "Customizable", + "location": "[parameters('workspace-location')]", + "properties": { + "connectorUiConfig": { + "availability": { + "status": 1 + }, + "connectivityCriteria": [ + { + "type": "IsConnectedQuery", + "value": [ + "FireworkV2_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" + ] + } + ], + "dataTypes": [ + { + "name": "FireworkV2_CL", + "lastDataReceivedQuery": "FireworkV2_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "descriptionMarkdown": "The [Flare](https://flare.io) connector provides the capability to ingest threat intelligence and exposure data from Flare into Microsoft Sentinel. Flare identifies your company's digital assets made publicly available due to human error or malicious attacks, including leaked credentials, exposed cloud buckets, darkweb mentions, and more.", + "graphQueriesTableName": "FireworkV2_CL", + "graphQueries": [ + { + "metricName": "Total Flare Events", + "legend": "FireworkV2_CL", + "baseQuery": "FireworkV2_CL" + } + ], + "sampleQueries": [ + { + "description": "Flare - All Events", + "query": "{{graphQueriesTableName}} \n | sort by TimeGenerated desc" + }, + { + "description": "Flare - High Risk Events (Score >= 4)", + "query": "{{graphQueriesTableName}} \n | where RiskScore >= 4\n | project TimeGenerated, EventSeverity, EventType, ['title'], source_name, RiskScore, Url\n | sort by TimeGenerated desc" + }, + { + "description": "Flare - Credential Leaks", + "query": "{{graphQueriesTableName}} \n | where EventType == \"CredentialLeak\"\n | project TimeGenerated, EventSeverity, ['title'], source_name, keyword, RiskScore\n | sort by TimeGenerated desc" + }, + { + "description": "Flare - Events by Severity", + "query": "{{graphQueriesTableName}} \n | summarize Count = count() by 
EventSeverity\n | order by Count desc" + }, + { + "description": "Flare - Events by Type", + "query": "{{graphQueriesTableName}} \n | summarize Count = count() by EventType\n | order by Count desc" + } + ], + "id": "FireworkPush", + "instructionSteps": [ + { + "title": "1. Create ARM Resources and Provide the Required Permissions", + "description": "This connector enables Flare to send threat exposure data to Microsoft Sentinel. When data forwarding is enabled in Flare, raw event data is sent securely to the Microsoft Sentinel Ingestion API.", + "instructions": [ + { + "type": "Markdown", + "parameters": { + "content": "#### Automated Configuration and Secure Data Ingestion with Entra Application \nClicking on \"Deploy\" will create Log Analytics tables and a Data Collection Rule (DCR). It will then create an Entra application, link the DCR to it, and set the entered secret in the application. This setup enables data to be sent securely to the DCR using an Entra token." + } + }, + { + "parameters": { + "label": "Deploy Flare connector resources", + "applicationDisplayName": "Flare Connector Application" + }, + "type": "DeployPushConnectorButton" + } + ] + }, + { + "title": "2. 
Configure Flare to Send Logs to Microsoft Sentinel", + "description": "Use the following parameters to configure Flare to send logs to your workspace.", + "instructions": [ + { + "parameters": { + "label": "Entra App Registration Application ID", + "fillWith": [ + "ApplicationId" + ], + "placeholder": "Deploy push connector to get the App Registration Application ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Tenant ID (Directory ID)", + "fillWith": [ + "TenantId" + ] + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Entra App Registration Secret", + "fillWith": [ + "ApplicationSecret" + ], + "placeholder": "Deploy push connector to get the App Registration Secret" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "label": "Log Ingestion URL", + "fillWith": [ + "DataCollectionEndpoint", + "DataCollectionRuleId" + ], + "placeholder": "Deploy push connector to get the Data Collection Endpoint URI", + "value": "{0}/dataCollectionRules/{1}/streams/Custom-FireworkEventsStream?api-version=2023-01-01" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "3. Configure Alert Channel in Flare", + "description": "As an organization administrator, authenticate on [Flare](https://app.flare.io) and access the [alerts page](https://app.flare.io/#/alerts?activeTab=alert-channels) to create a new alert channel. Select 'Microsoft Sentinel' and copy the above fields in the form. 
For more details, refer to the [Flare documentation](https://docs.flare.io).", + "instructions": [] + } + ], + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "Microsoft Entra", + "description": "Permission to create an app registration in Microsoft Entra ID." + }, + { + "name": "Microsoft Azure", + "description": "Permission to assign Monitoring Metrics Publisher role on data collection rule (DCR)." + }, + { + "name": "Flare", + "description": "Permission to configure Microsoft Sentinel integration in Flare." + } + ] + }, + "publisher": "Flare Systems", + "title": "Flare Push Connector" + } + } +} diff --git a/Solutions/Flare/Data/Solution_FlareSystemsFirework.json b/Solutions/Flare/Data/Solution_FlareSystemsFirework.json index db0b3858daf..1dfac5b28dc 100644 --- a/Solutions/Flare/Data/Solution_FlareSystemsFirework.json +++ b/Solutions/Flare/Data/Solution_FlareSystemsFirework.json 
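Review bot: The sample queries "High Risk Events", "Credential Leaks" and "Events by Type" reference `EventType` and `['title']`, but neither the table in this patch nor the DCR transform produces those columns — the table has `EventOriginalType` and `event_title` — so three of the five samples fail as written. Replace `EventType` with `EventOriginalType` and `['title']` with `event_title`, and confirm the literal `"CredentialLeak"` against the `event_type` values Flare actually sends, which are not visible in the patch. The workspace permission block still requests `delete: true`, carried over from the removed REST connector; a push connector that only creates a table and a DCR does not obviously need delete on the workspace, so if the packaging validator does not require it, dropping it is the least-privilege option.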
@@ -1,10 +1,10 @@
 {
 "Name": "Flare",
- "Author": "Microsoft - support@microsoft.com",
+ "Author": "Flare - support@flare.io",
 "Logo": "",
- "Description": "The Flare Systems [Firework](https://flare.systems/firework/) solution allows you to receive data and intelligence from Firework on Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs. \n\n a .[Azure Monitor HTTP Data Collector API ](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)",
+ "Description": "The Flare Systems [Firework](https://flare.io/platform/) solution allows you to receive data and intelligence from Firework on Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs. \n\n a .[Azure Monitor HTTP Data Collector API ](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)",
 "Data Connectors": [
- "Data Connectors/Connector_REST_API_FlareSystemsFirework.json"
+ "Data Connectors/FlareFireworkEventLogs_ccp/FlareFireworkEventLogs_connectorDefinition.json"
 ],
 "Workbooks": [
 "Workbooks/FlareSystemsFireworkOverview.json"
@@ -15,7 +15,6 @@
 "Analytic Rules": [
 "Analytic Rules/FlareCloudBucket.yaml",
 "Analytic Rules/FlareCredentialLeaks.yaml",
- "Analytic Rules/FlareDarkweb.yaml",
 "Analytic Rules/FlareDork.yaml",
 "Analytic Rules/FlareHost.yaml",
 "Analytic Rules/FlareInfectedDevice.yaml",
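Review bot: The updated Description still names `Azure Monitor HTTP Data Collector API` as the underlying dependency, but this patch deletes the REST API connector that used it and replaces it with a CCF push connector built on a Data Collection Rule and the Logs Ingestion API, so the dependency line is now stale and should name the Logs Ingestion API / DCR instead. In the next hunk (`@@ -24,8 +23,8`) Version becomes `3.0.0` and the added package is `3.0.0.zip`, while the commit subject says `flare solution 3.1.0`; one of the three should be corrected before the package is rebuilt. The Description also keeps the product name "Firework" while the new connector is titled "Flare Push Connector" and the links moved from flare.systems to flare.io, so one consistent product name across the solution would help.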
@@ -24,8 +23,8 @@ "Analytic Rules/FlareSSLcert.yaml" ], "BasePath": "C:\\GitHub\\azure-sentinel\\Solutions\\Flare", - "Version": "2.1.0", + "Version": "3.0.0", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1PConnector": false -} \ No newline at end of file +} diff --git a/Solutions/Flare/Package/3.0.0.zip b/Solutions/Flare/Package/3.0.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..b43bad902bb83d153e5bbe07c008be07bbffca99 GIT binary patch literal 15190 zcmZ|0V~{3I(5OA;4)4K^ZQHi39ox3e9ox2T+qUf;n`fT){q>zMPIq)ybZ2#TM#dEt zS(TOYQlMZcKtMoHK*%yAS{jG6U5U^@K3K8(IrT zTbr#vpEet!$lp7147)gb60ziD*6F>ijW=u7$h~d9lhb$cvHBvg<2?Ud)ptlySy<%G zIK;TfIiwzy5K~42*5Kb_0QR8`_pcjkdtRHMH(xdZzX8WM0qB|;=>vQ8zWZd-^-zGs zWz!y0%ujxjp>zz~mza-{K;;9}k)a!PqK21?3P7g)7>(MzZx-~#4(XR~WW4YFTcgUP z5xM+=YK?ntk^<8O9>+2q1jj#Ai-9EK^`xr1r9|`OToLO|p_f)jpj~juX*cChh?`dT z5nofz2YCJApgx~AdgBnt$BHYBFw$A>rlI2RT?sHz$Qe4y2D9cHBAWxNbc{v+_+)7z zQG3oqUr3_FWGR$^AdJ5rZsml=Aw5vVb8KpJ!7aOaQ8~J9ayf-~w4J}*Q8vy`V$kmd zpFF-5(GWa&*a4%z0){axYGJG*>6HXa!Bdc=?TeW~Qid4`PNA!?NEqk$5yMu#zdq
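Review bot: `"Version": "3.0.0"` disagrees with the commit subject ("flare solution 3.1.0") and with `"_solutionVersion": "2.1.1"` in the mainTemplate.json variables hunk further down, while the package archive added in this same commit is named 3.0.0.zip. Since the packaged mainTemplate is generated from this Solution data file, the mismatch suggests the package was built from a different version of the file than the one committed; the three values should be reconciled to one number and the package regenerated before merge. It is also worth confirming that the ReleaseNotes.md entry this commit adds uses the same version string.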

VQf~$Ed~{v6#6RVZPja?us?|}=fC(tA`KUzpf&qZ^chnu z2>h`USlCP)kI78TBBCS(q6((NJ7V*jBc)0xH3G57gHMIp%`1%-M0q7xqLD~t&Da5x z(}}Vc5+>7XT5t;n=BrizhDTo@k|_&lm?1`M5Cu&z=rKT2(1Lf7#)0&URX|>8B?VFM zCe;JeoMX+Oz{t5~0(xK&GYhq5Gnga?%R7xZm*OTC?5)HSu zJLe*Zl0;mLJpHwNJuf?I9og=LnnKSpabLYho>D83)C-SV&#bZz4=yVG>#s7-tkND( zP`JNH*6;d4V>AJCaq=61g0Y~YEcM@FIq(7TbACme;7&Da zm-t1R^ob=gZ?hL&N*=r_7CL+!@zT^Z2)o>XQ(V4+5z_z~OF;up4v}IKVw7^La>fm0 z8mzK?Bij2SSl?dK6iOk!PlqI{JeYQPeOP(swZ`xW7A+7r%&2iEKhr|TlmiwU!^s=lhWkm(C=4d8@*XydXt@~0N83WA@|vc{|0Y%0*&(e;cvO%O zu=gU7w=HM2Rlj>|QYB0Mn$jo)Cdd<)vlr|~2N1XP@8d%g%Sit6QX>*J_F6|1B+d$o z^hUTb%CF^8s0(3p3bgGh`5*1AP&%Crp#L#GYd?fP_xb9LI*OlGsc3*m={oKKpLx@x z0nM}Tl}wJM*9m%hIMpWc6~gS0#u51!OzHDUl!aaNp)OI8r0y<3!Ej96c~WaX488j+esMF#* z+hyf2`=S{#+&m~;SxSAY^TDkXEaqbY2{GxCjrzo*>d%IOICjv}t1{76nad#k+F^_%pz%of0gD@q z%bn5bNe$Ge=Rz0B9S^3Rmirs2G~GxmJzAy2!oOYp-hK6-&}${jVfz-ZQ|r*+twb8@ zDusdR_koDbHSG0G|Hd_FTwBXqt?%9=9XFZ8`}w0!O9%3#2)kp{9>j0vN|gcGK;oFH z2@sOVp$CXq{J~%4M9nOI%h7wJQ_8i7Bb%HIydq)l?)5%SRlv?2@-Yx-e5;QDBTL4} z+rZBf`97~txFZKoo<;|gMgfd%613zdYX3h9?y7=)(r5Ym+!NATmj4ENR3Ly8uC&Yx zMmg*yimGfV_|BQ{_RLHaY&%>ZBr-8#N*N0*03;bO<2;gcD&{26+(yc*j?nIL z@+)o1vTsub)gcv4FYnSPa9}C-Vy@@h>v>1+OhIhtO@jQ4p-d{-*B8bShVkaxoej2C zRuh=E>NmKp?afA=!_OWa;m^wxIT_R8k06$)Z)~bEtUNSOs`#u+FUioj$wNu5S|aEo z+MX0AMdPbWE3%1JC{in$bNMQ*8+*be3p_+YYy4q~@zH1V&McyF?G=`TtpyIwAliTK zmjj$V{&WTHZwERRSa-B-g8>gSS`#oGNm7jBkhoggr#SCO|G6f%w>C*SmQGw*048XZ zI?ybyRGfOVSwg(Z#Gr{98vN*InTNj^)Ks)ons(9HP`sST^a(sro3A35 z)}For6JWwnm=QS{+039?q*3U)N}SqB(T!|fTB=30pAa3SMQpJysS(^%-Lna8O_D~4 zZmsBQQKX&4Na9bGmqMDFLQU+jWSuBMl|7EuYh*pp#Sj&0REAtjjkJOgFsYRE@nCyO z*yTaU$)S+>9G9GUt{!{oehoG#snx{v9;t;L5i}-{ZqSQ1&TwX1)r9__U-i6FW}sI} z`&G6zMO?V1e8W%eugyTK)ei>u*aH({yVpO$<+4Xn&kRbVbPUbl0E3C#FdXB3JY1i)iemJMr!@ zJn2$CwyC{)w*{tRfjRboRqd;2;0>b8^UR$`q;j;ye>EE6^&~NUm3aiKd65itgY@yd zqxaEVDC4~lEIxtFjGq}Mr=O>8qwD#sHSEcnL+r~U-atS|vudgVK_!eNmQ!k+m5|t? 
zO-(hI>~m<|?e2Vb8rjA=(v^vp7~x{y$@ambbvlp29W|bD`By(jfnCt-H4N$^R`z`9 zPdN^^L@2v+xjFQ5K^3p*Y%uT8UeE+kn)12K1uQf#s5u+_3GUD)D~>PSbaTL>+fEGLd3Iv>s~kVs;N%9_h4xVPcSbaIp<%V~Dl zDK4=&mn zE`X5^Vb;4TI)L&1pfT)Ev~6_{ba|NjZ(NL=*B2kC);q=$ilkbVL=YkhMYWn*hQtDkW0e?qu_-k%Ow zE%hhgJ}}gd78ELR@uhMj;a&yeWZ^cM!j@waOX-xjb`XU2%-GUE@)7$7<=)BOjo$H9 z5cC7DxRZ9|W2}z0N5a@%PM}eu2ce?Rq3BS~Uj&&HX?xRDi)oS=VQL#2Zz)w6Pq#sn zVRS7wJC3r=*sM%DgHKn}yBA;6KE9^4|KfWM5#+BTCP5IS>K|?UK5965%y#s;%#fwth9c?0!F-V8pEsA-{d!fDi<6y3v+I3iaV}PePv)F(7~pAGxyKJfj(x7h8Bh zbit5&j&-&bPKwRX`q}&zD-WKA4dN}I2ARB#6z?C(=ZfL@O)1)gzZi!A>@OO8xR{fA z<)?n$L+~Xm%T+Ur|F%TJ=5{r?J$0vz44ti_Vrx&4LGhI z(Axj9gw5lF%I}T^>zJjCR|@!Yo_VQ)sug-8i2D|NRyvnPLLDW^+(ts*vSU>m+R4l< z1&O5mxL5eB!PE`nTzj$_X5k5789D13@PeF(y3%A+Anc7zmLL`^gDMfu^}&M%2>>Dl zi3|=R6yVy}y6<9kB+3Cp0SV5H@ai=*hlW(_j`y{%AeRV4i{(#HK1>kui#B+jd z$w8ByqMzH5u0{!`45loS;Yyd{JK!GP$HuPd-bON~wL~6*MmZPpT7k;sB2AeH6%Tr0 z+qU!a;i5SRf#D`$-8Qqbwv=uNZCR559#{Xi1eR_jvc$GA7`6oR{*nhAC)#v+A;wP* zA|wLL>Li!e%Btk)1&o87id(~!?{JP$Vt9}jMvX$sNy%G(qpE{ zwLV1CSq9Q->Y~i))|2^NCZ8SAc`1+w17n#8ORs;yLy86Vea&s}eO*n^Jk}xTj!8e* zPO3izr;SOcw2!g>`%A|FLD+P+TnVK_r-grVCF+VcKDBHMyeBEAf4zzB#F%8jrHGcl zA!MJ0#)1Rbg_pjhxcA-{AC{A&o7Z$16synO-kI4tO<{5n@`fq=wOE^R+nV~<+(s>L z3FuyVQM_~?Huco`y?WvL>6rJ^QMU2Wc5t`_Vr*+_H8ydjU=kez&2Y!6EoxnZBBeY9 z%+(O#y=C0PV@6_EKh(-;WD9rxTT+6M+JFctFj71SJf9aZa3@v@s#qjb7sM|XVMi6e zU&{_5O&kh9f1rALdrp0?UFaJBWWi4SfVmZzN)Cgw*xd`wB#HgX%&bRtxT6{z z8%rJ~DDi^s(g&QEJ~|%My)V9vS@Lc4B~<40Qfc!27_=g%o(uPi&^dhPt3NtA?u!eF z@hT^!6)$1+>#M~v=7aT%&HfPI25gvbM8t)yxJkcs|7g-K&Him21CPVgQ|vRNZ_dUS zZwLEngzM1Q*NdH(lYP}W2Htf`MCjIK+?bIFfed#K`8+ru!ePDX%%=`l5rsQ^)*u`0 zj}$4gX;>$QhNK^ZEp_i)9bTmBwmG zkpOpfB^QMCq^$vCoEJ_$Si;&Q4OH&{)px4-1{?y#x7 zI9=v*7&+?{yha_scn;Q;v~4D;L*4*3bzLOUvdYMdSQeMQ0mbZ?+TL2*TIja?^h@B9 zyh105VjHTbBH;bqMBCAkG31QydMDA7kXoT~;!WEZ$EGTX(@KorP33c6pdruKL*^^7 zFT@5r5*XzrqQc8UA`8i*Tzn;%HZo0Bkd;9@{P}_e@Nr5=DcXnP8kQm&o0yQC4XB_UvOpWwm zst0A-tYtSC>=_e~DxG?(7Qbft|K6cb+G@MhsGct+<~~QfTtvz5g~G>WkpGbxH3Q4* 
zq{YEbO#+>sUCi-IXw7s8Aj$70&K4sZbcO2g{yVA*3~-c1l#YE0U&g|CB$>FC-h$zy z+DXQe1oO~yjK*e#t^J-w9W4S-)`iw03d1lD&qtjqp3d=1Z@OfBW<=<|$ktjaI{(b$& zgF&=<%1`iw(!ex4rds{tM2Zcm6pJo7h>G}95w%ECzLau_5tmsGnwo9}F;E=(oa1_K zEmT*S06hoO=AjZITiFZ44a+^BdY`yr_p*90cu%SE&17^m5V|Sx{(=POt-cW{ z#q7f$eiWH|0J7~_ReJ--lAhC~w1FcsJDAtc%v~8V^L2EuZhZ59LZ2!}$jg?i-B=LT zisu3$jd=w;*dcUXOH%U8cU=)!+eY!vJ)v1Y&vISy9LZ;k!s2uhyr?#^c+BDF9vCuT zQn&l-gk)h3XfTJg9PVY?v$3YiaYTzEjv$a1b_Oq@{>v<}x{`8=#D3X{k~t-1kSu3E zpxwKXNbwO)*3ZTZ)IKdCtymsUZU^svICJQZ^{Vddq9cLEJT)enUhhIp#_LSrbbp71 zsRPPuo`bcvCO15wd3BWKu%83pW1`&MRH~O%YH(&LA~YF7)WzwaL?g#Q9&{C&ATcjR zSta$A4!5Po7`|puGXX^{Hbz&_W!o0Q-XQ|HFaBHc%-Sss0v|f4lnkg%xo1An!ce~P zJ2~9v-boji6TKBqlo7qN`~4@ltA3ut78`aVor#zEYe`MlJ6QHOekxILUaX;wH=rCt z&D12Iw>kROSMCVqb0G!0AOZiT)LoM8L5}BqvwwC#H;W0J;}_Rywg;}dExyW_tEHkG zw^Oh)UCAU9!X2Vth1tR7!@pxR&XjgkXn=Kke>VXLUDzo>%v*~E%#7>~C6~GdmOLVT z2sB|gF@8$`d#0a$rB4(~U2vjXxv6@bSx7${>FXUx))aUxt^&y#&23A>w2DYXuh$t% zLOQ3z?jD1}b=d=V+ER;p5-fYM^aIKrQq-0PE;AZ1s=YY{PD=LF_^i>0&JO+8r`C9V zG2b%R;S=Wh>{gW-MO?6A2UyWlh>UPIa)WC2^(50a*0K8~uCNWm#cX53zdvV6Gfq{} z)<|y+4kF9q#6(8{yUsPSq9j92Q?D9HTHEq7?}6nbkwc9c^>xWJTa0VetK|p31~SSi z?zQ?2E2x0H-0E71g#ZPy<*iyCd71UQz>TX|EbTKwCt65&@5os>c~MN`OR3zs_YM1j zih&$U-paBkrX1biu&0XF9#ntWi*HM`xtD~!+7n=!7y4m5pPPTbo72a==};QlDPwxIX;vT!O8S@7Z#2pySO=0f%liEi6 zq_2MKZ$dRUuS%a&u5_}xvP%lbb$;G9v2!lQotD|62wdcj<><+_>iiM?zCd2x$Tb`R zwnVpTs2Oaw$eHF@1V10p{1fDG3jU4EO+=F22srD(w#hWm;wqtW;mg)Zq`w5E`V%ys zRe(X+&)^lOJ?Q>jh)!WR)C&Gq&0m(9x=G2@@9byCtqvkziX-~)3J!YfS9<}7LokG? zpf>n1`})xe8Jy4}0vO}xFrna2MM4hyK+>-|^9o+hIs{`Uh05=};;V^{;bQq{mQ*Dl zJFv~6(FKh)W~9P<+WQ81l(1!1UP|W{43qXnyPyt!Zkr%^K9^1<|7!0W1hI4N&`XCV zp<8{JO(0+e$avp^UzHi{075;bu$2C^yI-=>&|;bHl8{vRgBn)NUcmE}0Yi5*MGndN zU6gc-(R5=*45sBJ2Do=3OY5KbP>>G5e^bf1U&Cw~4~{+1yGjY^UR@&!RooYXfZLF9 zWzF&WOc*pMKdc}s?i#`c@s^(4py_p6vv}HUwc~nb850t+GLl+1jJe|?uut;?T&3J= z(nKE)QQ9a-1es9VD2|)3bgkVVdv(YwF{1fTb217b9oWMKsg4~KtIW{z+K^Gi;#w-h z=oPxwbMx`})yrE8|E%cf(R#;|k=fN3e_3yqFmht}{WcV{*;mhz8S5SyD=@X{r8k4#NMxYNk+kw!H=kV5|5F? 
zkF!M8;2j_o2bjU}iiZYxd`Pdb>g9xA zJdJ6xU{?RK%#=USVael<;3>co{-F4&Q5dM4OaEgJV=}bvuc(OFD7L{SB;HJEgP=vW zi#W*-k1+C8DbZPF)mUv$MST!kaG?(e^I@ID;gUAqKDDGr zEX=QLO2r6qQL62ZjV|=SBK*-#hCbwPpuHy8R2r|=O73vUn_7d|s%2w$i)k27DxB>6 zVUm$U)EIH`oSWYD7{!66&q7aL{y1xy?_;7 z_1LH(B|T^#V=O%v8;S-;fKEJ|huJE}GYe&D^%dGb)TOmxPTN&)=P@4gS6KTqFI8Hob+gs9i3oS8~vB~l4y z5~$o+85ufAy1_}-?rd~5q&6yYRB%@OE9fa$>?-UThNO7|*JI$yQ~dgc2URsUwBOsq zd2*Qbe)$z{gEj9IjY0V3{FTBNqMKUi&yWBW)gCcpd^rcXXGNR>xUWRC3O{~rTWo#X z>~OB{EaU67B!BC$rC3S0*Yneqq-f{*ik^8|czc-0mIe|4EgME=?UlfaV^|J@dM**& zk}R}1@&hTIN;y8QUR60|)M<^DtyvcN9|PdJPFrUj|Ec(4px%Tn0`!1>mU4_$2SY}p zCqPwbUqy^6&l`0kjk6$hK$bpKcs71=y{M-j*l6riPhYVz;M_s4nc|F30IHFfyGg-+ zP8!5$Nu`3jvNzu|h2b#rrIC(JrJGVl;{{yGRC1HvNU1}3^3{!+^h6E-f7j}b}b$!5v)LNqfNQqEA|jlwFU zRqv8r37Mx>J6t}A6PV>#5FFl!Qrn*pOGzBNBF2OU4}P3G40GW-1f~lm_t9mfqkqfH zJYELUuFxvYNfWO~H1x$a;HKNBEscA$fvcaxSrZKlmab%YI0zrRta#7=EF#go%vISC zgVSF7(FD%(P2b87k2_?8*Ni6uxaIchW6}zO#*k7~RwGK^dZAS?Ncj*9%6_vMSo`0^ zl2#D=$awrhMhaF2z<=8}*G6vdFOM_*DFJG0eJH7&)XQzVHm?-VP-UhZW(Fr3u0a)r z#}bCe^VLVCvA6EI_Hycn(lIg$kFbsFDwX$KI_(5t>25swNOjv%#=M7~!0!%y3!y~35mih6SHk~IKc)wvENc5oQ9h61#wqPdBC zE`xrVoOpiJG%qT&j_&S!7@`Dl%FV@BvXf}~7sV)Wtk|=Cy6nTUYvn5IIITuL@on50 zv!q+HQ*-*bryMYdpMY1vUbSFyHM;~whX}8Ex33L;8Bx+?`H=o0qLm*BCKBF}Ek}s^ z4#rI-)49M-r)Hj?RsWz`6z)6@I6owtmoPD|m&{DKMQM;tREozxaVH&aqg`$Yx2KZz zTIj91Y9nr?(09!mJ(fUTTa?yQ%5EhkN^1fvtrC~kNk}VEn;k)$F=8*uu`hV!r%~3d zt0Iqk;f5Pw!mAkfr_RtQNDtW8i$mQTh3h4oP^>ImOCWclP}M{P(JqB+)rTxgBDZ)! 
zLu;1bV;#O-Xp)%Jg1uIA?Crfx40IqgO=OpGDX2is;6lqIQ>u%KQT`Wl{>(T@728ma423wgW=oQuY zCmh@>rN#epdHW>jWgre(>{^lnmBqajRJB>eo*qyjdr^~-{kyD{L3XYLIC1*~L`Mu_ z50Q=4gJH9Vv)$n`wIrAsvOu$@6ED|Fl`0U$i5i1Ml@DT|LNkqDJ1JQ-5)+6{AFh-2 zs@w1XjdW=wY$op;N+5179S~FyzE>fu77v%*d(1XAfY}H_!NWUfb}I@ey#z=%rmN@Q zggj4364wQQAt!|sB}dfe9cvv zaY9*O@b(5$$gC)27Nfs6CVn#JJOn~j!oR?I4T>Rv!7(8Dn42bG|9s)u@H)rlle!c zK*yAlC0#0B+q}jGDJSV4g`g!WqI`uFvI&g~eb>_U@#LT~;acd`>onmr(rgVpT}^MA z(4MT-`tamwFAXnt0$z1VSh5M;o{OC1Fvb_tCd=MC1Y{g+^lfi86ZW2`-=BHgzU^hV zqPVS5UMI?>(mO*zDU{lUymM}b%%?&EK=f^bu~#|o!=N7MRl6T#v*PC&82L=OSK z_(Qj*XdWLq`4~|5Tv4K*7G2H!y5d#qMQSd<{WM$AX)CE3+9^+p3?7qYB#IX!-)zJ9 z6dW1INnXCz!lEy3v|^;CUPoj8m2Afp!k3eXTbH8-&rO>+I zo9PqBWW`O7pX0%H?bub27n;}uEdN!!9*U_CEOCnMOGY>6k102%A=MF|{7H(-Q8LUz zW>B!qLatj%40D!_FbGaBQAjw>9qOybdan8_{2t(r`$$Hygox4JCdKxw+}=S+lCI2K zF@ce4&(Wy3IAo$%M^_MxQ3!L|u~OUCe|qxTLJ=&gIFB10c4}jDv_c_Im-Lii%~w{Q zOqsv?5{K9v;J=cMk|Y-Sk)9%z#c=5ssL4hMv$Ug0_!{U?JGJ^TL=)lnnr|06FQ@aZ zN&gKpVQx=-G|ktHAE|P6aP!DDiFr-`ij2T;Z=I1&$0&4pCFK_WsujDYJRSYB6s|vz z0<2&gj_mReldNe#;(nViHDlcl;p-oKB14;)Z>s+a{QmqeUlax|qKFy1)n6iGUbxEm z=_GnW2MN9s>nE}8*aKBo+QR3Q-?Sw(8FJDLGtjw7+M9u2(-WIoaC1m}c;%8}Y-+S> zyIA0P{zxNV!mo-1&{rRMv8tXb%IQTEoqSB9^uvL?ll*hxtT0iq9g%m)*dZS7tL`k9 zALGRSs?Cs^T(Lw&1-}CIPnO;hgh&tvrYi(&f5TkY-k%TDg7#Ng_y+eUm2It$Ak?vI z59IA!KZgqWvOm-m3nLzZ1oOzf=UJ9KP$ZA~*CM@XTdtSz0tQxg-miWx=Fl$+Y-j|<=}+YRP^qUz^Ku%z5wc>%#B8imNF3WAr>9%iq5l3T`j5 zn}Szcv7D**fEaM}aYAd;?ir_Znj)#uksXm?Bf`TDkmCk)t{RM?e|DWvy@9HQf9->x ziI)~L***b8kdgU9TBoVd+%lkTtkqerZ;`ybv7>S*>)aMF@SfuR8-EY`9iK*RiTxfH zdUwv>IUCS4c9Uv_V)bi<#*3r-hNQ|WHM4T2EI{fa@Kqp~3O7AWct;8nLnNY4?a(f$ zKCl$4W0|*#GO%LVlyYbZJn6tfvCo-r&1~IqJnd9JxEd(gt_3{+{5d?SrX-AvF@FFf zds?<9S+j^9%_l-poWNg#DBCD{wtQtfBTaSq2Xy_-eVO>-cO>5$aj;YWZCEw#my8Lzax6sc#ZVE)#9hw%5UgPyVz0Tb)bnZ^sxL`SN7lKa3+Rl;B&A zzpuY=F9M&JZO^CQKbvTqd#@)Z(lI!5fH@Hr)0JqwteO1|-q^(5_3%!z-h0BMUu+55 z@w$kB?2gf**aMxP;E?a@Y|u*Q1zj`kK)zd1@ji8iaBSudS2}+;ap8@~w(cFSw7yk> zpj2LQGquEYg|N9Nr<7bwOpWwxPI|X1obqBP%`N+-hfa^xyvjBI^^T$%P$fl^Yi<2o 
zFJ{uYt5TY%+HXpFHmbnx0*2~FE~e}~#>P<58E94=xUk*8LD|Z{o8tSLD5l-6moC2E zX%XdppwyA#FQKtBQF*Lmg0xZN8`CDaZ?7Nne%}@a4L*9uN}3nSwP&}=iEJv?ILN~` z!_X2ADEF|%>~7WCBo!;C9tWx(=Hz58F=Cpwh)z%l{fC2_$O6A}(Tp){Y3!r>K88j{ zC3cJVlhWJw&FCZIOlz_DBbetskTE3NBdE1Wff9p9d{4G>ZU#p^`2}#6+a*K>HD70KTA6AJ^eN; z6uwa2LF{P(^u_<(|ADg76S4!0>(*Py+}By!|30C_p%bV!P7NBe@f5}6vL^^QRTam1 z2C3_Wlx0oZD5+mj6F-8j=EB9)@may-9xg*(EUkbIx1%L(s^Du{VaRG3qoA2ovB+W~ zOK@mk0x^t!&gkKeg3f?C;KQd{>cgjX@u0>Gl@!qOa#``M6aG{}Df%wd+N7)tR2WRe zB*`i5CVTl27tv3%cvSkPzz4(-aceCS#Q{$B`P2bs zt04-Go-tuPmQMxoD{S!7Q1U;8uA zDD(uUt3=^GJ@2{L_pI%(d#5(t*Rpk~E;W3lg4UGBu4Z(9^2yhOWI@DPQDg`I8bcP<-%rCSm5Wa4dE{O9F9w6qw!hM) zJFLC*HNNFj+!h6qg+Vy?%yso@#m@Qaemz;Xko(k@O`Lp2R`br_zX2jK~%ZDZc~k_tnGNOP_xX4Y;5~$8F$Fo zDY**6(pwhFkWBM8UfmxO=#syUrbJcC6&z`+_?bFtp3iPH*Gj!v%-_VOpQ z8JU;GxIn>P4;C1UB~%5nF~Teo118FF&edC6Nh1PfE$j6n zwJ?i*C40Kq)yCPc+Bi|o>N9|8 zv|VWP8ZY0-BSu;<_3HJOEBK|96Z);AVxc5&H^8pk?t|>~U9rDtOX=2EVt0vSzOa+T z;7a1N9e(>dbgm0GDW9r~0so(_`irc^(WkBq2U6^Nr87u!^IQcy+9RBk)Wy!WKfy(I zHLk?52eiPq$E*}KEfPeUTeK%u242QigZgIoa+`fqhq26?_e#6@=W5u*Det12OAM^E zG8VAxrq`Fiu#(%Y5#5Ap4J_4G$Yo|ozN2g%sGJumrObs{biK|7m81N`Sr3lbL8R0f z*{f*2UKpBbrescq$d_mZc=xDxwHdR%;EWLZn2A)&lR@MMGp>LMY$i^|-}0=6Co-bE za7bzqrnblc>CgJ;&N@3py68@%?io$iJ5dF@P~mr$K&~L?s-N5CGSrp)Bk$az4y5bL zd>~h%WlH~HNAN8@x;Z12ZdEZJJQdltyxp912{kI`EDpY!{$;f?xp+*Srd@pSD$B4T zo6C$p>!Ns1#HJk%E0&U*(jnhyr<+Jm-F}I0h zc=6>nu~_gwM+S)aqe6*)1Oj2xvtADNI$1eu;0g*5YJ48kSQCxuV_TcROYgLHb;N$v z)K38gU)#GDrYA{n-``o)L*Zhz_=xI@jE=U9rz&4Uzdh@eh6vC!=fGv4&O)yj8Y+(0 zd6%pnb}rbl;93TpGNUrL=sypul_AOvErU>4!m9K&n}(Y|%Z8SFkCVY^H69GJfQdE3 zKGVb7>!RD{M5!N?Vy3pPPo`<&3U10_J?VErf_-7VpC8u-_e#;4?I?Hx&CW2^*n!zu zx(TTVN=_VkBEGTDHc$@W0Pn(Lz&~qf?%NB4MS)E#zXE=57m;tkf#ewAl__6EKl|O_ z6yyFvbI?=Bt^0%8HbZgGSe!jfNl?u>ULoc6DS40D-j|KfL89C{SE>yKi6s)qVq=Zi zzLt{u1_H;$=kP&4n`Zb2`vh+mME*s66)) zC@Fft6|wraqE9ZEq@bd+-ymQU=}{IlD5upaJEcQB%d^*~c#{6B1PM3z+7vCJdWCal$rYtsPI5yL1kh&zIj zua`y1Zx{rSBKLX4p0C41j^9pS^p3@I1`j`I%8T$83+nBRwYiO2$FnOX(UsILRrK|( 
zcsj$~(*daeHv6oiMIbetXFY7yI|A0`sVXlCH0nvedZOxGI@qilFaswwZ1!wXZd=^t=e ztq`j!9}D#!D2=oaD=Ih-VoEuDc)+{eT-kNhZDJ0q?VnTF>g9OD=_rP@W=pW-;07;(2?QI{XWDW*S%Tgn4o^6Wq9ni zp_SH=k|57Y9ClunMWU|2><&*VQJ$w{Asz=P9kj>NrkrZ9$Jz$NANMXAMtLNDbcyo( z2&tR;97;ojKi7cX$q9KZ3~E@P6dK0Rn72z}yf4-C@ZK#i3*asf$Vj^n#i-3Gm{1M- zA2|&0-hEdr0|W4tmNfF~7%trrJjwtz`Vg@n7zT)bg#W?dR=6r? z4HSo>fX!krk40Ga14G2sLZ~=A6@L5xi|{;zu!Dc_M|@mdV`^Fi!`T~lT-<d4BiVV);9RI7UH;>vH=1#x0eD|Q*l}@C!FupNK1$o=@NV5S{M|aWh;Xa$aZ_xu z`+E+<@XZB&7`}Vt=*OXhWpVs(bhv8m^a_;C`+y5JB?|-CmCRPOm|!njDaD{6gP~Q# zX6~+GUXIdqLvZoZ)C$4AVzd$A!t%GYg#C}^3K8yk&y%)yhoP{Mi6g`q?0^&zZi|0~ zR07lq0a7lb?kYbJy5u~hZiT4$ZeOdi@BA{Z@-88VC{u>Y8Y=&yZ+;D9J zJeY^bBjE2{N$&pS5B&?~mAgZRwc&j#O-1%mRiJOK`X)A&1ogq{{8AO4{usN^O(U-9 z-eUF5gN@MxM)nqB7q(1P0(#_**&3*NNZq8DMSKh%%q{`pl-ihG# z@At`fev1VNGWcxEZyAm@4qQ^lf(<6SlKqW6y9n!{ zgD1`WFmU+613}Oay~nc@Wbk>eVE&I4)0K-UgZHOFFNmc94QUe9<6bBhemB;!99LRL-mJpCNiz1sK#+KOt8d z(TK(LSKwuOBwEizX6G@HO5^WN1*(MZwiQ7sNQ zv9~ffk(ip;p)9e+A)_P^T>Uu@90CmC(C1Fx$ z=DTv65Dp)gW|(wNOuF_yBkQ&h`UX{9StpF1DPc`GoEBM!3R0p$R&`|ao9Z(;*L27x zbjp}MWj*+KXaxNmPhJWb1O@c}UA_8K_wYYQq5pr)|D%@m|5oyUS5Ew|3Lv0D|FNIK a*#BQ0g}f9v#D85te$Jquwv+R}r~d=EZbsMu literal 0 HcmV?d00001 diff --git a/Solutions/Flare/Package/createUiDefinition.json b/Solutions/Flare/Package/createUiDefinition.json index 366f4c39797..ff51c8fad27 100644 --- a/Solutions/Flare/Package/createUiDefinition.json +++ b/Solutions/Flare/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nFlare identifies your company’s digital assets made publicly available due to human error or malicious attacks. \n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 9, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Flare/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Flare Systems [Firework](https://flare.io/platform/) solution allows you to receive data and intelligence from Firework on Microsoft Sentinel.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs. \n\n a .[Azure Monitor HTTP Data Collector API ](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 8, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -60,11 +60,11 @@
 "name": "dataconnectors1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This Solution installs the data connector for Flare. You can get Flare custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ "text": "This Solution installs the data connector for Flare Push Connector. You can get Flare Push Connector data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
 },
 {
- "name": "dataconnectors-link2",
+ "name": "dataconnectors-link1",
 "type": "Microsoft.Common.TextBlock",
 "options": {
 "link": {
@@ -146,13 +146,13 @@
 {
 "name": "analytic1",
 "type": "Microsoft.Common.Section",
- "label": "Flare Leaked Credentials",
+ "label": "Flare Cloud bucket result",
 "elements": [
 {
 "name": "analytic1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Searches for Flare Leaked Credentials"
+ "text": "Results found on an publicly available cloud bucket"
 }
 }
 ]
@@ -160,13 +160,13 @@
 {
 "name": "analytic2",
 "type": "Microsoft.Common.Section",
- "label": "Flare Cloud bucket result",
+ "label": "Flare Leaked Credentials",
 "elements": [
 {
 "name": "analytic2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Results found on an publicly available cloud bucket"
+ "text": "Searches for Flare Leaked Credentials"
 }
 }
 ]
@@ -174,24 +174,10 @@
 {
 "name": "analytic3",
 "type": "Microsoft.Common.Section",
- "label": "Flare Darkweb result",
- "elements": [
- {
- "name": "analytic3-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "Result found on a darkweb platform"
- }
- }
- ]
- },
- {
- "name": "analytic4",
- "type": "Microsoft.Common.Section",
 "label": "Flare Google Dork result found",
 "elements": [
 {
- "name": "analytic4-text",
+ "name": "analytic3-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
 "text": "Results using a dork on google was found"
@@ -200,12 +186,12 @@
 ]
 },
 {
- "name": "analytic5",
+ "name": "analytic4",
 "type": "Microsoft.Common.Section",
 "label": "Flare Host result",
 "elements": [
 {
- "name": "analytic5-text",
+ "name": "analytic4-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
 "text": "Results found relating to IP, domain or host"
@@ -214,12 +200,12 @@
 ]
 },
 {
- "name": "analytic6",
+ "name": "analytic5",
 "type": "Microsoft.Common.Section",
 "label": "Flare Infected Device",
 "elements": [
 {
- "name": "analytic6-text",
+ "name": "analytic5-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
 "text": "Infected Device found on darkweb or Telegram"
@@ -228,12 +214,12 @@
 ]
 },
 {
- "name": "analytic7",
+ "name": "analytic6",
 "type": "Microsoft.Common.Section",
 "label": "Flare Paste result",
 "elements": [
 {
- "name": "analytic7-text",
+ "name": "analytic6-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
 "text": "Result found on code Snippet (paste) sharing platform"
@@ -242,12 +228,12 @@
 ]
 },
 {
- "name": "analytic8",
+ "name": "analytic7",
 "type": "Microsoft.Common.Section",
 "label": "Flare Source Code found",
 "elements": [
 {
- "name": "analytic8-text",
+ "name": "analytic7-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
 "text": "Result found on Code Sharing platform"
@@ -256,12 +242,12 @@
 ]
 },
 {
- "name": "analytic9",
+ "name": "analytic8",
 "type": "Microsoft.Common.Section",
 "label": "Flare SSL Certificate result",
 "elements": [
 {
- "name": "analytic9-text",
+ "name": "analytic8-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
 "text": "SSL Certificate registration found"
diff --git a/Solutions/Flare/Package/mainTemplate.json b/Solutions/Flare/Package/mainTemplate.json
index 1448a2b0f2e..5ed49c2f9e4 100644
--- a/Solutions/Flare/Package/mainTemplate.json
+++ b/Solutions/Flare/Package/mainTemplate.json
@@ -2,7 +2,7 @@
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "metadata": {
- "author": "Flare Integration Team - support@flare.io",
+ "author": "Flare - support@flare.io",
 "comments": "Solution template for Flare"
 },
 "parameters": {
@@ -28,6 +28,20 @@
 "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
 }
 },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
+ },
 "workbook1-name": {
 "type": "string",
 "defaultValue": "FlareSystemsFirework",
@@ -38,64 +52,24 @@
 }
 },
 "variables": {
- "solutionId": "flaresystmesinc1617114736428.flare-systems-firework-sentinel",
- "_solutionId": "[variables('solutionId')]",
 "email": "support@flare.io",
 "_email": "[variables('email')]",
+ "solutionId": "flaresystmesinc1617114736428.flare-systems-firework-sentinel",
+ "_solutionId": "[variables('solutionId')]",
 "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
- "uiConfigId1": "Flare",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "Flare",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]",
- "dataConnectorVersion1": "1.0.0",
- "analyticRuleVersion1": "1.0.2",
- "analyticRulecontentId1": "9cb7c337-f170-4af6-b0e8-b6b7552d762d",
- "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
- "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
- "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]",
- "analyticRuleVersion2": "1.0.1",
- "analyticRulecontentId2": "9cb7c337-f172-4af6-b0e8-b6b7552d762d",
- "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
- "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
- "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]",
- "analyticRuleVersion3": "1.0.1",
- "analyticRulecontentId3": "9cb7c337-f173-4af6-b0e8-b6b7552d762d",
- "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]",
- "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]",
- "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3')))]",
- "analyticRuleVersion4": "1.0.1",
- "analyticRulecontentId4": "9cb7c337-f174-4af6-b0e8-b6b7552d762d",
- "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]",
- "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]",
- "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4')))]",
- "analyticRuleVersion5": "1.0.1",
- "analyticRulecontentId5": "9cb7c337-f175-4af6-b0e8-b6b7552d762d",
- "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]",
- "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]",
- "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5')))]",
- "analyticRuleVersion6": "1.0.1",
- "analyticRulecontentId6": "9cb7c337-f176-4af6-b0e8-b6b7552d762d",
- "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]",
- "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]",
- "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6')))]",
- "analyticRuleVersion7": "1.0.1",
- "analyticRulecontentId7": "9cb7c337-f177-4af6-b0e8-b6b7552d762d",
- "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]",
- "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]",
- "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7')))]",
- "analyticRuleVersion8": "1.0.1",
- "analyticRulecontentId8": "9cb7c337-f178-4af6-b0e8-b6b7552d762d",
- "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]",
- "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]",
- "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8')))]",
- "analyticRuleVersion9": "1.0.1",
- "analyticRulecontentId9": "9cb7c337-f179-4af6-b0e8-b6b7552d762d",
- "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]",
- "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]",
- "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9')))]",
+ "_solutionName": "Flare",
+ "_solutionVersion": "2.1.1",
+ "dataConnectorCCPVersion": "1.0.0",
+ "_dataConnectorContentIdConnectorDefinition1": "FireworkPush",
+ "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]",
+ "_dataConnectorContentIdConnections1": "FireworkPushConnections",
+ "dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]",
+ "blanks": "[replace('b', 'b', '')]",
+ "workbookVersion1": "1.0.0",
+ "workbookContentId1": "FireworkWorkbook",
+ "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
+ "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]",
+ "_workbookContentId1": "[variables('workbookContentId1')]",
 "credential-warning": "credential-warning",
 "_credential-warning": "[variables('credential-warning')]",
"playbookVersion1": "1.0", 
@@ -103,462 +77,179 @@ "_playbookContentId1": "[variables('playbookContentId1')]", "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", "playbookTemplateSpecName1": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1')))]", - "workbookVersion1": "1.0.0", - "workbookContentId1": "FireworkWorkbook", - "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]", - "_workbookContentId1": "[variables('workbookContentId1')]" - }, - "resources": [ - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "Flare data connector with template", - "displayName": "Flare template" - } + "analyticRuleObject1": { + "analyticRuleVersion1": "2.0.0", + "_analyticRulecontentId1": "9cb7c337-f172-4af6-b0e8-b6b7552d762d", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f172-4af6-b0e8-b6b7552d762d')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f172-4af6-b0e8-b6b7552d762d'))]" }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', 
variables('dataConnectorTemplateSpecName1'))]" - ], - "properties": { - "description": "Flare data connector with template version 2.1.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "Flare", - "publisher": "Flare", - "descriptionMarkdown": "[Flare](https://flare.systems/platform/) connector allows you to receive data and intelligence from Flare on Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Firework_CL", - "baseQuery": "Firework_CL" - } - ], - "sampleQueries": [ - { - "description": "Flare Activities -- All", - "query": "Firework_CL\n | sort by TimeGenerated desc" - } - ], - "dataTypes": [ - { - "name": "Firework_CL", - "lastDataReceivedQuery": "Firework_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "Firework_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - 
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Required Flare permissions", - "description": "only Flare organization administrators may configure the Microsoft Sentinel integration." - } - ] - }, - "instructionSteps": [ - { - "innerSteps": [ - { - "description": "As an organization administrator, authenticate on [Flare](https://app.flare.systems) and access the [team page](https://app.flare.systems#/team) to create a new alert channel." - }, - { - "description": "Click on 'Create a new alert channel' and select 'Microsoft Sentinel'. Enter your Shared Key And WorkspaceID. Save the Alert Channel. \n For more help and details, see our [Azure configuration documentation](https://docs.microsoft.com/azure/sentinel/connect-data-sources).", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID", - "value": "{0}" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "fillWith": [ - "PrimaryKey" - ], - "label": "Primary key", - "value": "{0} " - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Creating an Alert Channel for Microsoft Sentinel" - }, - { - "innerSteps": [ - { - "description": "At this point, you may configure alerts to be sent to Microsoft Sentinel the same way that you would configure regular email alerts." - }, - { - "description": "For a more detailed guide, refer to the Flare documentation." - } - ], - "title": "2. 
Associating your alert channel to an alert feed" - } - ], - "metadata": { - "id": "c3f2c642-54a5-49b4-b135-e05506720765", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "solution", - "name": "Flare" - }, - "author": { - "name": "Flare" - }, - "support": { - "tier": "developer", - "name": "Flare", - "email": "contact@flare.systems", - "link": "https://flare.systems/company/contact/" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Flare", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Flare Integration Team", - "email": "[variables('_email')]" - }, - "support": { - "name": "Flare", - "email": "contact@flare.io", - "tier": "Partner", - "link": "https://flare.io/company/contact/" - } - } - } - ] - } - } + "analyticRuleObject2": { + "analyticRuleVersion2": "2.0.0", + "_analyticRulecontentId2": "9cb7c337-f170-4af6-b0e8-b6b7552d762d", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f170-4af6-b0e8-b6b7552d762d')]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f170-4af6-b0e8-b6b7552d762d'))]" + }, + "analyticRuleObject3": { + "analyticRuleVersion3": "2.0.0", + "_analyticRulecontentId3": "9cb7c337-f174-4af6-b0e8-b6b7552d762d", + "analyticRuleId3": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f174-4af6-b0e8-b6b7552d762d')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f174-4af6-b0e8-b6b7552d762d'))]" + }, + "analyticRuleObject4": { + "analyticRuleVersion4": "2.0.0", + "_analyticRulecontentId4": "9cb7c337-f175-4af6-b0e8-b6b7552d762d", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f175-4af6-b0e8-b6b7552d762d')]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f175-4af6-b0e8-b6b7552d762d'))]" + }, + "analyticRuleObject5": { + "analyticRuleVersion5": "2.0.0", + "_analyticRulecontentId5": "9cb7c337-f176-4af6-b0e8-b6b7552d762d", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f176-4af6-b0e8-b6b7552d762d')]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f176-4af6-b0e8-b6b7552d762d'))]" + }, + "analyticRuleObject6": { + "analyticRuleVersion6": "2.0.0", + "_analyticRulecontentId6": "9cb7c337-f177-4af6-b0e8-b6b7552d762d", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f177-4af6-b0e8-b6b7552d762d')]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f177-4af6-b0e8-b6b7552d762d'))]" + }, + "analyticRuleObject7": { + "analyticRuleVersion7": "2.0.0", + "_analyticRulecontentId7": "9cb7c337-f178-4af6-b0e8-b6b7552d762d", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f178-4af6-b0e8-b6b7552d762d')]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f178-4af6-b0e8-b6b7552d762d'))]" }, + "analyticRuleObject8": { + "analyticRuleVersion8": "2.0.0", + "_analyticRulecontentId8": "9cb7c337-f179-4af6-b0e8-b6b7552d762d", + "analyticRuleId8": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb7c337-f179-4af6-b0e8-b6b7552d762d')]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'-ar-',uniquestring('9cb7c337-f179-4af6-b0e8-b6b7552d762d'))]" + } + }, + "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", + "version": "[variables('dataConnectorCCPVersion')]", "source": { - "kind": "Solution", - "name": "Flare", - "sourceId": "[variables('_solutionId')]" + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" }, "author": { - "name": "Flare Integration Team", + "name": "Flare", "email": "[variables('_email')]" }, "support": { "name": "Flare", - "email": "contact@flare.io", + "email": "support@flare.io", "tier": 
"Partner", - "link": "https://flare.io/company/contact/" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "Flare", - "publisher": "Flare", - "descriptionMarkdown": "[Flare](https://flare.systems/platform/) connector allows you to receive data and intelligence from Flare on Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Firework_CL", - "baseQuery": "Firework_CL" - } - ], - "dataTypes": [ - { - "name": "Firework_CL", - "lastDataReceivedQuery": "Firework_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "Firework_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Flare Activities -- All", - "query": "Firework_CL\n | sort by TimeGenerated desc" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Required Flare permissions", - "description": "only Flare organization administrators may configure the Microsoft Sentinel integration." - } - ] - }, - "instructionSteps": [ - { - "innerSteps": [ - { - "description": "As an organization administrator, authenticate on [Flare](https://app.flare.systems) and access the [team page](https://app.flare.systems#/team) to create a new alert channel." - }, - { - "description": "Click on 'Create a new alert channel' and select 'Microsoft Sentinel'. Enter your Shared Key And WorkspaceID. Save the Alert Channel. \n For more help and details, see our [Azure configuration documentation](https://docs.microsoft.com/azure/sentinel/connect-data-sources).", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID", - "value": "{0}" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "fillWith": [ - "PrimaryKey" - ], - "label": "Primary key", - "value": "{0} " - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Creating an Alert Channel for Microsoft Sentinel" - }, + "link": "https://flare.io/contact/" + }, + "dependencies": { + "criteria": [ { - "innerSteps": [ - { - "description": "At this point, you may configure alerts to be sent to Microsoft Sentinel the same way that you would configure regular email alerts." - }, - { - "description": "For a more detailed guide, refer to the Flare documentation." - } - ], - "title": "2. 
Associating your alert channel to an alert feed" + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector" } - ], - "id": "[variables('_uiConfigId1')]" + ] } } }, { "type": "Microsoft.Resources/templateSpecs", "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleTemplateSpecName1')]", + "name": "[variables('workbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" + "hidden-sentinelContentType": "Workbook" }, "properties": { - "description": "Flare Analytics Rule 1 with template", - "displayName": "Flare Analytics Rule template" + "description": "Flare Workbook with template", + "displayName": "Flare workbook template" } }, { "type": "Microsoft.Resources/templateSpecs/versions", "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]", + "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" + "hidden-sentinelContentType": "Workbook" }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]" + "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]" ], "properties": { - "description": "FlareCredentialLeaks_AnalyticalRules Analytics Rule with template version 2.1.0", + "description": "FlareSystemsFireworkOverview Workbook with template version 2.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion1')]", + 
"contentVersion": "[variables('workbookVersion1')]", "parameters": {}, "variables": {}, "resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId1')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Select the time range for this Overview." + }, "properties": { - "description": "Searches for Flare Leaked Credentials", - "displayName": "Flare Leaked Credentials", - "enabled": false, - "query": "Firework_CL\n| where notempty(data_new_leaks_s) and source_s != 'stealer_logs_samples'\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "Firework_CL" - ], - "connectorId": "Flare" - } - ], - "tactics": [ - "CredentialAccess" - ], - "techniques": [ - "T1110" - ] + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Firework Logs by risk score\\n---\\n\\nThese are all your logs that came from Firework in the past 30 days, where each line represents a specific risk score\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"FireworkV2_CL\\n| make-series num=count() on timestamp_t from ago(30d) to now() step 8h by strcat(\\\"Risk Score \\\", tostring(toint(risk_score_d)))\\n| render timechart \",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Risk Score 2\",\"color\":\"turquoise\"},{\"seriesName\":\"Risk Score 
3\",\"color\":\"yellow\"},{\"seriesName\":\"Risk Score 4\",\"color\":\"orange\"},{\"seriesName\":\"Risk Score 1\",\"color\":\"lightBlue\"}]}},\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"# Sources of all documents collected\\n\\nData per day for the last 30 days\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"FireworkV2_CL\\n| make-series num=count() on timestamp_t from ago(30d) to now() step 1d by source_name_s\\n| where isnotempty(source_name_s)\\n| render barchart \",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"FireworkV2_CL\\n| where timestamp_t >= ago(30d)\\n| summarize num=count() by source_name_s\\n| where notempty(source_name_s)\\n| render piechart \",\"size\":2,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 6\"},{\"type\":1,\"content\":{\"json\":\"# Total Leaked Credentials received\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"FireworkV2_CL\\n| where notempty(column_ifexists('data_new_leaks_s', ''))\\n| make-series Total_Leaked_Credentials=count() on timestamp_t from ago(30d) to now() step 8h \\n| render timechart\",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Total_Leaked_Credentials\",\"color\":\"redBright\"}]}},\"name\":\"query - 4\"}],\"fromTemplateId\":\"sentinel-FireworkWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", "properties": { - "description": "Flare Analytics Rule 1", - "parentId": "[variables('analyticRuleId1')]", - "contentId": "[variables('_analyticRulecontentId1')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion1')]", + "description": "@{workbookKey=FireworkWorkbook; logoFileName=Flare.svg; description=Select the time range for this Overview.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=FlareSystemsFirework; templateRelativePath=FlareSystemsFireworkOverview.json; subtitle=; provider=Flare Systems}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", "source": { "kind": "Solution", "name": "Flare", "sourceId": "[variables('_solutionId')]" }, "author": { - "name": "Flare Integration Team", + "name": "Flare", "email": "[variables('_email')]" }, "support": { "name": "Flare", - "email": "contact@flare.io", + "email": "support@flare.io", "tier": "Partner", - "link": "https://flare.io/company/contact/" + "link": "https://flare.io/contact/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "Firework_CL", + "kind": "DataType" + }, + { + "contentId": "FlareSystemsFirework", + "kind": "DataConnector" + } + ] } } } 
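Review bot: The workbook metadata `description` on the new side of this hunk is a serialized PowerShell hashtable (`@{workbookKey=FireworkWorkbook; logoFileName=Flare.svg; ...}.description`) rather than the workbook's description, and it will be displayed verbatim in the content hub; it should read `"description": "Select the time range for this Overview."`, matching the `metadata.description` of the workbook resource just above it. The same metadata block's `dependencies.criteria` still reference `Firework_CL` (DataType) and `FlareSystemsFirework` (DataConnector), while the workbook's serializedData queries `FireworkV2_CL` and the connector definition declared in this template is `FireworkPush` (`_dataConnectorContentIdConnectorDefinition1`), so the dependency check would not bind to the new CCP connector or its table; these look like generator-input leftovers and should be pointed at the new table and connector ids. A smaller consistency point: the connector metadata uses `"name": "[variables('_solutionName')]"` for `source.name` whereas the workbook metadata hard-codes `"name": "Flare"`; using the variable in both keeps them aligned. The `resources` array continues past the end of this hunk, so the playbook and any remaining resources were not reviewed here.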
@@ -569,448 +260,414 @@ { "type": "Microsoft.Resources/templateSpecs", "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleTemplateSpecName2')]", + "name": "[variables('playbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" + "hidden-sentinelContentType": "Playbook" }, "properties": { - "description": "Flare Analytics Rule 2 with template", - "displayName": "Flare Analytics Rule template" + "description": "credential-warning playbook", + "displayName": "credential-warning playbook" } }, { "type": "Microsoft.Resources/templateSpecs/versions", "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]", + "name": "[concat(variables('playbookTemplateSpecName1'),'/',variables('playbookVersion1'))]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" + "hidden-sentinelContentType": "Playbook" }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]" + "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName1'))]" ], "properties": { - "description": "FlareCloudBucket_AnalyticalRules Analytics Rule with template version 2.1.0", + "description": "credential-warning Playbook with template version 2.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId2')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": 
"[parameters('workspace-location')]", - "properties": { - "description": "Results found on an publicly available cloud bucket", - "displayName": "Flare Cloud bucket result", - "enabled": false, - "query": "Firework_CL\n| where source_s contains \"Grayhat_warfare\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "Firework_CL" - ], - "connectorId": "Flare" - } - ], - "tactics": [ - "Reconnaissance" - ], - "techniques": [ - "T1593" - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", - "properties": { - "description": "Flare Analytics Rule 2", - "parentId": "[variables('analyticRuleId2')]", - "contentId": "[variables('_analyticRulecontentId2')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion2')]", - "source": { - "kind": "Solution", - "name": "Flare", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Flare Integration Team", - "email": "[variables('_email')]" - }, - "support": { - "name": "Flare", - "email": "contact@flare.io", - "tier": "Partner", - "link": "https://flare.io/company/contact/" - } - } + "contentVersion": "[variables('playbookVersion1')]", + "parameters": { + "PlaybookName": { + "defaultValue": "credential-warning", + "type": "string" } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "tags": { - 
"hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Flare Analytics Rule 3 with template", - "displayName": "Flare Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName3'),'/',variables('analyticRuleVersion3'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]" - ], - "properties": { - "description": "FlareDarkweb_AnalyticalRules Analytics Rule with template version 2.1.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion3')]", - "parameters": {}, - "variables": {}, + }, + "variables": { + "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "o365ConnectionName": "[[concat('o365-', parameters('PlaybookName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-1": "[[variables('connection-1')]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, 
"resources": [ { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId3')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", "properties": { - "description": "Result found on a darkweb platform", - "displayName": "Flare Darkweb result", - "enabled": false, - "query": "Firework_CL\n| where risk_reasons_s contains \"CYBERCRIME_SOURCE\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "Firework_CL" - ], - "connectorId": "Flare" - } - ], - "tactics": [ - "Reconnaissance" - ], - "techniques": [ - "T1597" - ] + "displayName": "[[variables('AzureSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-1')]" + } } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('o365ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", "properties": { - "description": "Flare Analytics Rule 3", - "parentId": "[variables('analyticRuleId3')]", - "contentId": "[variables('_analyticRulecontentId3')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion3')]", - "source": { - 
"kind": "Solution", - "name": "Flare", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Flare Integration Team", - "email": "[variables('_email')]" - }, - "support": { - "name": "Flare", - "email": "contact@flare.io", - "tier": "Partner", - "link": "https://flare.io/company/contact/" + "displayName": "[[parameters('PlaybookName')]", + "api": { + "id": "[[variables('_connection-2')]" } } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Flare Analytics Rule 4 with template", - "displayName": "Flare Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName4'),'/',variables('analyticRuleVersion4'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName4'))]" - ], - "properties": { - "description": "FlareDork_AnalyticalRules Analytics Rule with template version 2.1.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion4')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId4')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": 
"Results using a dork on google was found", - "displayName": "Flare Google Dork result found", - "enabled": false, - "query": "Firework_CL\n| where source_s contains \"google_search\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "Firework_CL" - ], - "connectorId": "Flare" - } - ], - "tactics": [ - "Reconnaissance" - ], - "techniques": [ - "T1593" - ] - } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "LogicAppsCategory": "security", + "hidden-SentinelTemplateName": "PlaybookName", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]" + ], "properties": { - "description": "Flare Analytics Rule 4", - "parentId": "[variables('analyticRuleId4')]", - "contentId": "[variables('_analyticRulecontentId4')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion4')]", - "source": { - "kind": "Solution", - "name": "Flare", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Flare Integration Team", - "email": "[variables('_email')]" - 
}, - "support": { - "name": "Flare", - "email": "contact@flare.io", - "tier": "Partner", - "link": "https://flare.io/company/contact/" - } - } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleTemplateSpecName5')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Flare Analytics Rule 5 with template", - "displayName": "Flare Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName5'),'/',variables('analyticRuleVersion5'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName5'))]" - ], - "properties": { - "description": "FlareHost_AnalyticalRules Analytics Rule with template version 2.1.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion5')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId5')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Results found relating to IP, domain or host", - "displayName": "Flare Host result", - "enabled": false, - "query": "Firework_CL\n| where source_s contains \"driller_shodan\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", - 
"queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "dataTypes": [ - "Firework_CL" - ], - "connectorId": "Flare" + "state": "Disabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "actions": { + "For_each": { + "actions": { + "For_each_2": { + "actions": { + "For_each_3": { + "actions": { + "Send_an_email_(V2)": { + "inputs": { + "body": { + "Body": "

Hello,
\n
\nThis is a message to warn you we believe a password you had been using has  been leaked online, as part of a data breach.
\n
\nIf the following password is one you are still using commonly, we recommend changing it as soon as possible.
\n
\n@{items('For_each_3')['hash']}
\n
\nIn addition we want to remind you not to use your corporate email address to register to services outside of work.
\n
\nCordially,
\n
\nSecurity Team
\n

", + "Subject": "Possible compromised password", + "To": "blank@flare.systems" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + }, + "type": "ApiConnection" + } + }, + "foreach": "@items('For_each_2')['passwords']", + "type": "Foreach" + } + }, + "foreach": "@body('Parse_JSON')", + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Parse_JSON": { + "inputs": { + "content": "@items('For_each')", + "schema": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "passwords": { + "items": { + "properties": { + "extra": { + "type": "object" + }, + "hash": { + "type": "string" + }, + "hash_type": { + "type": "string" + }, + "id": { + "type": "integer" + }, + "imported_at": { + "type": "string" + }, + "source_id": { + "type": "string" + }, + "source_params": { + "properties": { + "line": { + "type": "integer" + } + }, + "type": "object" + } + }, + "required": [ + "id", + "hash", + "hash_type", + "extra", + "domain", + "source_id", + "source_params", + "imported_at" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "name", + "passwords" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "ParseJson" + } + }, + "foreach": "@variables('leaks')['leaked_credentials']", + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Initialize_variable": { + "inputs": { + "variables": [ + { + "name": "leaks", + "type": "object", + "value": "@json(body('Parse_JSON_2')['Custom Details'])" + } + ] + }, + "runAfter": { + "Parse_JSON_2": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Parse_JSON_2": { + "inputs": { + "content": "@triggerBody()?['ExtendedProperties']", + "schema": { + "properties": { + "Analytic Rule Ids": { + "type": "string" + }, + "Analytic Rule Name": { + "type": "string" + }, + "Custom Details": { + "type": "string" + }, + 
"Data Sources": { + "type": "string" + }, + "Event Grouping": { + "type": "string" + }, + "ProcessedBySentinel": { + "type": "string" + }, + "Query": { + "type": "string" + }, + "Query End Time UTC": { + "type": "string" + }, + "Query Period": { + "type": "string" + }, + "Query Start Time UTC": { + "type": "string" + }, + "Search Query Results Overall Count": { + "type": "string" + }, + "Trigger Operator": { + "type": "string" + }, + "Trigger Threshold": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "ParseJson" + } + }, + "contentVersion": "1.0.0.0", + "triggers": { + "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + }, + "type": "ApiConnectionWebhook" + } } - ], - "tactics": [ - "Reconnaissance" - ], - "techniques": [ - "T1596" - ] + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "connectionName": "[[variables('AzureSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "office365": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]", + "connectionName": "[[variables('o365ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" + } + } + } + } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", "properties": { - "description": "Flare Analytics Rule 5", - "parentId": "[variables('analyticRuleId5')]", - "contentId": "[variables('_analyticRulecontentId5')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion5')]", + "parentId": "[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "Playbook", + "version": "[variables('playbookVersion1')]", "source": { "kind": "Solution", "name": "Flare", "sourceId": "[variables('_solutionId')]" }, "author": { - "name": "Flare Integration Team", + "name": "Flare", "email": "[variables('_email')]" }, "support": { "name": "Flare", - "email": "contact@flare.io", + "email": "support@flare.io", "tier": "Partner", - "link": "https://flare.io/company/contact/" + "link": "https://flare.io/contact/" } } } - ] + ], + "metadata": { + "title": "credential-warning", + "description": "This playbook monitors all data received from Firework looking for leaked credentials (email:password combinations). When found, this playbook will send an email to the email address warning their password has been leaked, recommending appropriate measures if necessary. 
To learn more about how to connect Firework to Microsoft Sentinel, see the [API documentation](https://docs.flared.io/azure-sentinel-integration).", + "lastUpdateTime": "2022-07-31T00:00:00Z", + "releaseNotes": [ + { + "version": "1.0.0", + "title": "credential-warning", + "notes": [ + "Initial version" + ] + } + ] + } } } }, { "type": "Microsoft.Resources/templateSpecs", "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleTemplateSpecName6')]", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", "hidden-sentinelContentType": "AnalyticsRule" }, "properties": { - "description": "Flare Analytics Rule 6 with template", + "description": "Flare Analytics Rule 1 with template", "displayName": "Flare Analytics Rule template" } }, { "type": "Microsoft.Resources/templateSpecs/versions", "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName6'),'/',variables('analyticRuleVersion6'))]", + "name": "[concat(variables('analyticRuleObject1').analyticRuleTemplateSpecName1,'/',variables('analyticRuleObject1').analyticRuleVersion1)]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", "hidden-sentinelContentType": "AnalyticsRule" }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName6'))]" + "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject1').analyticRuleTemplateSpecName1)]" ], "properties": { - "description": "FlareInfectedDevice_AnalyticalRules Analytics Rule with template version 2.1.0", + "description": "FlareCloudBucket_AnalyticalRules Analytics Rule with template version 2.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": 
"[variables('analyticRuleVersion6')]", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId6')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Infected Device found on darkweb or Telegram", - "displayName": "Flare Infected Device", + "description": "Results found on an publicly available cloud bucket", + "displayName": "Flare Cloud bucket result", "enabled": false, - "query": "Firework_CL\n| where category_name_s contains \"Infected Device\" or source_s==\"genesis_market\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", + "query": "FireworkV2_CL\n| where source_s contains \"Grayhat_warfare\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "Medium", 
@@ -1021,44 +678,44 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "Flare",
 "dataTypes": [
- "Firework_CL"
- ],
- "connectorId": "Flare"
+ "FireworkV2_CL"
+ ]
 }
 ],
 "tactics": [
- "CredentialAccess"
+ "Reconnaissance"
 ],
 "techniques": [
- "T1555"
+ "T1593"
 ]
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
 "properties": {
- "description": "Flare Analytics Rule 6",
- "parentId": "[variables('analyticRuleId6')]",
- "contentId": "[variables('_analyticRulecontentId6')]",
+ "description": "Flare Analytics Rule 1",
+ "parentId": "[variables('analyticRuleObject1').analyticRuleId1]",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion6')]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
 "source": {
 "kind": "Solution",
 "name": "Flare",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
- "name": "Flare Integration Team",
+ "name": "Flare",
 "email": "[variables('_email')]"
 },
 "support": {
 "name": "Flare",
- "email": "contact@flare.io",
+ "email": "support@flare.io",
 "tier": "Partner",
- "link": "https://flare.io/company/contact/"
+ "link": "https://flare.io/contact/"
 }
 }
 }
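Review bot: `requiredDataConnectors` for this rule now declares `connectorId` `Flare` with data type `FireworkV2_CL`, but the workbook metadata earlier in this template still lists `Firework_CL` as its DataType dependency and `FlareSystemsFirework` as its DataConnector dependency; with the REST connector and old table removed by this commit those criteria will likely never be satisfied, and the rules and workbook disagree on the connector id. Both should reference `FireworkV2_CL` and whichever connector id the new CCF connector definition actually publishes. While there, the same workbook metadata's `description` holds a stringified PowerShell object (`@{workbookKey=FireworkWorkbook; ...}.description`) rather than descriptive text, which looks like a packaging-tool artefact worth regenerating.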
@@ -1069,48 +726,48 @@
 {
 "type": "Microsoft.Resources/templateSpecs",
 "apiVersion": "2022-02-01",
- "name": "[variables('analyticRuleTemplateSpecName7')]",
+ "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]",
 "location": "[parameters('workspace-location')]",
 "tags": {
 "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
 "hidden-sentinelContentType": "AnalyticsRule"
 },
 "properties": {
- "description": "Flare Analytics Rule 7 with template",
+ "description": "Flare Analytics Rule 2 with template",
 "displayName": "Flare Analytics Rule template"
 }
 },
 {
 "type": "Microsoft.Resources/templateSpecs/versions",
 "apiVersion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName7'),'/',variables('analyticRuleVersion7'))]",
+ "name": "[concat(variables('analyticRuleObject2').analyticRuleTemplateSpecName2,'/',variables('analyticRuleObject2').analyticRuleVersion2)]",
 "location": "[parameters('workspace-location')]",
 "tags": {
 "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
 "hidden-sentinelContentType": "AnalyticsRule"
 },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName7'))]"
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject2').analyticRuleTemplateSpecName2)]"
 ],
 "properties": {
- "description": "FlarePaste_AnalyticalRules Analytics Rule with template version 2.1.0",
+ "description": "FlareCredentialLeaks_AnalyticalRules Analytics Rule with template version 2.1.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion7')]",
+ "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId7')]",
- "apiVersion": "2022-04-01-preview",
+ "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "apiVersion": "2023-02-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "description": "Result found on code Snippet (paste) sharing platform",
- "displayName": "Flare Paste result",
+ "description": "Searches for Flare Leaked Credentials",
+ "displayName": "Flare Leaked Credentials",
 "enabled": false,
- "query": "Firework_CL\n| where source_s in (\"gist_github\",\"Pastebin\",\"driller_stackexchange\") and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n",
+ "query": "FireworkV2_CL\n| where notempty(data_new_leaks_s) and source_s != 'stealer_logs_samples'\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "PT1H",
 "severity": "Medium",
@@ -1121,44 +778,44 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "Flare",
 "dataTypes": [
- "Firework_CL"
- ],
- "connectorId": "Flare"
+ "FireworkV2_CL"
+ ]
 }
 ],
 "tactics": [
- "Reconnaissance"
+ "CredentialAccess"
 ],
 "techniques": [
- "T1593"
+ "T1110"
 ]
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]",
 "properties": {
- "description": "Flare Analytics Rule 7",
- "parentId": "[variables('analyticRuleId7')]",
- "contentId": "[variables('_analyticRulecontentId7')]",
+ "description": "Flare Analytics Rule 2",
+ "parentId": "[variables('analyticRuleObject2').analyticRuleId2]",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion7')]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]",
 "source": {
 "kind": "Solution",
 "name": "Flare",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
- "name": "Flare Integration Team",
+ "name": "Flare",
 "email": "[variables('_email')]"
 },
 "support": {
 "name": "Flare",
- "email": "contact@flare.io",
+ "email": "support@flare.io",
 "tier": "Partner",
- "link": "https://flare.io/company/contact/"
+ "link": "https://flare.io/contact/"
 }
 }
 }
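Review bot: The leaked-credentials rule is tagged `CredentialAccess` / `T1110`, but T1110 is Brute Force, which is not what a credential discovered in breach data represents. A leaked credential surfaced by external monitoring maps more naturally to Reconnaissance / `T1589.001` (Gather Victim Identity Information: Credentials), or to `T1078` (Valid Accounts) if the intent is to flag the downstream risk; pick one so the incident's MITRE annotation does not misdirect triage. The same pair is presumably in FlareCredentialLeaks.yaml, which this commit also touches, and should be changed there so the next package regeneration does not revert it.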
@@ -1169,48 +826,48 @@
 {
 "type": "Microsoft.Resources/templateSpecs",
 "apiVersion": "2022-02-01",
- "name": "[variables('analyticRuleTemplateSpecName8')]",
+ "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]",
 "location": "[parameters('workspace-location')]",
 "tags": {
 "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
 "hidden-sentinelContentType": "AnalyticsRule"
 },
 "properties": {
- "description": "Flare Analytics Rule 8 with template",
+ "description": "Flare Analytics Rule 3 with template",
 "displayName": "Flare Analytics Rule template"
 }
 },
 {
 "type": "Microsoft.Resources/templateSpecs/versions",
 "apiVersion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName8'),'/',variables('analyticRuleVersion8'))]",
+ "name": "[concat(variables('analyticRuleObject3').analyticRuleTemplateSpecName3,'/',variables('analyticRuleObject3').analyticRuleVersion3)]",
 "location": "[parameters('workspace-location')]",
 "tags": {
 "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
 "hidden-sentinelContentType": "AnalyticsRule"
 },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName8'))]"
+ "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject3').analyticRuleTemplateSpecName3)]"
 ],
 "properties": {
- "description": "FlareSourceCode_AnalyticalRules Analytics Rule with template version 2.1.0",
+ "description": "FlareDork_AnalyticalRules Analytics Rule with template version 2.1.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion8')]",
+ "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId8')]",
- "apiVersion": "2022-04-01-preview",
+ "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
+ "apiVersion": "2023-02-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "description": "Result found on Code Sharing platform",
- "displayName": "Flare Source Code found",
+ "description": "Results using a dork on google was found",
+ "displayName": "Flare Google Dork result found",
 "enabled": false,
- "query": "Firework_CL\n| where source_s contains \"driller_github\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n",
+ "query": "FireworkV2_CL\n| where source_s contains \"google_search\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "PT1H",
 "severity": "Medium",
@@ -1221,10 +878,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "Flare",
 "dataTypes": [
- "Firework_CL"
- ],
- "connectorId": "Flare"
+ "FireworkV2_CL"
+ ]
 }
 ],
 "tactics": [
@@ -1238,27 +895,27 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]",
 "properties": {
- "description": "Flare Analytics Rule 8",
- "parentId": "[variables('analyticRuleId8')]",
- "contentId": "[variables('_analyticRulecontentId8')]",
+ "description": "Flare Analytics Rule 3",
+ "parentId": "[variables('analyticRuleObject3').analyticRuleId3]",
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion8')]",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]",
 "source": {
 "kind": "Solution",
 "name": "Flare",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
- "name": "Flare Integration Team",
+ "name": "Flare",
 "email": "[variables('_email')]"
 },
 "support": {
 "name": "Flare",
- "email": "contact@flare.io",
+ "email": "support@flare.io",
 "tier": "Partner",
- "link": "https://flare.io/company/contact/"
+ "link": "https://flare.io/contact/"
 }
 }
 }
@@ -1269,48 +926,48 @@ { "type": "Microsoft.Resources/templateSpecs", "apiVersion": "2022-02-01", - "name": "[variables('analyticRuleTemplateSpecName9')]", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", "hidden-sentinelContentType": "AnalyticsRule" }, "properties": { - "description": "Flare Analytics Rule 9 with template", + "description": "Flare Analytics Rule 4 with template", "displayName": "Flare Analytics Rule template" } }, { "type": "Microsoft.Resources/templateSpecs/versions", "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName9'),'/',variables('analyticRuleVersion9'))]", + "name": "[concat(variables('analyticRuleObject4').analyticRuleTemplateSpecName4,'/',variables('analyticRuleObject4').analyticRuleVersion4)]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", "hidden-sentinelContentType": "AnalyticsRule" }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName9'))]" + "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject4').analyticRuleTemplateSpecName4)]" ], "properties": { - "description": "FlareSSLcert_AnalyticalRules Analytics Rule with template version 2.1.0", + "description": "FlareHost_AnalyticalRules Analytics Rule with template version 2.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion9')]", + "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId9')]", - "apiVersion": "2022-04-01-preview", + "name": 
"[variables('analyticRuleObject4')._analyticRulecontentId4]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "SSL Certificate registration found", - "displayName": "Flare SSL Certificate result", + "description": "Results found relating to IP, domain or host", + "displayName": "Flare Host result", "enabled": false, - "query": "Firework_CL\n| where source_s contains \"certstream\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", + "query": "FireworkV2_CL\n| where source_s contains \"driller_shodan\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "Medium", 
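Review bot: `source_s contains "driller_shodan"` in the new `query` does a case-insensitive substring scan, which is both the slowest KQL string operator and broader than intended (any source whose name embeds that token matches); for an exact source identifier `| where source_s == "driller_shodan"` or, if partial matches are wanted, `has` is the idiomatic choice and is index-friendly. Separately, the `description` on this templateSpec version says "template version 2.1.1" while the commit subject advertises "flare solution 3.1.0" — one of the two is stale and should be reconciled with ReleaseNotes.md. The enclosing resource continues past the end of this hunk.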
@@ -1321,44 +978,44 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "Flare",
 "dataTypes": [
- "Firework_CL"
- ],
- "connectorId": "Flare"
+ "FireworkV2_CL"
+ ]
 }
 ],
 "tactics": [
- "ResourceDevelopment"
+ "Reconnaissance"
 ],
 "techniques": [
- "T1583"
+ "T1596"
 ]
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]",
 "properties": {
- "description": "Flare Analytics Rule 9",
- "parentId": "[variables('analyticRuleId9')]",
- "contentId": "[variables('_analyticRulecontentId9')]",
+ "description": "Flare Analytics Rule 4",
+ "parentId": "[variables('analyticRuleObject4').analyticRuleId4]",
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion9')]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]",
 "source": {
 "kind": "Solution",
 "name": "Flare",
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
- "name": "Flare Integration Team",
+ "name": "Flare",
 "email": "[variables('_email')]"
 },
 "support": {
 "name": "Flare",
- "email": "contact@flare.io",
+ "email": "support@flare.io",
 "tier": "Partner",
- "link": "https://flare.io/company/contact/"
+ "link": "https://flare.io/contact/"
 }
 }
 }
@@ -1369,457 +1026,396 @@ { "type": "Microsoft.Resources/templateSpecs", "apiVersion": "2022-02-01", - "name": "[variables('playbookTemplateSpecName1')]", + "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" + "hidden-sentinelContentType": "AnalyticsRule" }, "properties": { - "description": "credential-warning playbook", - "displayName": "credential-warning playbook" + "description": "Flare Analytics Rule 5 with template", + "displayName": "Flare Analytics Rule template" } }, { "type": "Microsoft.Resources/templateSpecs/versions", "apiVersion": "2022-02-01", - "name": "[concat(variables('playbookTemplateSpecName1'),'/',variables('playbookVersion1'))]", + "name": "[concat(variables('analyticRuleObject5').analyticRuleTemplateSpecName5,'/',variables('analyticRuleObject5').analyticRuleVersion5)]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" + "hidden-sentinelContentType": "AnalyticsRule" }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName1'))]" + "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject5').analyticRuleTemplateSpecName5)]" ], "properties": { - "description": "credential-warning Playbook with template version 2.1.0", + "description": "FlareInfectedDevice_AnalyticalRules Analytics Rule with template version 2.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion1')]", - "parameters": { - "PlaybookName": { - "defaultValue": "credential-warning", - "type": "string" - } - }, - "variables": { - "AzureSentinelConnectionName": "[[concat('azuresentinel-', 
parameters('PlaybookName'))]", - "o365ConnectionName": "[[concat('o365-', parameters('PlaybookName'))]", - "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "_connection-1": "[[variables('connection-1')]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]", - "_connection-2": "[[variables('connection-2')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, + "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", + "parameters": {}, + "variables": {}, "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-1')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('o365ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", "properties": { - "displayName": "[[parameters('PlaybookName')]", - "api": { - "id": "[[variables('_connection-2')]" - } + "description": "Infected Device found on darkweb or Telegram", + "displayName": "Flare Infected 
Device", + "enabled": false, + "query": "FireworkV2_CL\n| where category_name_s contains \"Infected Device\" or source_s==\"genesis_market\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Flare", + "dataTypes": [ + "FireworkV2_CL" + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": [ + "T1555" + ] } }, { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2017-07-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "LogicAppsCategory": "security", - "hidden-SentinelTemplateName": "PlaybookName", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]" - ], + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", "properties": { - "state": "Disabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "actions": { - "For_each": { - "actions": { - "For_each_2": { - "actions": { - "For_each_3": { - "actions": { - "Send_an_email_(V2)": { - "inputs": { - "body": { - "Body": "

Hello,
\n
\nThis is a message to warn you we believe a password you had been using has  been leaked online, as part of a data breach.
\n
\nIf the following password is one you are still using commonly, we recommend changing it as soon as possible.
\n
\n@{items('For_each_3')['hash']}
\n
\nIn addition we want to remind you not to use your corporate email address to register to services outside of work.
\n
\nCordially,
\n
\nSecurity Team
\n

", - "Subject": "Possible compromised password", - "To": "blank@flare.systems" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - }, - "type": "ApiConnection" - } - }, - "foreach": "@items('For_each_2')['passwords']", - "type": "Foreach" - } - }, - "foreach": "@body('Parse_JSON')", - "runAfter": { - "Parse_JSON": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Parse_JSON": { - "inputs": { - "content": "@items('For_each')", - "schema": { - "items": { - "properties": { - "name": { - "type": "string" - }, - "passwords": { - "items": { - "properties": { - "extra": { - "type": "object" - }, - "hash": { - "type": "string" - }, - "hash_type": { - "type": "string" - }, - "id": { - "type": "integer" - }, - "imported_at": { - "type": "string" - }, - "source_id": { - "type": "string" - }, - "source_params": { - "properties": { - "line": { - "type": "integer" - } - }, - "type": "object" - } - }, - "required": [ - "id", - "hash", - "hash_type", - "extra", - "domain", - "source_id", - "source_params", - "imported_at" - ], - "type": "object" - }, - "type": "array" - } - }, - "required": [ - "name", - "passwords" - ], - "type": "object" - }, - "type": "array" - } - }, - "type": "ParseJson" - } - }, - "foreach": "@variables('leaks')['leaked_credentials']", - "runAfter": { - "Initialize_variable": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Initialize_variable": { - "inputs": { - "variables": [ - { - "name": "leaks", - "type": "object", - "value": "@json(body('Parse_JSON_2')['Custom Details'])" - } - ] - }, - "runAfter": { - "Parse_JSON_2": [ - "Succeeded" - ] - }, - "type": "InitializeVariable" - }, - "Parse_JSON_2": { - "inputs": { - "content": "@triggerBody()?['ExtendedProperties']", - "schema": { - "properties": { - "Analytic Rule Ids": { - "type": "string" - }, - "Analytic Rule Name": { - "type": "string" - }, - "Custom Details": { - "type": "string" - }, - 
"Data Sources": { - "type": "string" - }, - "Event Grouping": { - "type": "string" - }, - "ProcessedBySentinel": { - "type": "string" - }, - "Query": { - "type": "string" - }, - "Query End Time UTC": { - "type": "string" - }, - "Query Period": { - "type": "string" - }, - "Query Start Time UTC": { - "type": "string" - }, - "Search Query Results Overall Count": { - "type": "string" - }, - "Trigger Operator": { - "type": "string" - }, - "Trigger Threshold": { - "type": "string" - } - }, - "type": "object" - } - }, - "type": "ParseJson" - } - }, - "contentVersion": "1.0.0.0", - "triggers": { - "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/subscribe" - }, - "type": "ApiConnectionWebhook" - } - } + "description": "Flare Analytics Rule 5", + "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", + "source": { + "kind": "Solution", + "name": "Flare", + "sourceId": "[variables('_solutionId')]" }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "connectionName": "[[variables('AzureSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "office365": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('o365ConnectionName'))]", - "connectionName": "[[variables('o365ConnectionName')]", - 
"id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/office365')]" - } - } - } + "author": { + "name": "Flare", + "email": "[variables('_email')]" + }, + "support": { + "name": "Flare", + "email": "support@flare.io", + "tier": "Partner", + "link": "https://flare.io/contact/" } } + } + ] + } + } + }, + { + "type": "Microsoft.Resources/templateSpecs", + "apiVersion": "2022-02-01", + "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", + "location": "[parameters('workspace-location')]", + "tags": { + "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", + "hidden-sentinelContentType": "AnalyticsRule" + }, + "properties": { + "description": "Flare Analytics Rule 6 with template", + "displayName": "Flare Analytics Rule template" + } + }, + { + "type": "Microsoft.Resources/templateSpecs/versions", + "apiVersion": "2022-02-01", + "name": "[concat(variables('analyticRuleObject6').analyticRuleTemplateSpecName6,'/',variables('analyticRuleObject6').analyticRuleVersion6)]", + "location": "[parameters('workspace-location')]", + "tags": { + "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", + "hidden-sentinelContentType": "AnalyticsRule" + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject6').analyticRuleTemplateSpecName6)]" + ], + "properties": { + "description": "FlarePaste_AnalyticalRules Analytics Rule with template version 2.1.1", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "apiVersion": "2023-02-01-preview", + "kind": 
"Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Result found on code Snippet (paste) sharing platform", + "displayName": "Flare Paste result", + "enabled": false, + "query": "FireworkV2_CL\n| where source_s in (\"gist_github\",\"Pastebin\",\"driller_stackexchange\") and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Flare", + "dataTypes": [ + "FireworkV2_CL" + ] + } + ], + "tactics": [ + "Reconnaissance" + ], + "techniques": [ + "T1593" + ] + } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", "properties": { - "parentId": "[variables('playbookId1')]", - "contentId": "[variables('_playbookContentId1')]", - "kind": "Playbook", - "version": "[variables('playbookVersion1')]", + "description": "Flare Analytics Rule 6", + "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", "source": { "kind": "Solution", "name": "Flare", "sourceId": "[variables('_solutionId')]" }, "author": { - "name": "Flare Integration Team", + "name": "Flare", "email": "[variables('_email')]" }, "support": { "name": "Flare", - "email": "contact@flare.io", + "email": "support@flare.io", 
"tier": "Partner", - "link": "https://flare.io/company/contact/" + "link": "https://flare.io/contact/" } } } - ], - "metadata": { - "title": "credential-warning", - "description": "This playbook monitors all data received from Firework looking for leaked credentials (email:password combinations). When found, this playbook will send an email to the email address warning their password has been leaked, recommending appropriate measures if necessary. To learn more about how to connect Firework to Microsoft Sentinel, see the [API documentation](https://docs.flared.io/azure-sentinel-integration).", - "lastUpdateTime": "2022-07-31T00:00:00Z", - "releaseNotes": [ - { - "version": "1.0.0", - "title": "credential-warning", - "notes": [ - "Initial version" + ] + } + } + }, + { + "type": "Microsoft.Resources/templateSpecs", + "apiVersion": "2022-02-01", + "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", + "location": "[parameters('workspace-location')]", + "tags": { + "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", + "hidden-sentinelContentType": "AnalyticsRule" + }, + "properties": { + "description": "Flare Analytics Rule 7 with template", + "displayName": "Flare Analytics Rule template" + } + }, + { + "type": "Microsoft.Resources/templateSpecs/versions", + "apiVersion": "2022-02-01", + "name": "[concat(variables('analyticRuleObject7').analyticRuleTemplateSpecName7,'/',variables('analyticRuleObject7').analyticRuleVersion7)]", + "location": "[parameters('workspace-location')]", + "tags": { + "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", + "hidden-sentinelContentType": "AnalyticsRule" + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject7').analyticRuleTemplateSpecName7)]" + ], + "properties": { + "description": "FlareSourceCode_AnalyticalRules Analytics Rule with template version 2.1.1", + "mainTemplate": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Result found on Code Sharing platform", + "displayName": "Flare Source Code found", + "enabled": false, + "query": "FireworkV2_CL\n| where source_s contains \"driller_github\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Flare", + "dataTypes": [ + "FireworkV2_CL" + ] + } + ], + "tactics": [ + "Reconnaissance" + ], + "techniques": [ + "T1593" ] } - ] - } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", + "properties": { + "description": "Flare Analytics Rule 7", + "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", + "source": { + "kind": "Solution", + "name": "Flare", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Flare", + "email": "[variables('_email')]" + }, + "support": { + "name": "Flare", + "email": 
"support@flare.io", + "tier": "Partner", + "link": "https://flare.io/contact/" + } + } + } + ] } } }, { "type": "Microsoft.Resources/templateSpecs", "apiVersion": "2022-02-01", - "name": "[variables('workbookTemplateSpecName1')]", + "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" + "hidden-sentinelContentType": "AnalyticsRule" }, "properties": { - "description": "Flare Workbook with template", - "displayName": "Flare workbook template" + "description": "Flare Analytics Rule 8 with template", + "displayName": "Flare Analytics Rule template" } }, { "type": "Microsoft.Resources/templateSpecs/versions", "apiVersion": "2022-02-01", - "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]", + "name": "[concat(variables('analyticRuleObject8').analyticRuleTemplateSpecName8,'/',variables('analyticRuleObject8').analyticRuleVersion8)]", "location": "[parameters('workspace-location')]", "tags": { "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" + "hidden-sentinelContentType": "AnalyticsRule" }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]" + "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleObject8').analyticRuleTemplateSpecName8)]" ], "properties": { - "description": "FlareSystemsFireworkOverviewWorkbook with template version 2.1.0", + "description": "FlareSSLcert_AnalyticalRules Analytics Rule with template version 2.1.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion1')]", + "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", "parameters": {}, "variables": {}, 
"resources": [ { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId1')]", + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "Select the time range for this Overview." - }, "properties": { - "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Firework Logs by risk score\\n---\\n\\nThese are all your logs that came from Firework in the past 30 days, where each line represents a specific risk score\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Firework_CL\\n| make-series num=count() on timestamp_t from ago(30d) to now() step 8h by strcat(\\\"Risk Score \\\", tostring(toint(risk_score_d)))\\n| render timechart \",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Risk Score 2\",\"color\":\"turquoise\"},{\"seriesName\":\"Risk Score 3\",\"color\":\"yellow\"},{\"seriesName\":\"Risk Score 4\",\"color\":\"orange\"},{\"seriesName\":\"Risk Score 1\",\"color\":\"lightBlue\"}]}},\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"# Sources of all documents collected\\n\\nData per day for the last 30 days\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Firework_CL\\n| make-series num=count() on timestamp_t from ago(30d) to now() step 1d by source_name_s\\n| where isnotempty(source_name_s)\\n| render barchart \",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 
2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Firework_CL\\n| where timestamp_t >= ago(30d)\\n| summarize num=count() by source_name_s\\n| where notempty(source_name_s)\\n| render piechart \",\"size\":2,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 6\"},{\"type\":1,\"content\":{\"json\":\"# Total Leaked Credentials received\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Firework_CL\\n| where notempty(column_ifexists('data_new_leaks_s', ''))\\n| make-series Total_Leaked_Credentials=count() on timestamp_t from ago(30d) to now() step 8h \\n| render timechart\",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Total_Leaked_Credentials\",\"color\":\"redBright\"}]}},\"name\":\"query - 4\"}],\"fromTemplateId\":\"sentinel-FireworkWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" + "description": "SSL Certificate registration found", + "displayName": "Flare SSL Certificate result", + "enabled": false, + "query": "FireworkV2_CL\n| where source_s contains \"certstream\" and (risk_score_d == \"3\" or risk_score_d == \"4\" or risk_score_d == \"5\")\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Flare", + "dataTypes": [ + "FireworkV2_CL" + ] + } + ], + "tactics": [ + "ResourceDevelopment" + ], + "techniques": [ + "T1583" + ] } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", "properties": { - "description": "@{workbookKey=FireworkWorkbook; logoFileName=FlareSystems.svg; description=Select the time range for this Overview.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=FlareSystemsFirework; templateRelativePath=FlareSystemsFireworkOverview.json; subtitle=; provider=Flare Systems}.description", - "parentId": "[variables('workbookId1')]", - "contentId": "[variables('_workbookContentId1')]", - "kind": "Workbook", - "version": "[variables('workbookVersion1')]", + "description": "Flare Analytics Rule 8", + "parentId": "[variables('analyticRuleObject8').analyticRuleId8]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", "source": { "kind": "Solution", "name": "Flare", "sourceId": "[variables('_solutionId')]" }, "author": { - "name": "Flare Integration Team", + "name": "Flare", "email": "[variables('_email')]" }, "support": { "name": "Flare", - "email": "contact@flare.io", + "email": "support@flare.io", "tier": "Partner", - "link": "https://flare.io/company/contact/" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "Firework_CL", - "kind": "DataType" - }, - { - "contentId": "FlareSystemsFirework", - "kind": "DataConnector" - } - ] + "link": "https://flare.io/contact/" } } } 
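Review bot: The Infected Device query added for rule 5 mixes `or` and `and` without parentheses — `category_name_s contains "Infected Device" or source_s=="genesis_market" and (risk_score_d == ...)` — and KQL binds `and` tighter than `or`, so the risk-score gate applies only to the `genesis_market` branch and every row whose category mentions "Infected Device" fires regardless of score, unlike all sibling rules which require score 3–5. The intended filter is almost certainly `| where (category_name_s contains "Infected Device" or source_s == "genesis_market") and risk_score_d >= 3`. Rule 6's `source_s in ("gist_github","Pastebin","driller_stackexchange")` is case-sensitive, and the capitalised `Pastebin` sits next to two lowercase source ids, so confirm the exact value Flare emits or use `in~`. The playbook and workbook resources removed here are still listed as solution dependencies in the final hunk, so they appear to have moved rather than been dropped; worth stating in the commit message.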
@@ -1832,9 +1428,9 @@
 "apiVersion": "2022-01-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "2.1.0",
+ "version": "2.1.1",
 "kind": "Solution",
- "contentSchemaVersion": "2.0.0",
+ "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('_solutionId')]",
 "parentId": "[variables('_solutionId')]",
 "source": {
@@ -1843,77 +1439,72 @@
 "sourceId": "[variables('_solutionId')]"
 },
 "author": {
- "name": "Flare Integration Team",
+ "name": "Flare",
 "email": "[variables('_email')]"
 },
 "support": {
 "name": "Flare",
- "email": "contact@flare.io",
+ "email": "support@flare.io",
 "tier": "Partner",
- "link": "https://flare.io/company/contact/"
+ "link": "https://flare.io/contact/"
 },
 "dependencies": {
 "operator": "AND",
 "criteria": [
 {
 "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "version": "[variables('dataConnectorCCPVersion')]"
 },
 {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId1')]",
- "version": "[variables('analyticRuleVersion1')]"
+ "kind": "Workbook",
+ "contentId": "[variables('_workbookContentId1')]",
+ "version": "[variables('workbookVersion1')]"
 },
 {
- "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId2')]",
- "version": "[variables('analyticRuleVersion2')]"
+ "kind": "Playbook",
+ "contentId": "[variables('_credential-warning')]",
+ "version": "[variables('playbookVersion1')]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId3')]",
- "version": "[variables('analyticRuleVersion3')]"
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId4')]",
- "version": "[variables('analyticRuleVersion4')]"
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId5')]",
- "version": "[variables('analyticRuleVersion5')]"
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
+ "version": 
"[variables('analyticRuleObject3').analyticRuleVersion3]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId6')]",
- "version": "[variables('analyticRuleVersion6')]"
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId7')]",
- "version": "[variables('analyticRuleVersion7')]"
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId8')]",
- "version": "[variables('analyticRuleVersion8')]"
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
 },
 {
 "kind": "AnalyticsRule",
- "contentId": "[variables('analyticRulecontentId9')]",
- "version": "[variables('analyticRuleVersion9')]"
- },
- {
- "kind": "Playbook",
- "contentId": "[variables('_credential-warning')]",
- "version": "[variables('playbookVersion1')]"
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]"
 },
 {
- "kind": "Workbook",
- "contentId": "[variables('_workbookContentId1')]",
- "version": "[variables('workbookVersion1')]"
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
+ "version": "[variables('analyticRuleObject8').analyticRuleVersion8]"
 }
 ]
 },
diff --git a/Solutions/Flare/Package/testParameters.json b/Solutions/Flare/Package/testParameters.json
new file mode 100644
index 00000000000..374de0c2010
--- /dev/null
+++ b/Solutions/Flare/Package/testParameters.json
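Review bot: The dependency list drops the ninth analytics rule (`analyticRulecontentId9`) and re-pins the connector to `_dataConnectorContentIdConnections1` / `dataConnectorCCPVersion`, but nothing in the release notes added by this commit mentions a removed rule, so workspaces upgrading in place keep that rule deployed with no pointer to retire it; whether it still queries the superseded table cannot be seen from here. A release-notes line such as `Removed one analytic rule; the legacy Rest API connector and the Firework_CL table are no longer referenced by the solution dependencies or workbook.` would close that gap, and "CFF" in those notes presumably means CCF. The variables referenced here (`analyticRuleObject1` through `analyticRuleObject8`, `dataConnectorCCPVersion`) are defined outside this hunk and cannot be checked against it.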
@@ -0,0 +1,46 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "FlareSystemsFirework",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ }
+}
diff --git a/Solutions/Flare/ReleaseNotes.md b/Solutions/Flare/ReleaseNotes.md
new file mode 100644
index 00000000000..15ea86dc510
--- /dev/null
+++ b/Solutions/Flare/ReleaseNotes.md
@@ -0,0 +1,15 @@
+# Release Notes
+
+Release notes are available starting from version 2.2.0.
+Earlier versions did not have published release notes.
+
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+| ----------- | ------------------------------ | ------------------------------------------------------------------------- |
+| 3.0.0 | 15-12-2024 | New CFF connector that replaces deprecated Rest API connector. |
+| | | New Polling config for CFF connector. |
+| | | New DCR config for CFF connector. |
+| | | Added Table definition for FireworkV2_CL. |
+| | | Fixed Analytic Rules to handle missing columns using `column_ifexists()`. |
+| | | Added `ReleaseNotes.md` file. |
+| 1.0.0 | 21-10-2021 | Initial Solution Release. |
+
diff --git a/Solutions/Flare/SolutionMetadata.json b/Solutions/Flare/SolutionMetadata.json
index c920dfbc8fb..d9fed00dd0a 100644
--- a/Solutions/Flare/SolutionMetadata.json
+++ b/Solutions/Flare/SolutionMetadata.json
@@ -9,8 +9,8 @@
 },
 "support": {
 "name": "Flare",
- "email": "contact@flare.io",
+ "email": "support@flare.io",
 "tier": "Partner",
- "link": "https://flare.io/company/contact/"
+ "link": "https://flare.io/contact/"
 }
-}
\ No newline at end of file
+}
diff --git a/Solutions/Flare/Workbooks/FlareSystemsFireworkOverview.json b/Solutions/Flare/Workbooks/FlareSystemsFireworkOverview.json
index ea61c83700a..099bc1c856b 100644
--- a/Solutions/Flare/Workbooks/FlareSystemsFireworkOverview.json
+++ b/Solutions/Flare/Workbooks/FlareSystemsFireworkOverview.json
@@ -12,7 +12,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "Firework_CL\n| make-series num=count() on timestamp_t from ago(30d) to now() step 8h by strcat(\"Risk Score \", tostring(toint(risk_score_d)))\n| render timechart ",
+ "query": "FireworkV2_CL\n| make-series num=count() on timestamp_t from ago(30d) to now() step 8h by strcat(\"Risk Score \", tostring(toint(risk_score_d)))\n| render timechart ",
 "size": 0,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
@@ -50,7 +50,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "Firework_CL\n| make-series num=count() on timestamp_t from ago(30d) to now() step 1d by source_name_s\n| where isnotempty(source_name_s)\n| render barchart ",
+ "query": "FireworkV2_CL\n| make-series num=count() on timestamp_t from ago(30d) to now() step 1d by source_name_s\n| where isnotempty(source_name_s)\n| render barchart ",
 "size": 0,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces"
@@ -61,7 +61,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "Firework_CL\n| where timestamp_t >= ago(30d)\n| summarize num=count() by source_name_s\n| where notempty(source_name_s)\n| render piechart ",
+ "query": "FireworkV2_CL\n| where timestamp_t >= ago(30d)\n| summarize num=count() by source_name_s\n| where notempty(source_name_s)\n| render piechart ",
 "size": 2,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces"
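Review bot: The workbook tiles are repointed from `Firework_CL` to `FireworkV2_CL` but keep the legacy auto-suffixed column names (`timestamp_t`, `risk_score_d`, `source_name_s`); with a CCF connector the column set comes from the new Table definition rather than from the ingestion API, and that definition is not in this hunk, so if it names these fields differently every tile in this workbook errors at render time, whereas the analytic rules were hardened with `column_ifexists()` according to the release notes. Confirm that the table definition declares exactly these names, or guard the tiles the same way, e.g. `| extend risk_score_d = column_ifexists('risk_score_d', real(null))` before the `make-series`. The same applies to the hunk at `-79` on the next line, where only `data_new_leaks_s` is guarded and `timestamp_t` is not.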
@@ -79,7 +79,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "Firework_CL\n| where notempty(column_ifexists('data_new_leaks_s', ''))\n| make-series Total_Leaked_Credentials=count() on timestamp_t from ago(30d) to now() step 8h \n| render timechart",
+ "query": "FireworkV2_CL\n| where notempty(column_ifexists('data_new_leaks_s', ''))\n| make-series Total_Leaked_Credentials=count() on timestamp_t from ago(30d) to now() step 8h \n| render timechart",
 "size": 0,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",