What Changed

Updated Flare Solution to version 3.1.0 with improved Analytic Rules and Workbooks aligned to the CFF connector’s updated schema. Added three new detection rules targeting chat platforms, lookalike domains, and underground marketplaces while removing one deprecated SSL certificate rule.

Detection Logic Updates

All existing Analytic Rules were bumped from version 2.0.0 to 3.0.0 and now share one standardized query pattern:

  • Primary data source: FireworkV2_CL
  • Core filtering: isnotempty(uid) and RiskScore >= 3, followed by index-based categorization on split(uid, "/")[0] (the first path segment of uid names the Flare index)
  • Entity types: URL, Domain, Host, Account (varies by rule type)

Updated Rules:

  • Cloud Bucket: Targets driller_bucket_object and bucket indices for exposed cloud storage
  • Credential Leaks: Filters leaked_credential index for exposed authentication data
  • Google Dorks: Matches driller_google index for reconnaissance activity
  • Host Results: Targets service index for exposed infrastructure
  • Infected Devices: Filters bot and stealer_log indices for compromised endpoints
  • Paste/Source Code: Targets paste and GitHub-related indices for exposed code

New Rules (v1.0.0):

  • Chat Results: Monitors chat_message index for threat actor communications
  • Lookalike Domains: Tracks domain index for typosquatting activity
  • Marketplace Results: Monitors listing index for underground commerce

Removed:

  • FlareSSLcert.yaml (SSL certificate monitoring): removed; certificate-based detection is now covered by the lookalike domain rule
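The standardized pattern above, written out as an added example query for the Infected Devices rule. This is illustrative KQL, not the solution's own YAML; it assumes FireworkV2_CL exposes the uid, RiskScore and source columns named in these notes and that RiskScore is numeric.

```kql
// Added example: standardized Flare rule logic, instantiated for the Infected Devices rule.
// Assumed schema: FireworkV2_CL with uid (string, "<index>/<id>"), RiskScore (numeric), source (string).
let minRisk = 3;
let targetIndices = dynamic(["bot", "stealer_log"]);   // per rule: ["chat_message"], ["listing"], ["domain"], ...
FireworkV2_CL
| where isnotempty(uid) and RiskScore >= minRisk        // drop records with no uid or below the risk threshold
| extend FlareIndex = tostring(split(uid, "/")[0])     // first path segment of uid identifies the Flare index
| where FlareIndex in (targetIndices)
| project TimeGenerated, FlareIndex, uid, RiskScore, source
```

Swapping targetIndices is the only change between rules; the entity mapping (Host and Account for this rule) lives in the YAML's entityMappings and must reference columns that survive the final project, so any column used for an entity has to be kept there.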

Workbook Improvements

Updated FlareSystemsFireworkOverview.json with schema-aligned queries:

  • Replaced references to the legacy source_name field with the current source field
  • Enhanced chart descriptions and titles for better SOC usability
  • Improved leaked credential tracking using uid-based filtering
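A workbook-style aggregation matching the two changes above (source field, uid-based filtering), as an added example rather than the workbook's own JSON query; it assumes the same FireworkV2_CL columns as the rules and the leaked_credential index name given in these notes.

```kql
// Added example: daily leaked-credential findings per source for a workbook tile.
// Assumed schema: FireworkV2_CL with uid, RiskScore and source columns.
FireworkV2_CL
| where isnotempty(uid)
| extend FlareIndex = tostring(split(uid, "/")[0])     // uid-based index categorization, as in the rules
| where FlareIndex == "leaked_credential"
| summarize Findings = count(),
            HighRisk = countif(RiskScore >= 3),         // same threshold the analytic rules alert on
            MaxRisk = max(RiskScore)
          by source, bin(TimeGenerated, 1d)             // current field is source, not source_name
| order by Findings desc
```

HighRisk versus Findings shows at a glance how much of the leaked-credential volume per source would actually trigger the Credential Leaks rule.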

MITRE Mapping

  • T1593 (Search Open Websites/Domains): Primary technique for reconnaissance rules
  • T1110 (Brute Force): Credential leak detection
  • T1555 (Credentials from Password Stores): Infected device monitoring
  • T1583 (Acquire Infrastructure): Domain/certificate tracking
  • T1596 (Search Open Technical Databases): Host reconnaissance

Affected Files

Solutions/Flare/Analytic Rules/FlareChat.yaml
Solutions/Flare/Analytic Rules/FlareCloudBucket.yaml
Solutions/Flare/Analytic Rules/FlareCredentialLeaks.yaml
Solutions/Flare/Analytic Rules/FlareDork.yaml
Solutions/Flare/Analytic Rules/FlareHost.yaml
Solutions/Flare/Analytic Rules/FlareInfectedDevice.yaml
Solutions/Flare/Analytic Rules/FlareLookalikeDomain.yaml
Solutions/Flare/Analytic Rules/FlareMarket.yaml
Solutions/Flare/Analytic Rules/FlarePaste.yaml
Solutions/Flare/Analytic Rules/FlareSSLcert.yaml
Solutions/Flare/Analytic Rules/FlareSourceCode.yaml
Solutions/Flare/Playbooks/credential-warning/azuredeploy.json
Solutions/Flare/Workbooks/FlareSystemsFireworkOverview.json
(packaging artefacts: 3.1.0.zip, ReleaseNotes.md, Solution_FlareSystemsFirework.json, createUiDefinition.json, mainTemplate.json)